a87e3d7f9df279ca860870e42be2cf0ee7ad3c3e977f1b9e0bf1caff82e66214

Analysis

max time kernel
109s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2afd05f68771e4b1daad7b8af092230N.exe
Size

99KB
MD5

f2afd05f68771e4b1daad7b8af092230
SHA1

10e22c39b04ac46d7c26117886c5d11315bf1cc3
SHA256

a87e3d7f9df279ca860870e42be2cf0ee7ad3c3e977f1b9e0bf1caff82e66214
SHA512

3fef5a3022d9fed7366145b69de9466eb2ca10c2cae27df58803a15d331cad8d7ce32f21380986842eafdf8551845ff51bf017fe6e46f2b57de6639590cf26c3
SSDEEP

3072:3dzSlEyhIVmJ21oZt5eyKXpwoTRBmDRGGurhUI:aT2m4EtMYm7UI

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f2afd05f68771e4b1daad7b8af092230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe

Executes dropped EXE 64 IoCs

pid	Process
4676	Ndokbi32.exe
2296	Ngmgne32.exe
468	Nilcjp32.exe
1672	Npfkgjdn.exe
3988	Ngpccdlj.exe
224	Njnpppkn.exe
4016	Nphhmj32.exe
2472	Ngbpidjh.exe
1340	Njqmepik.exe
4412	Npjebj32.exe
1020	Ncianepl.exe
3884	Njciko32.exe
4576	Nlaegk32.exe
2024	Ndhmhh32.exe
3680	Nggjdc32.exe
4864	Njefqo32.exe
1644	Ogifjcdp.exe
736	Odmgcgbi.exe
2168	Oneklm32.exe
3060	Ocbddc32.exe
564	Onhhamgg.exe
4252	Ocdqjceo.exe
2316	Onjegled.exe
348	Ocgmpccl.exe
4824	Ojaelm32.exe
3708	Pmoahijl.exe
4384	Pcijeb32.exe
2060	Pnonbk32.exe
4580	Pdifoehl.exe
2452	Pfjcgn32.exe
2528	Pmdkch32.exe
1812	Pgioqq32.exe
2044	Pjhlml32.exe
2224	Pdmpje32.exe
2100	Pfolbmje.exe
408	Pnfdcjkg.exe
208	Pdpmpdbd.exe
5068	Pgnilpah.exe
3660	Qnhahj32.exe
3296	Qdbiedpa.exe
2600	Qjoankoi.exe
3736	Qnjnnj32.exe
1580	Qddfkd32.exe
3900	Qffbbldm.exe
4936	Ajanck32.exe
2984	Aqkgpedc.exe
4344	Ageolo32.exe
4452	Ajckij32.exe
2028	Aqncedbp.exe
4964	Agglboim.exe
2104	Amddjegd.exe
4524	Aeklkchg.exe
4612	Afmhck32.exe
3696	Amgapeea.exe
3420	Aeniabfd.exe
1952	Afoeiklb.exe
2928	Anfmjhmd.exe
2952	Aadifclh.exe
2280	Accfbokl.exe
1112	Bfabnjjp.exe
1044	Bmkjkd32.exe
1432	Bebblb32.exe
1052	Bganhm32.exe
4112	Bnkgeg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6012	5852	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2afd05f68771e4b1daad7b8af092230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f2afd05f68771e4b1daad7b8af092230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4676	2456	f2afd05f68771e4b1daad7b8af092230N.exe	84
PID 2456 wrote to memory of 4676	2456	f2afd05f68771e4b1daad7b8af092230N.exe	84
PID 2456 wrote to memory of 4676	2456	f2afd05f68771e4b1daad7b8af092230N.exe	84
PID 4676 wrote to memory of 2296	4676	Ndokbi32.exe	85
PID 4676 wrote to memory of 2296	4676	Ndokbi32.exe	85
PID 4676 wrote to memory of 2296	4676	Ndokbi32.exe	85
PID 2296 wrote to memory of 468	2296	Ngmgne32.exe	86
PID 2296 wrote to memory of 468	2296	Ngmgne32.exe	86
PID 2296 wrote to memory of 468	2296	Ngmgne32.exe	86
PID 468 wrote to memory of 1672	468	Nilcjp32.exe	87
PID 468 wrote to memory of 1672	468	Nilcjp32.exe	87
PID 468 wrote to memory of 1672	468	Nilcjp32.exe	87
PID 1672 wrote to memory of 3988	1672	Npfkgjdn.exe	88
PID 1672 wrote to memory of 3988	1672	Npfkgjdn.exe	88
PID 1672 wrote to memory of 3988	1672	Npfkgjdn.exe	88
PID 3988 wrote to memory of 224	3988	Ngpccdlj.exe	89
PID 3988 wrote to memory of 224	3988	Ngpccdlj.exe	89
PID 3988 wrote to memory of 224	3988	Ngpccdlj.exe	89
PID 224 wrote to memory of 4016	224	Njnpppkn.exe	90
PID 224 wrote to memory of 4016	224	Njnpppkn.exe	90
PID 224 wrote to memory of 4016	224	Njnpppkn.exe	90
PID 4016 wrote to memory of 2472	4016	Nphhmj32.exe	91
PID 4016 wrote to memory of 2472	4016	Nphhmj32.exe	91
PID 4016 wrote to memory of 2472	4016	Nphhmj32.exe	91
PID 2472 wrote to memory of 1340	2472	Ngbpidjh.exe	92
PID 2472 wrote to memory of 1340	2472	Ngbpidjh.exe	92
PID 2472 wrote to memory of 1340	2472	Ngbpidjh.exe	92
PID 1340 wrote to memory of 4412	1340	Njqmepik.exe	93
PID 1340 wrote to memory of 4412	1340	Njqmepik.exe	93
PID 1340 wrote to memory of 4412	1340	Njqmepik.exe	93
PID 4412 wrote to memory of 1020	4412	Npjebj32.exe	94
PID 4412 wrote to memory of 1020	4412	Npjebj32.exe	94
PID 4412 wrote to memory of 1020	4412	Npjebj32.exe	94
PID 1020 wrote to memory of 3884	1020	Ncianepl.exe	95
PID 1020 wrote to memory of 3884	1020	Ncianepl.exe	95
PID 1020 wrote to memory of 3884	1020	Ncianepl.exe	95
PID 3884 wrote to memory of 4576	3884	Njciko32.exe	96
PID 3884 wrote to memory of 4576	3884	Njciko32.exe	96
PID 3884 wrote to memory of 4576	3884	Njciko32.exe	96
PID 4576 wrote to memory of 2024	4576	Nlaegk32.exe	97
PID 4576 wrote to memory of 2024	4576	Nlaegk32.exe	97
PID 4576 wrote to memory of 2024	4576	Nlaegk32.exe	97
PID 2024 wrote to memory of 3680	2024	Ndhmhh32.exe	98
PID 2024 wrote to memory of 3680	2024	Ndhmhh32.exe	98
PID 2024 wrote to memory of 3680	2024	Ndhmhh32.exe	98
PID 3680 wrote to memory of 4864	3680	Nggjdc32.exe	100
PID 3680 wrote to memory of 4864	3680	Nggjdc32.exe	100
PID 3680 wrote to memory of 4864	3680	Nggjdc32.exe	100
PID 4864 wrote to memory of 1644	4864	Njefqo32.exe	101
PID 4864 wrote to memory of 1644	4864	Njefqo32.exe	101
PID 4864 wrote to memory of 1644	4864	Njefqo32.exe	101
PID 1644 wrote to memory of 736	1644	Ogifjcdp.exe	103
PID 1644 wrote to memory of 736	1644	Ogifjcdp.exe	103
PID 1644 wrote to memory of 736	1644	Ogifjcdp.exe	103
PID 736 wrote to memory of 2168	736	Odmgcgbi.exe	104
PID 736 wrote to memory of 2168	736	Odmgcgbi.exe	104
PID 736 wrote to memory of 2168	736	Odmgcgbi.exe	104
PID 2168 wrote to memory of 3060	2168	Oneklm32.exe	106
PID 2168 wrote to memory of 3060	2168	Oneklm32.exe	106
PID 2168 wrote to memory of 3060	2168	Oneklm32.exe	106
PID 3060 wrote to memory of 564	3060	Ocbddc32.exe	107
PID 3060 wrote to memory of 564	3060	Ocbddc32.exe	107
PID 3060 wrote to memory of 564	3060	Ocbddc32.exe	107
PID 564 wrote to memory of 4252	564	Onhhamgg.exe	108

C:\Users\Admin\AppData\Local\Temp\f2afd05f68771e4b1daad7b8af092230N.exe
"C:\Users\Admin\AppData\Local\Temp\f2afd05f68771e4b1daad7b8af092230N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\Ndokbi32.exe
  C:\Windows\system32\Ndokbi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        50⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        55⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        85⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        87⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        91⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        100⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        102⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        116⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 408
        117⤵
        Program crash
        
        PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5852 -ip 5852
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
99KB

MD5
9ac35695ada5d2e1c572d8b2a009dace

SHA1
10ce6da3306f3d184f89abb837b90aa53ac537dc

SHA256
dee5b673a58216626fed9a760dede0cb9385cb972fc40ff44e0ea6eb247f6160

SHA512
2e53fbefdfe43a7ba6f49f625147026dadd8121a66370848124175cb0748d7180dacc6c5113023446a0223a1fbc27d6b4f5a6624f9dfe00a6c269afe79c0cac3

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
99KB

MD5
832717c447e9341c436e0bf39a54a545

SHA1
f30183b900f374e02b303c31163efe1356b02bf9

SHA256
6b61c6674320229139ea542b4ee099b6159bc6ceeb5f80f382674a17e74076ca

SHA512
eb82e50491c4b6e0bae6a3e629f3500ebd05cfe059216527f0b97a7e8eb5af7cdbbc19c89f88e3a2cc3a79f210af4880ebaa87dc080a7f15a4f1efa1dc2d59df

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
99KB

MD5
2ad07a43cb54915d38e52152612f5655

SHA1
5c4cd8cd356ea2038e4e4e2a536131f3d6925f94

SHA256
8c98a1cacd0290cb1c377a8024a8a0881e0d3e229a89e18e3b3e08b24884dd57

SHA512
b39d1fce4deb0f46b976ed18cc4435dcbb93a214cfbb716717cd10c9dce0567eb6a8609b3371b3c101521bb11c514d58453c27b0a6e338b55c4bf45a16c1c62f

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
99KB

MD5
1a7454e1cde9895a3b428491ed913a64

SHA1
bb44e2cbe25502085603408f6053886e7af90435

SHA256
cbd3bedb13fa8b0c7558b854812d00c38b290fec54aa0d30d86fb951c0dab215

SHA512
a9ab0c3c881b6982777265ab8686eb4a4e952496d07c6f53c682cf1d23617e2a90a9ceb68c20c1c1647e25df955f06599424b533935556e2c8c6401eebfb566b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
99KB

MD5
8c931aea188edbeee2dea99be15eabda

SHA1
64fa1914b9582d0299a1f5d9132d74e2f140c338

SHA256
517e2d26fb13d06d00babdced20ff9c4053dd9f795efdb4798a9f4c35ee2079e

SHA512
5a1155ebb4c92cb747f04dd96b2f6226b8d21e24960fc150292f14e6a620b27e203a17ac3c16e8d219b1a7d239363b2da48b471f1290e93d51a3e386109bca1a

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
99KB

MD5
e8d38ec0746925c69719f184f53e7eb3

SHA1
30d6608a40905e62ae94dd9ce2c91b8d35af7e53

SHA256
8e407f745bb32b4c4b8eaceaba1bd1b47f1b9ff4bbef55104dc924dc18b2f951

SHA512
a4d738d3738ecfb49a65e785ecb1d7acc4317d56bd83198e16281e530317ff78eaf84ae9e12d01ba9916b221c9fde9d1e8b754077316b2f0c74769021139a82b

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
99KB

MD5
0a3be82b4033629ab5cf1ea16c8547d1

SHA1
92335cccbaac8d26b95bac285bb21bdac51dca4d

SHA256
f1f6f246c0d0c71bf8c42deb0cb66d0d58ceb2048a96fb51b756ce92c8d9755c

SHA512
150f1d76b16cb0a907bac096e8aae7625c33a3ce40c46315797285ce1a48364b97a128dc237c6ff5714f26059ac824ca4330bf2e733bbb813157ff307d50d8d7

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
99KB

MD5
ca192dfe943086280b2d8d5ff0bd709d

SHA1
12a8d18abba2fe5ffe039df9d3ab91cc8d01e2ba

SHA256
4d7ffd2823ba250944092ea6a6a530e367216d87eeba9f7d93e45bd6e895e945

SHA512
d9b37fe9540efb8b09ed15a23199a49ff5a731cdca360c7d169bed7d0eb82e5be68f89ed2ee018d53239317bf6f71e8a9b6c0be3b05ca7f2b4f0dcdf67167bda

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
99KB

MD5
e0b00b550320e6e991979b7bb456bdfa

SHA1
199b60644cd02014bc647fae530de0e1d1eca051

SHA256
69b2184d38be7a61077098b84e7e31036c8c8485a09b41fde92e767c916952df

SHA512
0f2a25b2378ce648dcd23c63dc6facb19f97df37fe34ba6258cbb2168ef1a86ec52ae3651eabce6736b6fbe82d3f55aac6a5dfa64c214b3e8bab370d08bd70a6

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
99KB

MD5
7fcc6a0b894a02b6efb8a27200cf708b

SHA1
c7468987f79d80724f2a9800ff1d41d523be3b25

SHA256
053639997cba9afe08c4c296f3f7944c7415ec9a99cec59281f1f84548cb0c76

SHA512
17a59767ab94155aa96bf252a29e89a8f8b57680e3a5c6a8944025f73c3f187c9d2a55078605eed4cb9c1a2b1ae79a028d824116d0033c1a34e74e910f65927d

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
99KB

MD5
f14f153b3803ad41401f8fc2d923af9b

SHA1
5993897a9c75d437b2bb2559c130016997d7b426

SHA256
2a345dbbcecbb4a9233e74724c76dacb33dd8a595d05b090fcc94bc5d59f27f5

SHA512
405c652262d67e5f6d31a903a1acc1cc5d3f58938b9c8b9e21ada79ce791927175d891deecc16385c9e324060e72c079ed84977f6955535eaca0f1f895bf4665

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
99KB

MD5
96b3bf314157c045ba7dd59e4800bc9c

SHA1
7e1ec4642a7dad301d657642dae3a30d1bce66de

SHA256
a47e60768dfb18bc3ac8e0c9e84df76843e130d2a97fbd2e90b76f0d93002301

SHA512
95fa7938650af387857c15d812c75a91c13ebf3d746132dd702dc2809607784dd79538f07b925993cbaaa8abeca66ea619ce5ca9a2efe5c04508ead443f75be6

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
99KB

MD5
87a5eab07db91cb404fc955163a341d4

SHA1
c9491c4ef498877564d89198e000d98edc49706f

SHA256
07283cae46aed727597c542060c23b610248b1e6784fbf37644b191d2c0a1ca5

SHA512
8f6e3cc49e081c10b598ff1ea945391e9073be6864ea35c9288fcaa3a95054a27c4bf5f6a50e1022ba97d8026f93f54e760a8a4f94c5bf9334d0794aaf91e1d4

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
99KB

MD5
2f00919d3cde94be61e4a6130a2a2bde

SHA1
efa8a7ceacfa400b329e9d407d1b63aa861463f1

SHA256
fe48719f6aa3c1ac5de36e1b10eff4d52cefec4f6d5a009055d8d891223b1716

SHA512
2fc50022207f14431861e3dd6e5792b818a095fca0d2fae8dd33baedf0d2353debd9c9085b3c6322483c672c47610ea1c12a6f90a9a9e5df81b24582fd84f244

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
99KB

MD5
d3323ecabee7c955c12117137d305067

SHA1
65acc9a7bba7f4946e684e0a8c056272d8ab8a38

SHA256
dc88d407b754fafedb0bf3a44370dee56f7622a05c93ce5c138385ccd5a6708a

SHA512
afa686dc5f4413d83b5c921d3bb104598e8c40ffd5019f58a7fe92f65a8a31248a28527f2458cdf4d7129daee8c6f614e579a95bf9074740ac2215dbc16e9f9c

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
99KB

MD5
5733339b7020adba4519a8f573f612ba

SHA1
7bc87a5c92ded698f4a317e18b33186ccb8f251b

SHA256
ed655be7240112d40264fce2a2e4ac2d8c5b8b5ed9ffbc0b044e78fdfa735573

SHA512
6e3dd8e1f8195cfa2265aa75ec376d06825c967619a0f9552f44bc5b08c29beadaabbf122c1374d9867dc18e8afbc69a18370830a5235eaf5e68503625c188d8

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
99KB

MD5
4ff4c73fdbcff4908110a2e4ead621bd

SHA1
d0f8fa00c1821d380a76a40e6d65c177dd241c3e

SHA256
7c5f61cf4966571a708607aa3e3bc7ea159252f80c51dd4cec50400be849c45f

SHA512
c040a541e3c7adc27cd9f44d1d37bd58f99c4ccb15f5c9b2c084233884dd3a0c5f801aa7b8d0fe480da1df13bf9a47fd8c530c3d7d55b2c09da63260772738b2

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
99KB

MD5
489d4c6ca8056ea3e82a3be17899db10

SHA1
94ed6edd67fe280e77b081da3d71083581ea1ba8

SHA256
797e7f6b250e7c561e5f324426fc159ec0167b04ee8f73d2318c328241594987

SHA512
31352d607876e534eacbec5aadfa1477974195cc3b2d9fd544e7cbf150128e34612b1890011be2221c642d58ad8adbecd16d5ddfff6a74cefa69b6c022ebbdf6

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
99KB

MD5
e4faab443abfab34f13ba2df68152bd4

SHA1
5d953b5d3d0f5b767ea275bf38fa84bf67796ca1

SHA256
30bdeabdbf97ba920377425e7177ced19b732e68954aa589e555ed9a4fc8b26b

SHA512
c562fc6108490834aeadbbd356b9a2ba667aac173ad83b1d55b9495abffffe0844874941d308456fa094ff6823818a084bec1ab614423fa30d26aa06c644fc91

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
99KB

MD5
b20a23fe4575c2fa453f85128c3308ec

SHA1
31d4d7e82670c86eb08e44afa52b34533d023baa

SHA256
9cfe7a7ac868389342ea58c88a7aa1d8d1be4716cf346d10fedad68c839687dd

SHA512
a793764c871554c4062a4a95522dabb64a1ace03773a1352b1998deb989baca4b2b9e8697ec98795f61092065f162988ad745f507f5b09f67c5a35356d60c292

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
99KB

MD5
4f24e3ef34f6e949b1511d53f36d4d78

SHA1
b516940a7a9105a4f76150130e0b85aac51ea6cb

SHA256
ffcbfef861f3a6eff31192ea851a8072598d7c2f3f8bccc3f61567b073ba17d5

SHA512
3ba7a1d73d8daf8c54ce2b8934c0d4968424834e72c831b0915861e54b7bbc6a5f26e89c41ae00aba7cdf01ca17ee67b050fa4599cd66a0859edecdacb47571b

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
99KB

MD5
9ab223800b2f5fb20b249b2baea5c425

SHA1
54043aec0e96d815c77c5a765bbe940054c3bf9a

SHA256
c0112972af0de9a8f95dbde9db4b7b8db1d957f91204b92f6bdb820789fc5bc8

SHA512
9b4d21e3dcb3d970257ead4fbe389fa562b2fa3fd3a4c60b1d9bd17cb7a2ab13994697f73ec18e7902e8b4874f20e5e84c887b6cbea708d285001e7c0bb69366

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
99KB

MD5
29c8905466efd42f7cc3df6a5da7b704

SHA1
65ea961434b7d91e1d4414d355cf5a19cddab1d8

SHA256
209052ae7ebab2a67d4f6c20b43a4bc3518c1b23f54da3d7177b26dd4fa6043b

SHA512
8e0fddbe37563ebe7a6e47952df79d3cf0c18594b8be8a659ded62babf3bd5168fa42ca88e398f18e6c60d2bdeb7c0816637beb014dda3203e2823257211b2f4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
99KB

MD5
8f3d4038ab3fd509348ca740b82c75a2

SHA1
ff6e3bfb7d356e4a0a8bfb5324abc70ae99cf79e

SHA256
60c7fd3cfe2870dd26258066a545e94f59a9ea6e28ed0b446b00d4eed23531fc

SHA512
5cd65c8f70d6755ff643e2c8830ac619fd3b80dc2ad3bd43da5895d52be99e84383bd122c8b153384167bc23ee102f4a7b05892ed025dcc9f5b45fbb49afdc78

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
99KB

MD5
bce067f2c4f0ba114f67adf56ff85441

SHA1
a9ff8ee2f9b6937c046ae799d3170e35e87217f2

SHA256
e2fba7a38ec8f9f0f3505a9a85dc30ce4ed328865e85ff560fe2cbe8dcad622b

SHA512
1694c35f0288d75c776cfd66ea75bdd678ecda5e283774a49eb76e73639350bab6b5b58dc79dc3fb1e8a6bfd81b707980ec7e54d7e6af521b075c8360cb8ef26

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
99KB

MD5
df428c28dcf03541565289112b1ccd2e

SHA1
7ae35b03d83c91f31f663a8aedea27ab5117869f

SHA256
f3bddf31a2c5e8c1cb693cc922cad285182ccae0ffc1042086ca8cf5fb73b5df

SHA512
6d8dacf6aa3dc454c7c1ce36c9e08b73fc9ffaafc5550418327b23a3569c8241f928611a681871e135554cb4d97a31415068bb0da00e6ec31a623a3a1d35b24c

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
99KB

MD5
fda2575d5f168e1a0896c642ecb01a91

SHA1
e687066360bcb0fbe5adf2b63ac0f7b9a572d13f

SHA256
7c9beb40b61ec2a7b0630e1feab67136989c0ca686446a6be927f16efbde3aec

SHA512
19e0ec30a8d66b63617193ae0734b9a98b09f95f3c9c6606f0aa632c4bf792c56a1040f8444b7bb4d3387187b85d2a83ab61c86231a810d95e303035a7fe9d5a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
99KB

MD5
173eea3be49c2147388881af1cea77f1

SHA1
bce037fdc51aeb54cfe20985aa497c1b9638b74d

SHA256
80e28b2ebb69115a0b4e86d675b196082ca92834f3329321beba2c52fdfb93e4

SHA512
b4428cb039e9e54e1de9ba2e4dbd4cde1161da16671d5fcd842e7014ea9987e07363815cb7cd3adb4359c2ee56a5f7646c395e95d6ee2ada452f31fd965c7e6b

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
99KB

MD5
053859d8ebf96fb1b19371f013980fcc

SHA1
992a92c190b8a18cdb6de6d7dd12a9d60ae0db1d

SHA256
54ebbaaf2c29d683d9330e5a0afdf41bb97dcf9af7ecf20d1b5d22236e58be62

SHA512
fca6bf9113de9e4b682e56b2ee69e9d0adc242fd5ddb5ca629487f0084325aac576d88e330bc821b5f099bd96bcc88b44bb708cebfe45b392d00b736904c2f2b

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
99KB

MD5
5309865a1d1ba83c86c4c6ff7405cb02

SHA1
88fb82de1e75c87f628d8b7608fcc05fd43f2586

SHA256
358d0083dd7e577b84eb614ebb39272d48123a00682de44cbf306ddb823d7592

SHA512
a260c2a8a57aa5e4c7990461f5a832509b24f4b921549b4f2b7cbbc736404bf21eefb380c6442056c4eb142e28f45ce48ebaecca228471ff85ed7f82a2fc025f

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
99KB

MD5
e0df24876224677a6031783e48b83631

SHA1
f912cf3dec857be9c589fce5af63573115fc51fe

SHA256
715fc89c89b77d1fd942c8e4be7272489da2174967acaa03c8fda1d6d0d27919

SHA512
cb7d497505aa105194e45c53e6fd183ef07bfe36b85f25b0bb36d1651e358a4bfe116dd1d11667d6d33ac178de2cac92ae36023e781142dfc12f76052a6a6e33

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
99KB

MD5
2a52ef369ebff3e5214b69b84ea0d72c

SHA1
5dc525d44248f7d0aef9c887c8e6b73af4ef4c0c

SHA256
df0edde8aedb7a216adc8347b174c06d3db36bb0f5f03f05fbd9ddab27382613

SHA512
e616176d1694694e2c6b79d1be989de7b0923e9a026e4fd5ff55e5f84a0b94209dfeabb6a0ae237e34ba1ceca76981c8d497a6cbb2e249d715bf02f3ebd61c71

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
99KB

MD5
43956c322eef7c034766bbc94bda9d90

SHA1
6fe91e78770b318404214ab8e301f6415b198897

SHA256
77661aabefe644df60fb7de6193c1bf5e098f13ff6441eb9b635313e285d2949

SHA512
3808d62f4c3af321c34de0b3ea197551add90370307ceab0e69e7101f231f6871f63dae1a1197224f637f6d5433c42e630d4f8b654b2d2f00db0a6472dd5b2b5

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
99KB

MD5
a32528131882e26f8ce6c775bef3c904

SHA1
ce97714b60400099f9ca074a089430e8e582be67

SHA256
dd8aeb5d7eb0eb9cb193687b7790dee6c1d3325ccdde651a8d0d0710d1629c88

SHA512
3c1e2820807d75b556328d1913b314a4fc924952964ba6653812ce6ed3f4b24fc194fd29b89f0258b9cf16640b78fccd7663aff7d7e4047116d56b17d2f7c39b

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
99KB

MD5
d83245978d976f818b4a1b0526fdbe34

SHA1
ff8e8c461124e8dbbea389e0be7d8574fef04d1d

SHA256
41d788c8fc369b84cf3fb63ec26751fd9ce8b6bcbf4809b3c7bb7eba44ba0046

SHA512
ad29bc6ead2f721518a5e7ddbeb0af03b4c21122299d1560a8a0480a01d78fa98d190f330f122042f4ba3e52dd239e24fef3b99a92492ff2a3eedf360f44142e

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
99KB

MD5
d4c3dfeb80dcb67be7348fa150c6dde4

SHA1
efa8837fa48456af9b1d5ae77ff0da0a7f0dd0c8

SHA256
210e7d0459d478006f274a2d732e562e9d1cc0c61b5b97cdfed2627cd133f2ce

SHA512
3b9657dce0db601a96d3a9c87260f65523f3240f0072867df5f1016418b233338ad9dd281dc3b526d9a123d2b962284813266d2c6f12cec5b423aca4b2572f34

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
99KB

MD5
2be35a276bb88409e8d5ebe1de07031e

SHA1
f9af3522ead07ab3764fbe474110cd36e66df50e

SHA256
1c6b6302585b26d6defdb2f63badc51b048d0d92c85e57b24805690bb8ee2ec7

SHA512
7e4fe6a846742ed33935c0f932f3ff9326acf01682c5bf7073f48da16040b12dd2cb73db95ebe26013cc82239abf9d0ab6536bfb4a49620402f4093f0e8d89b8

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
99KB

MD5
275e4322ffe7f1c3458961e861852510

SHA1
3ec7d8fcb67a796388765a63c83eaa7e6fe4b45a

SHA256
c6dff4d9a3ffcebbfd468b2f180f47d0276b3462ab9ce4ea17fc69508ad76872

SHA512
d9168d45f9a062b5d09eaec2b08c464319f6d547fcf6c8c8b3dbfc3f95a53ac3f2c5d18ccb720cb480804979f1ef2c696c93a9864cd2e2a249a3174e3ea785c5

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
99KB

MD5
90a714ccdfca4e67c38fe45eea32b7f3

SHA1
ad3d883cb12dbffdbe3e2ee1424c51475f075651

SHA256
0d1588a8c90849f766e95d6302cb3a7271f774c4162e35ba968e9cb928c4dbe4

SHA512
74dffb65abd8842bb5e3428ba9218c60356cffa67a82d7057378bcbf848a05f0b18f2e22f72f0678b58aca82dd56c71d945a4af98a4e8cecd25b5dddb4ccd077

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
99KB

MD5
cf7413c1d62d7df1e29782a62387282b

SHA1
cea58541bfe38f57f59aa1ac44cd15ab68952f02

SHA256
d11654f17d1470a6edd86e87d495c6c7a617b5d046679f41b0db7d9e5cd7f122

SHA512
9b9084b61a8cde6cee0626fd447ac0ab0b99777d68ed5c4121007c30bdcc00a50163a96e72d1c81e1550bfac4f309ef82737713e6d9b32fda8277a33a19076eb

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
99KB

MD5
68c4e3ebe3a62eca42131e583e1aab6f

SHA1
16a21835de29fad9c2ef4e8e31c9de8987794649

SHA256
7ec7bf82c7093c9ab69244ae7312281885cd00c5e7afc96da25e0621960a56e9

SHA512
8797c7cc780ae9f47cb2dcf2f01999eee5e90f96a1b42f8a57f20c375f7d2754512f37d7cd5f3356cd0cfe3834e10cf8116e49f9f5c1be690497a8842ba73d59

Download Submit
C:\Windows\SysWOW64\Qjkmdp32.dll

Filesize
7KB

MD5
c7fcb9e0140723ec3159f4ebfb5c62d2

SHA1
2b237d2bb1f324affa21a6fafd63a92d4a623600

SHA256
01b3bb243f9af7bbb45ba926054ab7b0b8fae0652edceabefaa5bd44dcbcfee7

SHA512
dcd5e018fa567b06707c310d2e0da407198484993c1e2274b14f2e573cc27ed4c142847e0a330bce439608f47d7449d25d542d595f504f37676717b7de2f3408

Download Submit
memory/208-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/208-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/348-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/348-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1020-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1020-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-101-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-142-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4252-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4252-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4524-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads