b61069242ab463326e38751e89c5ebaed3f6bc2c162c9bc866f58a80dc32138f

Analysis

max time kernel
135s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03c8d693fdf531eda07474104de65120N.exe
Size

56KB
MD5

03c8d693fdf531eda07474104de65120
SHA1

53ff7f512f84b9b59e4cc251f5046dbf7312a0ca
SHA256

b61069242ab463326e38751e89c5ebaed3f6bc2c162c9bc866f58a80dc32138f
SHA512

1bd9ded2f537fb72af2d0984c46cec06162ab6ac33ad5563ded3fd9e3cfbcb2babaa3ab96e939b9c0e4609efd789a0b04ab65a7cca724a6b08447d93051d088d
SSDEEP

768:liQKGL4Wg5tX2vA6AHaaoGUpwzzDzAz6ul8gx8/T5DNS/H6SA/1H5eXdnh:liPG3Y6AH7VzzDcuuldoT5Q/a9K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe

Executes dropped EXE 64 IoCs

pid	Process
4868	Mqfpckhm.exe
5304	Mcelpggq.exe
412	Mfchlbfd.exe
5132	Mqimikfj.exe
5140	Mcgiefen.exe
4440	Mjaabq32.exe
5456	Mmpmnl32.exe
3396	Mcifkf32.exe
5024	Mfhbga32.exe
2624	Nmbjcljl.exe
780	Nopfpgip.exe
1492	Nclbpf32.exe
1948	Nfjola32.exe
396	Nmdgikhi.exe
3180	Ngjkfd32.exe
2788	Nmfcok32.exe
2732	Npepkf32.exe
4216	Nfohgqlg.exe
1508	Nmipdk32.exe
2280	Ngndaccj.exe
6016	Nnhmnn32.exe
1652	Nceefd32.exe
1488	Ojomcopk.exe
5496	Omnjojpo.exe
5680	Ocgbld32.exe
5356	Ojajin32.exe
968	Oakbehfe.exe
2540	Ogekbb32.exe
3276	Onocomdo.exe
2064	Oclkgccf.exe
5784	Oghghb32.exe
1444	Onapdl32.exe
352	Opclldhj.exe
4172	Ofmdio32.exe
2856	Ondljl32.exe
4248	Ohlqcagj.exe
5328	Pnfiplog.exe
5752	Pccahbmn.exe
1600	Pfandnla.exe
576	Pjmjdm32.exe
2188	Pmlfqh32.exe
2708	Pfdjinjo.exe
2240	Pmnbfhal.exe
4800	Phcgcqab.exe
1680	Pnmopk32.exe
1324	Ppolhcnm.exe
5792	Pfiddm32.exe
6132	Pnplfj32.exe
4364	Panhbfep.exe
4876	Pdmdnadc.exe
5148	Qobhkjdi.exe
4896	Qpcecb32.exe
3336	Qhjmdp32.exe
5420	Qjiipk32.exe
3972	Qmgelf32.exe
2000	Qacameaj.exe
6092	Ahmjjoig.exe
1224	Akkffkhk.exe
4912	Amjbbfgo.exe
6040	Adcjop32.exe
3288	Afbgkl32.exe
2216	Aoioli32.exe
5392	Aagkhd32.exe
3484	Adfgdpmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Nopfpgip.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Nmdgikhi.exe	Nfjola32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlfqh32.exe	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Fgjimp32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qmgelf32.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Caojpaij.exe	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Dkodcb32.dll	03c8d693fdf531eda07474104de65120N.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	Pfdjinjo.exe
File opened for modification	C:\Windows\SysWOW64\Akpoaj32.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Bknlbhhe.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Gbfnjgdn.dll	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Mqnbqh32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Mjaabq32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Jhpicj32.dll	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Akfiji32.dll	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmipdk32.exe	Nfohgqlg.exe
File opened for modification	C:\Windows\SysWOW64\Pnmopk32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Cggkemhh.dll	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Agimkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Bmeandma.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Bdojjo32.exe	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Mmpmnl32.exe
File created	C:\Windows\SysWOW64\Qimkic32.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	Nmdgikhi.exe
File opened for modification	C:\Windows\SysWOW64\Nnhmnn32.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qmgelf32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5516	5292	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqimikfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfchlbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcgiefen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	03c8d693fdf531eda07474104de65120N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojajin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akpoaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	03c8d693fdf531eda07474104de65120N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggpfkjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4868	4548	03c8d693fdf531eda07474104de65120N.exe	84
PID 4548 wrote to memory of 4868	4548	03c8d693fdf531eda07474104de65120N.exe	84
PID 4548 wrote to memory of 4868	4548	03c8d693fdf531eda07474104de65120N.exe	84
PID 4868 wrote to memory of 5304	4868	Mqfpckhm.exe	85
PID 4868 wrote to memory of 5304	4868	Mqfpckhm.exe	85
PID 4868 wrote to memory of 5304	4868	Mqfpckhm.exe	85
PID 5304 wrote to memory of 412	5304	Mcelpggq.exe	86
PID 5304 wrote to memory of 412	5304	Mcelpggq.exe	86
PID 5304 wrote to memory of 412	5304	Mcelpggq.exe	86
PID 412 wrote to memory of 5132	412	Mfchlbfd.exe	87
PID 412 wrote to memory of 5132	412	Mfchlbfd.exe	87
PID 412 wrote to memory of 5132	412	Mfchlbfd.exe	87
PID 5132 wrote to memory of 5140	5132	Mqimikfj.exe	88
PID 5132 wrote to memory of 5140	5132	Mqimikfj.exe	88
PID 5132 wrote to memory of 5140	5132	Mqimikfj.exe	88
PID 5140 wrote to memory of 4440	5140	Mcgiefen.exe	89
PID 5140 wrote to memory of 4440	5140	Mcgiefen.exe	89
PID 5140 wrote to memory of 4440	5140	Mcgiefen.exe	89
PID 4440 wrote to memory of 5456	4440	Mjaabq32.exe	90
PID 4440 wrote to memory of 5456	4440	Mjaabq32.exe	90
PID 4440 wrote to memory of 5456	4440	Mjaabq32.exe	90
PID 5456 wrote to memory of 3396	5456	Mmpmnl32.exe	91
PID 5456 wrote to memory of 3396	5456	Mmpmnl32.exe	91
PID 5456 wrote to memory of 3396	5456	Mmpmnl32.exe	91
PID 3396 wrote to memory of 5024	3396	Mcifkf32.exe	92
PID 3396 wrote to memory of 5024	3396	Mcifkf32.exe	92
PID 3396 wrote to memory of 5024	3396	Mcifkf32.exe	92
PID 5024 wrote to memory of 2624	5024	Mfhbga32.exe	93
PID 5024 wrote to memory of 2624	5024	Mfhbga32.exe	93
PID 5024 wrote to memory of 2624	5024	Mfhbga32.exe	93
PID 2624 wrote to memory of 780	2624	Nmbjcljl.exe	94
PID 2624 wrote to memory of 780	2624	Nmbjcljl.exe	94
PID 2624 wrote to memory of 780	2624	Nmbjcljl.exe	94
PID 780 wrote to memory of 1492	780	Nopfpgip.exe	95
PID 780 wrote to memory of 1492	780	Nopfpgip.exe	95
PID 780 wrote to memory of 1492	780	Nopfpgip.exe	95
PID 1492 wrote to memory of 1948	1492	Nclbpf32.exe	96
PID 1492 wrote to memory of 1948	1492	Nclbpf32.exe	96
PID 1492 wrote to memory of 1948	1492	Nclbpf32.exe	96
PID 1948 wrote to memory of 396	1948	Nfjola32.exe	98
PID 1948 wrote to memory of 396	1948	Nfjola32.exe	98
PID 1948 wrote to memory of 396	1948	Nfjola32.exe	98
PID 396 wrote to memory of 3180	396	Nmdgikhi.exe	99
PID 396 wrote to memory of 3180	396	Nmdgikhi.exe	99
PID 396 wrote to memory of 3180	396	Nmdgikhi.exe	99
PID 3180 wrote to memory of 2788	3180	Ngjkfd32.exe	100
PID 3180 wrote to memory of 2788	3180	Ngjkfd32.exe	100
PID 3180 wrote to memory of 2788	3180	Ngjkfd32.exe	100
PID 2788 wrote to memory of 2732	2788	Nmfcok32.exe	102
PID 2788 wrote to memory of 2732	2788	Nmfcok32.exe	102
PID 2788 wrote to memory of 2732	2788	Nmfcok32.exe	102
PID 2732 wrote to memory of 4216	2732	Npepkf32.exe	103
PID 2732 wrote to memory of 4216	2732	Npepkf32.exe	103
PID 2732 wrote to memory of 4216	2732	Npepkf32.exe	103
PID 4216 wrote to memory of 1508	4216	Nfohgqlg.exe	105
PID 4216 wrote to memory of 1508	4216	Nfohgqlg.exe	105
PID 4216 wrote to memory of 1508	4216	Nfohgqlg.exe	105
PID 1508 wrote to memory of 2280	1508	Nmipdk32.exe	106
PID 1508 wrote to memory of 2280	1508	Nmipdk32.exe	106
PID 1508 wrote to memory of 2280	1508	Nmipdk32.exe	106
PID 2280 wrote to memory of 6016	2280	Ngndaccj.exe	107
PID 2280 wrote to memory of 6016	2280	Ngndaccj.exe	107
PID 2280 wrote to memory of 6016	2280	Ngndaccj.exe	107
PID 6016 wrote to memory of 1652	6016	Nnhmnn32.exe	108

C:\Users\Admin\AppData\Local\Temp\03c8d693fdf531eda07474104de65120N.exe
"C:\Users\Admin\AppData\Local\Temp\03c8d693fdf531eda07474104de65120N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\Mqfpckhm.exe
  C:\Windows\system32\Mqfpckhm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\Mcelpggq.exe
    C:\Windows\system32\Mcelpggq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5304
  - - C:\Windows\SysWOW64\Mfchlbfd.exe
      C:\Windows\system32\Mfchlbfd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5132
      - C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5140
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5456
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6016
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        25⤵
        Executes dropped EXE
        
        PID:5496
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        26⤵
        Executes dropped EXE
        
        PID:5680
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        28⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        30⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        34⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        37⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        46⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        67⤵
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3696
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        69⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        79⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        86⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        93⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2100
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        110⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3024
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 400
        123⤵
        Program crash
        
        PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5292 -ip 5292
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amcehdod.exe

Filesize
56KB

MD5
aeab4c1f251edd99c5de734c978d4e22

SHA1
3fa62a726ab902984917496238b47e508c3ad965

SHA256
a1cb9c8c3ca05887d0364e62b060c36f1a627db70b5bde58982ec4b62dbb66d2

SHA512
e16086a96284648c28d305ac18fc1b696ad67c7ca9a8f0287f8ba8c47c2577af987eea630108f071e9e370c6f79113e4263d128b097df6cbf9f87e97aabefb17

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
56KB

MD5
dcc87becbe9d128b745183d6a8096713

SHA1
54f418ed6fc2e316686b9973e7d6fb02d02a4a5d

SHA256
4dbca6308de0c61955274b2656d85d5729973523d4fdafe81b5f9de2438ef79b

SHA512
a1999be69c7acaa51c44add0eba1db728774cf07615f3405efb648b897272f95debbca778c68ab888f14a558742341a04b76ab2630e30bca275b28758e84a6b0

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
56KB

MD5
5e9de1fd3b9a4d4946251eabf5160fec

SHA1
a33fbb9cf6f84ac8732ae6727c67eb43163bbd2f

SHA256
b3597eefd08b9a0e94a07d3fa457608e760c63b85b9704ffa84dcc66c5f6c3a0

SHA512
a63398275488a38c88a06605f693949aa794fc11a2f3d2a0cee6ca72fd8beff2f4f4c1298dd97b9d9824ff042b3be56a5ab852abd972269baa7aeaa62a4ce7f1

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
56KB

MD5
cf660c75e8d58fdb45b1e2b525eab90e

SHA1
eafc4181c93540f162232a533605371e36eaeb4d

SHA256
3771655e7e03934c3cde248d9e847e9e200289bc6c03d283fd76bbe04d092469

SHA512
0a12eecc7da77d506be68e4a16907e8166f5271d3abe3ebbef752d0353724f43b36036b755e2f5ed38e2f670750f5f7ce1a157e6e1f76932ce8630c89e8d74a6

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
56KB

MD5
8f8d0f4f69a983c3706d23b9ccc7636d

SHA1
0f343592978e3b87b95cfcb7136ca6377ccbefab

SHA256
434be63f6cd146cc11323a68c1acb461e50741e3316114b7360acc69d32731cc

SHA512
04f05565c566bb268d4e20be9ab86c5a87296e9f45892875e1228ad0025b2fd11bb0b12596ec352343a79c661f8e0f7ab0d9e506cd2ddb5cf61a3ebcbdd72d06

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
56KB

MD5
24550536d98f1fbb2ae75ec8afaeb1b0

SHA1
41bab427608522cac8e583f3a7ebd1cb4c6e3bb7

SHA256
4def6efb142acf7fd29fdd6b41b792660c46e6097cad3e39bc3a110eba8e5e00

SHA512
db4a77c2712995f2157cd8b69db4d77e7006c639a2e120ee476f2ff17fa6b5aec236ef58c9fe73aa81b0607013eaced122ea26286ab45033ebc12d9bbfe61351

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
56KB

MD5
b925677e502ee29cb3b7fd4bc3a175f5

SHA1
24e3c196d601c41248107ebe8e916b2dc2c4535a

SHA256
9dc5e3055146226b812aa6216eb0a034532ee68c375520fb3e5ece9935d5991d

SHA512
319fcd9fdd3c571c52be410aaec1b7ed965f4c58219f08c3546d2003a4b272f1a0262fd69b8d11bd49e13485f42fb7a39eafcbfefe0d1bcae335d872d9f56ec2

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
56KB

MD5
26b6f92a4c2340618eed06549648bc4b

SHA1
50bf23343cb69e6809fb766db9411a7c4e315c17

SHA256
ac15f1e6f8915dce9d51c5f34905985c7da3bc437c65265316df5f88dac7a5f2

SHA512
98e637094fc88bef5710975e6407cfb5e553bc26463d0f484f853adf6219698e6bed45bdb303850c6366087db037b56c0f48be8015d046682d4a76ffeeed08f3

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
56KB

MD5
54b4718f1400b898ca8db827543bd237

SHA1
88b3181148a49274ca5dd35db427e859f6aa3082

SHA256
94eea7ecb07c5ba75af615f921b85fd32f43e6e504551c8cad12004c8f521436

SHA512
67abf0ab7c43dc8377edbca1e2f65d8ee679ad4ad89fa248a9952e4ceb5a57772e8c0a62a91455e55eb2d2a452f034a4eac20a0e818ec81bce22e70c8b0d2d52

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
56KB

MD5
e2832c93e0eb63d0a0173a9a4046388a

SHA1
42e5226b8561a289a26a64ccf4f52889efabd167

SHA256
5f7a875d8433ef18dabcc4ff61399855a4dbb38120a2bd00ad6f476c59afeff8

SHA512
27f0e66bacf9f3b721a15d3c59a080d9d473538f688988b12a5627cf4b3d4ed7dd5b035b3d8c0a75f111d641ccace66cea34c486e74187bb08ede8ad0a9ff6cc

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
56KB

MD5
5b3cc71166e7282ff4e8dbf4287eca1e

SHA1
d883e9f17ea7a9c25aec6655bd3d124c943c15c6

SHA256
2cce53b316a6081986a5d59d7dc0605299f44a15e41beb69f2488482af849a10

SHA512
5891dab98b2757cc5229d04720faf85c907001709f4795113306e7843c71ced3b700e7b8b6f99e078f349ed522e907243606ab93014549b703a4eeafb25de839

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
56KB

MD5
3a20b9c40c694197011e123480362580

SHA1
2f823c4eee92d65cbfc5992a2ca5b039699cb879

SHA256
56b3a3103da2ace4c10ffa85bad62f370cec544182b107a7dc45b809b5dad7d8

SHA512
49207292f46c12747e861c8064d4a4de62d0eeb010f0c1fa0a5de553ecd291a1100784c158bc3b939ea5056fac5a307bd816ecaf2fc9d051ef6508990b67ae6a

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
56KB

MD5
5ab2ce6c415c5f445d2a4515a2bdbc6e

SHA1
56186aa3fe01e17bf877879479b174285ec3c4c9

SHA256
12343e154aced771d9aabdc2fcfd5b25b0652af346537419ce67ad20ff8cada1

SHA512
33caa3bc8dd7766e93ba65bb546171d8d206f172c56b53b10e3b9600050dde83fcc1bdd1e2034a09798cae45dbea65ca362f2c3980bc8b726d42e8bd6be9b7bf

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
56KB

MD5
d419e801173e0c2de18d167cb1aec4ea

SHA1
e47ee92925bf98fc2e26389df258c1b62452763d

SHA256
1f593d0b3a2ac5cdb105e676bdb84c10e48b94e42b28ef7602f5fba407e132a6

SHA512
4958a1a8f62c7dbad7d71bf676505b810367bc28bfcc0def7c05edf556848904d56f4c4948394312acdfd01a4d0531e8a1c6de72c6740c00fe0190203bfe89c2

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
56KB

MD5
9d969943b54252a4d6e15c7dc81cf55c

SHA1
380eb8e2c5745fd0f1dad6234713078996027b83

SHA256
65ea15d66eb5d590683f34086ea704929cfb3de6bfc893e7a90ea8efac19d1ef

SHA512
710e8b018284e6a57545b0e23a2f79d85b659a4351eaff342f863a9ade605b8fddf83d668e03000c44aede81d6dc3f767d5fd319d83b4627b49be0377a1e8fb2

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
56KB

MD5
99b97c1e5cc6cd2c7f271bba0078bf3d

SHA1
010e8a90d370132fa2bddb54f416073a5a8da0f4

SHA256
7486649c38b42c4084588b0713c37591a6fc8f7fa315d5e3062bd90906b72cd4

SHA512
b8c924adbf18a0fc20c68ef8daff512a3fb6f7a32354ae08819963d98bae60e445e3813bf88b0bdf81ff67aa9bfc1a9343a0cd2c0cc7403438ddc9683e004149

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
56KB

MD5
0acfc5ed2d26bc3fb6e17a1b86c9ce4f

SHA1
d4a7e9aa1af9bba30ee1041a9e5f264b2421b90e

SHA256
9af4b5aedf42d4e9d0689bccf0598d51e2298a65cee4e4fa353d6b9043342277

SHA512
9e7d86218fcb30733b160d0e689044bb20cd8259429bae9bcffb6f751438b470bc0a9e45d8354aae40aabdc13a0d5db3da7b541c7c6ad6d1a1ca40d2ed4c4fbe

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
56KB

MD5
fce413b188895190fd2437245502d2d7

SHA1
0773ec915036ca2b85bcfbee371de4b19e090ac0

SHA256
15973da1d680ef86b9d90328fe8e931190dcffa0f7752a17e28bfc0437d44e5d

SHA512
e33e4ad199933e39be540ad92c2cca04b03afd2d663539643518831f540c8615adb2f2e6f7f78ae9077fecec71271a63ddae4d9595fd6eac1075f2f378f6409f

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
56KB

MD5
2f05b423777f75181dd9352e527717d0

SHA1
6ed486aa45a1ce8021ef8a4e7087a444dcf76c5a

SHA256
269da01a05ba586bfbb4db865e2c038dcbb9f31d5ec1a58adca2c71eab9a5b35

SHA512
0210f8f59af2b893e570a7c424978755fb347d40582dd0ba3d2e9af239e4818eef9cc8f342448e5c45787a80b58fff9a050aed04d897a91fe9e4d52bcdefb8df

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
56KB

MD5
8621ffe0d0c878b8a0e0083047fb5b52

SHA1
a3a6aaa3e6a80aa4cbbc695523c7c89955e32a81

SHA256
13020d40e9bb1441bbb074dedb2666183dd16f08c66ee5543c0d068b6d66ce2b

SHA512
65b00df8fe90bb8a44746993fe3c8249dd23d634ad7d26047471400f1d6a1e06fd0fa9017e8eef230289fba4fea7c7ee9ad1e400f2e4dd777f63efde3e2a39dd

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
56KB

MD5
76e1d7574b985f9bfda2541ff4619f5e

SHA1
e604914dca844d3a7b84ef14df2e0fdf3445725f

SHA256
47681477d1177f3452a624dc4b9c1983fc81b2cc7d29d75dff7aac6e9732bb51

SHA512
9bd7c8f01a33fe3eeae7f1aee8df2638678b406f17e947e78519f0fe571458bfb78d3396150416408780ae93c9789d588fe250e3e8fde33e80702b49bde9315f

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
56KB

MD5
8b69954cc8cebd835f5408d60f3273ba

SHA1
97eb98c17486950e39040e49bc636e442639476e

SHA256
b5a528b18fc7d27e8a496e876623b087c4395e72bef53baa728573f5cad04e19

SHA512
df559ad5b38d4792c0efc1a5c7ae15a1d7ea208badba958da4077a35f39a4de4f58f037b5465b309865141ea878562b30f9a8400bb5890df7c12cdba39e61dce

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
56KB

MD5
21cb86ffae69369468be5b25fd0e655f

SHA1
3f70933cdf1d0491b3eb05ce013614685f2c099c

SHA256
457b1f4876c05b5dafaa141ba54fd3d7a353978cd0009c291534417642efcd78

SHA512
7cef099ac55dcc51dcc75db94d58f900bb53246bf9f7b96db8c1547b8b5e0e1045d0e10fc4c7ea173d0c6ecc7c48be6f01fa5d0fbefc2c7a606dd4081f5aeded

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
56KB

MD5
86ebe1cc57a35da55b60ae319111a7f4

SHA1
c6d34392abf3ce818228666d94b1e822e80a2eac

SHA256
e246fda7890ed272fc728f9a5230f776896663eec83511381fbabc0cbd56997b

SHA512
8d52f811d68100dad41452c9ebbd4f5c6bb016eb45df311e68db1555b7373e15151cda70ea7eaf15b2d1cb5c69ff62c6ce818164b7ef3324aeb05696aeaf6f7f

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
56KB

MD5
af1a1c28c3712380a9b75b328711eaea

SHA1
6feff42e3eeb3331adda5aad7d01fee4e8aa2319

SHA256
468348ecc78c5874011b5de249c7e75764135afcbf36b9b440d6f74c49b4afa4

SHA512
bf2e41a5449164979d8f24f8c95f7e1bd8320c9569534718f58cc6ece3beb9fc7e14a861ffbe62dbab68d5e80e4e1f9764294ce622cbae3f709d46c05362fb3a

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
56KB

MD5
df25edccde338870026a2cd4404f5e82

SHA1
8e975de702e64758752b77daa1e22635ebb2c157

SHA256
a6d5842b188591c72d982029362303a89799c46cf4686027fcd19cfb04cc5da8

SHA512
d83c058b018033cfbb34c9bc9494d24d7c6fe78102c8518f9a5a7433dda0b4362a3e659cb557a37ebb159920685f454696912e413006c54b49371c0e3c7bad09

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
56KB

MD5
a454909606708536a81e933379d035c7

SHA1
bf79f6760b374d33c79ae9a66386b2c3260c2a45

SHA256
b9f01ac3c791f48f8c503245a1d64baafa058066a6ca3f595b3d400c0135498c

SHA512
1f3f78ac4abe06db71d5f286dcb8a17709f121afe1a0b93ef48bf755890f98ef91a7bd41f714fffc7222d329b886736307068004fe21a8151397a0ae227c1d5b

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
56KB

MD5
6665ed07a9dd8a7090b1a3b13b36c36e

SHA1
eee3682d97a4a88b0445647b4153525a685718bf

SHA256
823ff8d25cd6ade7dc4c5118ba1b7c8d3f4052b8d8b794b36a7726d7ed2aaac3

SHA512
48e95969a4b5ec4a6645ff7a6ec68d1440527b1adad32d99aeacdfcfc55a749e0852b2e89b33fde451ad6368c531b5fdb7fc7983df4939fbf52a4d5405d41b36

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
56KB

MD5
dd1bf94ca722153ca1ed22b3ba61dc3c

SHA1
c0ba642627f0be3a81370c2d13dc225474b53877

SHA256
d57108eaba6dcd141aa816f6b38f2e13be36a50167150fe55770f2e1ccea6b88

SHA512
0f3e078d64a477c840bba4ef0b7aec5a6ad22885e8ad4e8c1fd11b50f3df7dce14dc0403f114bfedd39643ecfee577db34871900b492faa39181a5576055b531

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
56KB

MD5
589e8712531173ac9021a54d29721fcf

SHA1
dd8234b68e521c128de3479fc4b69b0bd8e0b117

SHA256
4c7e4ad10ce3849aaf32189a17b0ac1104b81d1975f98aec9bdf5593b8597480

SHA512
ead92010cd459cb6d2dc4dfafbfb567c5e2a7511a32830d2c22834f410ba9a17f89f5c1e0b41718e2af6531413a6918c0d7fac4670e0d7357f20a408b17b4919

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
56KB

MD5
3de7f60937c777640de79634fd5f3212

SHA1
d535de58933d314c31fa15e5dda7599bd3f3d0d2

SHA256
8ce7d530e4eb31015a37ac813ab1a548b1b366d1c6e5f6420483de86477b81e9

SHA512
0fae61236e96b304ef939f91b9215f9fce16737048692a52060f1d3354d6ea1fccc2c486f79ef5e5f2a4a0920904db88c514a52177aaa26d90836a64367cd150

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
56KB

MD5
ed344f6113970dc1949e1483f37e52f5

SHA1
eb8656e64926f3c779214e8f8f4cbb639ebf6859

SHA256
408a968b1f9a9fef4f6d4f0680fcab1624038d9707ec0ce92d1f2d91c2912ca4

SHA512
80e911392f23d05f199114b1bb97fe50dba23e8d7b884af96d7178c0105a05a346715671da9800f31de840ba6510d06165c7b3798f7ebcd384388651121a54eb

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
56KB

MD5
f47bf10d2b5032e291b6512fd61ab7cb

SHA1
a318e17734f3439c0e46603a048ec84fd0bc0aa0

SHA256
85600d5d7da34c2a182fb17e02cc0138efe176f13ef9f7a775e99e421c138484

SHA512
988babc21220b62885b9727614970f67363786d81ee999f82bfe279813b2e4cfe1315ace82065bd742b41c615bbf82abdef103afb96dbcdd9cd48fd66fe20d4e

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
56KB

MD5
1ec3c41b407c92a5069c81705245dc9b

SHA1
68d593afeed11127a215f5e1edf13f305c79bd5d

SHA256
958c24f9eaa475732413f3ab6b478468efdabd723afa6f42644fdf97f1328523

SHA512
2174c57f658fb454b3ca7fff094775c9d82f73d2ea9b1000fefdfae748878a86fdf81083614f6faa151117dd15c8919c002c720f59b7ede79f16d33d36e85623

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
56KB

MD5
adc952cd9e025ed6be0f7da80adb280b

SHA1
3424d280c13c7d84dc5c32b6d8ebe0e3e2591d0d

SHA256
edf0bae0918f60d97ff18094158e571ec5987d93680b98881eb58bc28f80c3fd

SHA512
0c8e4eaaf1b39ef7c3c1f80d3fc8b06b13a556735862bfeabaf8d32e2ff62319c6978b414ace130e6e0d013f6e92007e4017bddb3474b38659071dfb49cb3c65

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
56KB

MD5
a54285e0a821c82939c56936ffe954cf

SHA1
7b7336b44b1d4cdd6134940a3ae540781dd90857

SHA256
32c9f9b2c90b7abee6b89e306da6068ac22c5ad4ef1f2c9d364c8e5cdd238e1c

SHA512
0a0e25ce6b91ee2ef65137e128e710304f73afd3628da2ffde7fa97d677089b15565d09fc40f7367773dbfe197ceb6046dd977ec64668bfab7c6cad1a50852c7

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
56KB

MD5
1a6bdcf16696412bd50447b236bff1af

SHA1
1a9f1d8e1391923162a01e38c7513722348f266d

SHA256
2c944c22bfb1efa2ae492f2b082d616f959fe2a7224ff0f7d20e9a39c5e8a188

SHA512
6e6839daa3fbb7f928f81393bad5103c39d2cd970de0db22e089624be4ea1350b4c9892d5a6fd0365f8578f93dbe3c9e9c0be503c7ac1eb50b8aacfa53437516

Download Submit
memory/352-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/352-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4548-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5148-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5496-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5496-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5680-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5680-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5752-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5752-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5792-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6016-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6016-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6132-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads