f2d61902e7b2b2fd674a5809613fde43d93f345181f09efe1a5a9d8f20f36e77

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 11:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

adbcc235c26c23463e2dd82d120ef590N.exe
Size

416KB
MD5

adbcc235c26c23463e2dd82d120ef590
SHA1

93eaa4574774bdeccf5a2499b69e9ddd1965186b
SHA256

f2d61902e7b2b2fd674a5809613fde43d93f345181f09efe1a5a9d8f20f36e77
SHA512

03b95b960ccca6183024bc699cd415df67ce759b3ae4d6811c4a61ed422a69033747e5335e4f7879903aa8801532f31dce50e7d6797d1f5d0985c19060080a35
SSDEEP

12288:fnbYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:jYJ07kE0KoFtw2gu9RxrBIUbPLwH96/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe

Executes dropped EXE 64 IoCs

pid	Process
1440	Lphoelqn.exe
3004	Mgagbf32.exe
1432	Mpjlklok.exe
3944	Mmnldp32.exe
1940	Mckemg32.exe
4508	Miemjaci.exe
3012	Melnob32.exe
4944	Mdmnlj32.exe
4652	Miifeq32.exe
1408	Mlhbal32.exe
3868	Nngokoej.exe
3552	Ngpccdlj.exe
1660	Nphhmj32.exe
2780	Ncfdie32.exe
216	Nnlhfn32.exe
4436	Nloiakho.exe
2740	Nfgmjqop.exe
456	Njciko32.exe
4088	Nnneknob.exe
2916	Npmagine.exe
976	Ndhmhh32.exe
4520	Nggjdc32.exe
4672	Nfjjppmm.exe
1372	Njefqo32.exe
4140	Olcbmj32.exe
512	Oponmilc.exe
552	Ocnjidkf.exe
4300	Ogifjcdp.exe
3504	Oflgep32.exe
3364	Oncofm32.exe
1452	Olfobjbg.exe
320	Odmgcgbi.exe
3200	Ocpgod32.exe
2812	Ogkcpbam.exe
2496	Ojjolnaq.exe
2888	Oneklm32.exe
3124	Opdghh32.exe
1616	Ofqpqo32.exe
3632	Odapnf32.exe
4232	Ofcmfodb.exe
1692	Ojoign32.exe
4716	Olmeci32.exe
4484	Oqhacgdh.exe
4080	Ocgmpccl.exe
5092	Ofeilobp.exe
2488	Ojaelm32.exe
4972	Pmoahijl.exe
2352	Pqknig32.exe
4756	Pcijeb32.exe
988	Pfhfan32.exe
4352	Pjcbbmif.exe
1792	Pmannhhj.exe
2552	Pqmjog32.exe
3288	Pclgkb32.exe
1924	Pfjcgn32.exe
1760	Pjeoglgc.exe
3500	Pmdkch32.exe
1116	Pqpgdfnp.exe
800	Pcncpbmd.exe
3880	Pflplnlg.exe
2700	Pjhlml32.exe
3080	Pmfhig32.exe
4780	Pqbdjfln.exe
3948	Pcppfaka.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6408	6316	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	adbcc235c26c23463e2dd82d120ef590N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1440	4580	adbcc235c26c23463e2dd82d120ef590N.exe	84
PID 4580 wrote to memory of 1440	4580	adbcc235c26c23463e2dd82d120ef590N.exe	84
PID 4580 wrote to memory of 1440	4580	adbcc235c26c23463e2dd82d120ef590N.exe	84
PID 1440 wrote to memory of 3004	1440	Lphoelqn.exe	85
PID 1440 wrote to memory of 3004	1440	Lphoelqn.exe	85
PID 1440 wrote to memory of 3004	1440	Lphoelqn.exe	85
PID 3004 wrote to memory of 1432	3004	Mgagbf32.exe	86
PID 3004 wrote to memory of 1432	3004	Mgagbf32.exe	86
PID 3004 wrote to memory of 1432	3004	Mgagbf32.exe	86
PID 1432 wrote to memory of 3944	1432	Mpjlklok.exe	87
PID 1432 wrote to memory of 3944	1432	Mpjlklok.exe	87
PID 1432 wrote to memory of 3944	1432	Mpjlklok.exe	87
PID 3944 wrote to memory of 1940	3944	Mmnldp32.exe	88
PID 3944 wrote to memory of 1940	3944	Mmnldp32.exe	88
PID 3944 wrote to memory of 1940	3944	Mmnldp32.exe	88
PID 1940 wrote to memory of 4508	1940	Mckemg32.exe	89
PID 1940 wrote to memory of 4508	1940	Mckemg32.exe	89
PID 1940 wrote to memory of 4508	1940	Mckemg32.exe	89
PID 4508 wrote to memory of 3012	4508	Miemjaci.exe	91
PID 4508 wrote to memory of 3012	4508	Miemjaci.exe	91
PID 4508 wrote to memory of 3012	4508	Miemjaci.exe	91
PID 3012 wrote to memory of 4944	3012	Melnob32.exe	92
PID 3012 wrote to memory of 4944	3012	Melnob32.exe	92
PID 3012 wrote to memory of 4944	3012	Melnob32.exe	92
PID 4944 wrote to memory of 4652	4944	Mdmnlj32.exe	94
PID 4944 wrote to memory of 4652	4944	Mdmnlj32.exe	94
PID 4944 wrote to memory of 4652	4944	Mdmnlj32.exe	94
PID 4652 wrote to memory of 1408	4652	Miifeq32.exe	95
PID 4652 wrote to memory of 1408	4652	Miifeq32.exe	95
PID 4652 wrote to memory of 1408	4652	Miifeq32.exe	95
PID 1408 wrote to memory of 3868	1408	Mlhbal32.exe	97
PID 1408 wrote to memory of 3868	1408	Mlhbal32.exe	97
PID 1408 wrote to memory of 3868	1408	Mlhbal32.exe	97
PID 3868 wrote to memory of 3552	3868	Nngokoej.exe	98
PID 3868 wrote to memory of 3552	3868	Nngokoej.exe	98
PID 3868 wrote to memory of 3552	3868	Nngokoej.exe	98
PID 3552 wrote to memory of 1660	3552	Ngpccdlj.exe	99
PID 3552 wrote to memory of 1660	3552	Ngpccdlj.exe	99
PID 3552 wrote to memory of 1660	3552	Ngpccdlj.exe	99
PID 1660 wrote to memory of 2780	1660	Nphhmj32.exe	100
PID 1660 wrote to memory of 2780	1660	Nphhmj32.exe	100
PID 1660 wrote to memory of 2780	1660	Nphhmj32.exe	100
PID 2780 wrote to memory of 216	2780	Ncfdie32.exe	101
PID 2780 wrote to memory of 216	2780	Ncfdie32.exe	101
PID 2780 wrote to memory of 216	2780	Ncfdie32.exe	101
PID 216 wrote to memory of 4436	216	Nnlhfn32.exe	102
PID 216 wrote to memory of 4436	216	Nnlhfn32.exe	102
PID 216 wrote to memory of 4436	216	Nnlhfn32.exe	102
PID 4436 wrote to memory of 2740	4436	Nloiakho.exe	103
PID 4436 wrote to memory of 2740	4436	Nloiakho.exe	103
PID 4436 wrote to memory of 2740	4436	Nloiakho.exe	103
PID 2740 wrote to memory of 456	2740	Nfgmjqop.exe	104
PID 2740 wrote to memory of 456	2740	Nfgmjqop.exe	104
PID 2740 wrote to memory of 456	2740	Nfgmjqop.exe	104
PID 456 wrote to memory of 4088	456	Njciko32.exe	105
PID 456 wrote to memory of 4088	456	Njciko32.exe	105
PID 456 wrote to memory of 4088	456	Njciko32.exe	105
PID 4088 wrote to memory of 2916	4088	Nnneknob.exe	106
PID 4088 wrote to memory of 2916	4088	Nnneknob.exe	106
PID 4088 wrote to memory of 2916	4088	Nnneknob.exe	106
PID 2916 wrote to memory of 976	2916	Npmagine.exe	107
PID 2916 wrote to memory of 976	2916	Npmagine.exe	107
PID 2916 wrote to memory of 976	2916	Npmagine.exe	107
PID 976 wrote to memory of 4520	976	Ndhmhh32.exe	108

C:\Users\Admin\AppData\Local\Temp\adbcc235c26c23463e2dd82d120ef590N.exe
"C:\Users\Admin\AppData\Local\Temp\adbcc235c26c23463e2dd82d120ef590N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\Lphoelqn.exe
  C:\Windows\system32\Lphoelqn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\Mgagbf32.exe
    C:\Windows\system32\Mgagbf32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\Mpjlklok.exe
      C:\Windows\system32\Mpjlklok.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        23⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        26⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        38⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        51⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        55⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        56⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        59⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        65⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        66⤵
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        67⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        69⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2492
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        73⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        76⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        79⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        83⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        84⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        88⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        89⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        94⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        96⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        99⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        100⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        101⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        105⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        111⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        119⤵
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        121⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        125⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        126⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        129⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        132⤵
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        139⤵
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        141⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4172
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        144⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        146⤵
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        148⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        151⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        152⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6316 -s 408
        153⤵
        Program crash
        
        PID:6408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6316 -ip 6316
1⤵
PID:6384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
128KB

MD5
38e8d4016fcd8ea0a3a75533c9e6491c

SHA1
ceb22ed52988cc2ca645590bec146a97c014a738

SHA256
892f9f035783a3ee762d68c9390c60a151d3b60aa1d03373b1abcf3b9f724f5c

SHA512
5b75b0831bceb471cd4d9915eeeb6789a9eee0815783bc40641a6617f855fd567c7ec99ac9c94f526d99bbb62dc1c7f707bb945c524dc1fda7d8840fb3ebd6f7

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
416KB

MD5
4a803af3bb792f90bd5d05bcff417a2c

SHA1
dbf3280f2b07401f055317c235ca456d41e73212

SHA256
11ccd78ce0c0accd4679c8843631293f94523a717477fb45a79474aef813ddfe

SHA512
b029cd8e4e2bac6e3ac521b7f36385f5ba390375342249c4861903c2bc5572b1b25a9238f57ed3a23bd5085efbd7c9e369f78693240fec0a6bb8a1c7b633db3e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
416KB

MD5
2e3802308b73959677be33e4242e5792

SHA1
2d0bad7347967efa4d2e222afa9234c93490ca40

SHA256
dd6a039281451f77ea0ef0bff60d892ed5a13cfa76d926628a1213e2849d85d8

SHA512
8fbbf65eab37ecf92057810aee036d7d9265bfa2c2eb653f3304c24b10d9e6cb0c42b21ff122e617cd54d73a39d4f174f1b33a42958e7bab9ca9974d10c07ed5

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
416KB

MD5
f3a19cd80a90406c1a2cb56828ed6a40

SHA1
d5aec82435f30aace8ae7e1f1d22778c22b61ab2

SHA256
3d9b1fff4d582cfd943e8d8ae1645720864675b1e4f25aa01c134a2b139c79a8

SHA512
e44cb35e0de4ecccee08707dc1bd62030f445dd2734afdb11f56d068affec31e8c6b0b82f2f7a6b735fdce54bbfaca067dd40f6b5e54b5f6e42093ecd3b224f0

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
416KB

MD5
c1a521367b7a793273d0e33f2e9b86ed

SHA1
66ad8cbb9a125ccd4c455c820b4fba714ad88a1e

SHA256
60a255cc2e28f1c552e00e2ed7758d029792d9853e5d2b527fd921eadde234d7

SHA512
080b55a99645e40f6c45ad69beb68d4930bd7d080f442fdcd7eb2fd58ede0fc9e49fc14febc7df8d75db91517a9d2b5a58332fc8624c3443c4e63e873656bc5d

Download Submit
C:\Windows\SysWOW64\Gfhkicbi.dll

Filesize
7KB

MD5
473bb6498825fa0ef3eb543686ae5372

SHA1
53edcdc368f50afb8a75fd79822f6302f453d4de

SHA256
38e9934cadaaa6219c83044f59971fd128b2809d4143699a4445344f66321f29

SHA512
8348b260312539989e14e917c6226d7c7f3dca9e550fef0420788c4834066c0306ec028bc150faeeed4ae654b1ac480f1c039163dd468295d2f7425cf0c22aa2

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
416KB

MD5
adcb0bfbb6d28c95f667f9adc8dccccc

SHA1
54ab3793c08a8919d5f3615b1d0e7fd7f909c622

SHA256
88a7b6392181ddd4f9122dd892858e44c68be4216cdfa50e624ad1ec0486c4fa

SHA512
f14e8dbc53f6d3eea9997fdba4a9004478a2439cfb26ea8c62be8fb93e2d31702545df7d1236760edfa388b3e5f6a33eb02984d7df89af14c05f7c29aa945cef

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
416KB

MD5
d50819c7e6619fe23b4794b79029c393

SHA1
fc232e3ec9ba7c261637d8c9d310797af7a61a81

SHA256
11fa06406c7b420f7fd885cb250e9d6a4a2d5446ec3c51ea65702455447f873b

SHA512
52bebd189e531eb8f05d7a1a5df4a7cfa2cd729e723f5822b16ca78a1e3797506986ccbb94e806ba0e1f06514f1401ea95a548418b83eb17b2aff66e8dcc9a6d

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
416KB

MD5
8db32aecc0aac14d123df1c2836df022

SHA1
4a9eda737a28707b51b8b70510df3f49f7c904a1

SHA256
d10188e01d32be4be5a6efd91e748b1bf19ef79b2830619ffd0c4aab574fc201

SHA512
8ce439c088288ca54763ed01bbba5e43cde77fd3e36f71fb463400e305fd1385ee006945449ca2179aeeed58330844aaf472eba4aaf357bc746cf9efeb0591e1

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
416KB

MD5
509f2abe8bd09d2d4424d80b45521cb6

SHA1
a69d1881e8d9e3ea67b3b1dbf0ba0f805dded94d

SHA256
1e9192362f15b324e9c91f7e0487e0acf63133e51bec740da66501b758b5a075

SHA512
c966dfbf487b65f1b16edbe5a3d2fb11c4ac08c28e93273e51bface17187513929e3cdc69666ba5210eb73856a661915db27c5f90f623c2388b285bee6923cd4

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
416KB

MD5
03384d9e8f139b1a02a9eb9be2fc86e8

SHA1
0b66022ce0e0f6ae1df12815247f0889a3f174ee

SHA256
b0baaca76a8e70907097c74a3579c1fcabd2f9ecd596ef03d2f3e9ac58242b97

SHA512
6fe92fcddda0ff2c97125795d27bc65e684f0d7905c42c98b1a4e3dfafc07b888373abf916bcdb3e632ccda114bfa13bbcba1091b0f98d515a3ec058ed3f846f

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
416KB

MD5
9f951687d613a27fa3a01ac9cb4bfa0f

SHA1
b15ae5dc67e30c305895fb7437f4749ca0082581

SHA256
23629018ee7c81a3eff9cb0338179170478ff206cd429babe28199266d1b89f7

SHA512
56ce3787e3388908a436a48f120075892979941aa664d415d9bb50bf7082d29b740a7d23c3a308f89bf450ac4ace48a686f3dd4429baeca94fe6fa04171c18f2

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
416KB

MD5
24c687b49a58da3999217cad0de39a91

SHA1
bbd04e5aa7f387706521a99e7fce4f0b2e887fb0

SHA256
fc5d47a2c9a0e8de12193457f0be93fb926224ecda0f7e924e31dfe52ac9280e

SHA512
830bbefc65b61374df310349534b2d875cf93cdbccb781ce65e66f4ff9dca49ff2d3dae98fa00e188953823d5a09d4fe3555e12f3663336fbc36aa53f933fa81

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
416KB

MD5
e8aacb1423c14a693f0e77a8c1ba424c

SHA1
da0621b4cdb8a23ab644c0a76c200542559fa694

SHA256
7513cf3f4808f08f7d7e36b4746393bb428fbfd7382601dcff8ec305ae797adb

SHA512
1784fe08cce2c475437ca8d74aa717c2dfbcfea89bc3a9ae1608fefbb7837fed59fb07de4de48a74e2d8e81db0b432d186246cc866313022c35dfac5f8ed03e6

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
416KB

MD5
d5af07db8fb9eb0bfda104625796c269

SHA1
e637d33cef5008c022454c1294a297bc31cecad9

SHA256
e7aac210128686e1a397193e0fcd6fad54ad68206bd7e93a1d95b27323a34b61

SHA512
7f68a0b9773dfb75006b65bfda5651b1f47072fa84e825f1d2026464a66e388bebeec9b2b7fb5e1f472e67fd10122a00ea3296500dc776834b0ba254ba466a51

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
416KB

MD5
088591bc608d1e4ee1e8aa9f99367e31

SHA1
82e5982529801c126401231a2458a24cfd77934a

SHA256
88ca300686dd1fe35d002d23399e503cc4cef7904a0b8b7e314db97094bb396e

SHA512
0dc091c2d9520c41cf46b90c36e5cab45c01753c6b0dae4759c3745b84286a7e08ea6d62a8504a72179efe69970265a5e46c0074dbde0ecc3d06be6696b9a38a

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
416KB

MD5
a46139a40462cdd028b33b65f4c5ee83

SHA1
53077fcdab562aa4dc023d3c9fa7213d25bc68b5

SHA256
3e3a070601d295c99cdd1f8b3b3f5f154a7682c947f0dd7db86fa75c7302039d

SHA512
64eb56f3ee87bf423004b37b7e13828f76214bf950fe9084d013c79235a81e8747867be37bd904a800d37805575b4c734ffc7877615b1ee4da2af2c90b4fa32b

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
416KB

MD5
5aaf724da40048ea77e7767a87cd95b7

SHA1
78aaf7499288a126a40aceef6ff2269eea34ae4c

SHA256
f15fb8c3fc8ec6b2cc2e994247dc98908ac9774601a77483918fe1636275db76

SHA512
d11d54c986bd5b7791f34281a5c9825b2d36725a269208ac9d8d8ff6149bc83c5e193c7f455457e72d27645c30dd8dafb089e3cd4ef255d582bbd25d898507cc

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
416KB

MD5
0f0ad2866b0bb0ecab9fecb042a3487f

SHA1
634f98d35b25b010d00c083d43580358d12884e8

SHA256
9c88c252a0eaf548a4cb03b2915aa54f289ea1a1ada26743f68324c62e980c7b

SHA512
d5f63a395d5fbd05e90a892b3f7400b93f13ef782279ba2079ef705ef253f482c99a6d718898023a02ae400fe5f4e339a9126ba05e6eaa4192eeddb9f996f19b

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
416KB

MD5
5299062bee859a8b316279a4c85ca34b

SHA1
bc69370daba9af0c7665aadeaf95d7685d018226

SHA256
004bfdd8c781a72bbdb86292a00be97e8bb061e7a880fc8d1a8b5981d899df65

SHA512
fbcd1b6a5d3334a75a13a5581a72309957cdff1b099d8540670e13b85d27868e9b553ae3b5d2d9658a7f58a1b3f2c6d106976100334b2340ed7149204629ea48

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
416KB

MD5
04450ec2f59230ea0f24c8a1141f4895

SHA1
5f97b9978178b21f9a4bc0dbc3617b27bd9387b5

SHA256
dbd12fea95c21ff06284148e4c6853c3fa48bc17422b326a64594e6e4525ba2b

SHA512
f798544b97c683ffac58bb1dd6d98d72f60e8c81e0efe3d845531afa13f8f86ee1562a01eef44ad8e8decfb5eef8bdc6f175de3a431edc95416e8f48447b587e

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
416KB

MD5
da4eba4ced24f57d3f83ded0fe5adf63

SHA1
12cc95f4dea9936e1913642195c105026403a09c

SHA256
ccacf6f47c30259936543b323d841f028033bf9025f01dd4a57658ca41f68189

SHA512
c3cb3d23212c8d4beff2bf43575ae09f3c3059ffcc40169cfd467ca6a4a7bfe638de2c455aec294c7a96d3675d3bd98e093ada7a8bb78a15e33a05f3c566db86

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
416KB

MD5
49edce7209c10bee24fd43dcdfe62ce7

SHA1
4cd75c7c8e561b01519fc3d2daa63533f193cae3

SHA256
7dd5df1259b6e13b637d3acd22b93dbe7081f0703914752d64c04eb89f211e48

SHA512
d9c0bca53cb2d42775ff53744a9ad9c5babc38b2ce467931556770541a9013c2677ec9fd312c6191707c7b8e5fa516a078e7288e830e126b3702ee4dc8110baa

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
416KB

MD5
7d6bdf9f5771741508816f1db32ef0b1

SHA1
69831b1a396b5fc198db02d01f0d80fd84a7f3d1

SHA256
4581ab4e71db47ab399456bf1c08e331baa57d986a51fcf38c67a671948ea99a

SHA512
84cc0c9b22a3e6cb36d3b28701cb2c8f3aab33c92ad41b15b86959a59cb8d0db7b80d661095ee2b74b435bfd45b1e54ede166d085120379e26c4b2f80b36d15a

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
416KB

MD5
64cccdd3369d8862589bfc39852dc4dd

SHA1
5f701baf000af88b382b23af071d1de61a2c3a13

SHA256
4409cb35f9a756da1914685d9df088c1468549f913a0200ebf1f7cbb6a3e5610

SHA512
04d0ee3628d94a7d1b0bbb05284a266e9400c2a675f44d45385a3b1bb8654f4b00fd726d2fd742536d02f59c84da45e8ff222783de4f11f48c9150ed824d35b0

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
416KB

MD5
0cdc985bf4c15c8fe8ba7bde8c2df206

SHA1
513694f8c5377eda364033395ed11e1dc0c62b04

SHA256
5b638d732d78270f010229df0d7529159fee1e40bec6dc444e002f38f736897f

SHA512
2b4b48eeaef24f0fd77935809ea6d26b6802d8e05c1be90a7833b7e5b4352f40f45d2a9a7a1fe6f3ca427b29bfb989cbf876ce092a4667abe96b386684921d83

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
416KB

MD5
bc83e19311031a52637db3b361559262

SHA1
7c719f031082e5922e56d7970d0716053d3a7d89

SHA256
96e0d9a287429111cbe44b41bf0b122168e88dc5fea3ba86178cdd59215b113c

SHA512
9ec4b801631936e16ecfe5ac968af9496e7e1840694189c797984fe12069ce870b8564a21491a00bea86b91646392bd999f1225950f2b76fc2b1c4975dab6fb6

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
416KB

MD5
f96177ee39b22f50055ed96b30694c56

SHA1
a3be132c964dac0420b0deed20fe9f2190ebaccc

SHA256
6cd6855462f8a28b797f9ed591d397c1342b297865b1c8735da0e4758546adf3

SHA512
404d414c6bf7170c19cb541131505556b0e9d9349331d86a63d7b60a8e26616ee2c74da0fb8947cd71f34e0657f282d22f001adbb1ff964ef158f0c76f7f1ae4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
416KB

MD5
eda664e2f8890bf4c554d4080c667b71

SHA1
3fc685ea27f91c3c7a8b49f80382e9bd854dda93

SHA256
53b210748281b969efafd4419227a38d5382c82ed80c5812fac72a82e1716892

SHA512
8a6b11cdadb6acc50e3b727871623466a54244a8f16ac494bbc19ce6647e28a9706f4d560a72083751774bfdadcc261a02997274219d62cc634d52ffc6492683

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
416KB

MD5
f9b3cdc397ec049064d85723561e8c10

SHA1
6c669da40c936898b0f47e6fec31ccf2b3b9cf33

SHA256
638f518659e3a906d606ebef658ea6f7d4ceb4430a79858dd9cc29ae52363cb6

SHA512
7e7ccdec374260163ad108ae13359da6b10ec4e2330b555d83075944cc145bc91a3c3b502a4b3f910bf1051b623a809d223c28b7049772ce556c7ca15db6304f

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
416KB

MD5
349b2423d7256d7a0fa746b003afa32b

SHA1
1ed7f0079b96b671712c788aa57ed32aa890460b

SHA256
cca01a3709e9248555508ec2d778b7a9c05b0a45e1a24f30998a63b90eb63440

SHA512
7d8ad6bbab21d7110c2962dfecb8649f4554c58c1f5fcf3ef7d9143e5a6e46a9991eae476fc1ea7fc9b8fe43dfc24ce0f94303570e42287bc516c8717d963131

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
416KB

MD5
efcfbb909375ce30a79d6345188b24f0

SHA1
b93f93a63ea5bac5135113a116b793d1174aa3aa

SHA256
48720dfc30c50c2d4986d6038906d7dacedca4e18f2c93d949238453db59551d

SHA512
abfb1f3d35422492cf6e40615074eb5fbaf2422d65b065d13991c7b9ec8cd2eda84659b1157a8d2e3d0bed82a07d8d55be24146eb994d5cf1c1a516a0902a157

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
416KB

MD5
5b43d35f7f3752fa5e2e7acac0fcfcce

SHA1
c136eec75191a7b5ef0a06c38d7bbfa188198d99

SHA256
96605ac1e364161a65df9b149f59de85394f56583ab64bf54b53d5dde4e79c66

SHA512
b56ec2f20bf699016d1428936e9c52af65a6cd8cf80c3d4572b36c4f05b2ed0fd536807df39a9442a8615d127df6ec9cebb88b6a11c9e1eb4dbedb7e2c8452e5

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
416KB

MD5
0eb24d538a8f3c66110ada89819e5257

SHA1
425f93cfb6acbca1609776ed53a1d5d806b6df89

SHA256
faee80511ee7195c7bb2c6b0c22e89c15b910433610e62eb4e267683f63d9bea

SHA512
e198aeae96e4b7ec7bf9e36c3563daec9ec7a906238d29da4c09554fcbeaf13952fe72e2de4ef3c628da002ec429c83a4fc15a31c6a7dfbdbafba6249da5c3bc

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
416KB

MD5
700ea34b93c2d3a64786a9842073ccf9

SHA1
f3e9942c1b63c4574b268f0262ef27616da89438

SHA256
a1322027abafae256bbd00ebcd457f3ed84879b868df2d389ecc784cd73ba11e

SHA512
886a3446f4a0221c97397bfe621b37f778f7681c551afa889c90b4627ec6c1d719cfbbde6a07ad0e7c23320aa930772d8437a248b7c8500ea0635f49a16b2625

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
416KB

MD5
479159cd51f1faf5b4761291e70f1e40

SHA1
fcd6b85e6fb99d605141fe6547b13cab11600787

SHA256
8bf54237aef932f5da48ba096c2b4382e3f77cdf372dee691bd75a7ef42eb1fd

SHA512
4a02a9107956efd7d03f79e0ed6196581f7a5eb183c277bb520c6bb6b6225ab8398af8bc9a330a554ba24099fba478eee1cd08b6e5af166888ae7bba3274c2cb

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
416KB

MD5
c6eb277e85661bf54fd9754f91feabf8

SHA1
6be71a44d809e53648417182971665dda6081afd

SHA256
2f53b2f89f6ecc57cf1723b8e3402aa8b8666896755ba6a37d877a65c9981710

SHA512
2cb2f56e428a42108f91617bbe423b5d067d12be95889d8c287bb8f494b32d1ae3d60b128bc89abef29c3cf8eb4b440479023c5e507aa2514a45e01f37fd0ec2

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
416KB

MD5
6a42f2bfc67b10857a551b9fb839b61d

SHA1
e31bf2047ab79805f15ad28b7b1298cf39ed5eec

SHA256
a9bb8888274cffed70a55c37449eb2d6d0c687ab29ebe642251e0d076b58c314

SHA512
9814b478f708ff27ea45b572f84121a26f543985d7488882372f72023ccb11d3c77da03e8a8b5071e6f8e8de528151ed69ad0bc8974b60b59f41e66b4978a207

Download Submit
memory/216-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/456-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/976-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/988-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1116-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-603-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3200-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3288-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3868-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-597-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3948-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3984-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4300-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4484-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5148-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5188-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5228-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5272-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5308-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5348-543-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5388-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5432-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5472-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5524-591-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5572-596-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5604-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5644-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5676-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5716-595-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5784-604-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads