fdf2dbff7669ae89a10438ca22aa7e6cc9337bdf28133eebe1e0d880e598934a

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56d1211ba63441a98cb59bf110c033b0N.exe
Size

304KB
MD5

56d1211ba63441a98cb59bf110c033b0
SHA1

4ffcfcd041b26e1671c5106378b7a6de734f5326
SHA256

fdf2dbff7669ae89a10438ca22aa7e6cc9337bdf28133eebe1e0d880e598934a
SHA512

7ad995bb7bb835212e79cce491a87fec6d1c1e1e8c950d8d04c955beb88fed4c8fb2230ffba9d6485097dbe0fa64dd48dc7388cb628bca1f6dfe12abf8e62416
SSDEEP

6144:zHmRrjLZmFeJLbnCBbC+nVLjOPj194oQAPJiduHyFfeoHiWmVlWaPxqZcNpCLh:jmRwFeJLbnCN3xjOPj1Gg2uHyFfeoHH1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	56d1211ba63441a98cb59bf110c033b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe

Executes dropped EXE 64 IoCs

pid	Process
1100	Lmiciaaj.exe
3636	Mbfkbhpa.exe
1860	Mipcob32.exe
900	Mpjlklok.exe
720	Megdccmb.exe
3892	Mmnldp32.exe
4088	Mckemg32.exe
2476	Meiaib32.exe
2068	Mpoefk32.exe
2084	Mcmabg32.exe
3168	Melnob32.exe
1220	Mpablkhc.exe
364	Mcpnhfhf.exe
2764	Mlhbal32.exe
4848	Ncbknfed.exe
1856	Nilcjp32.exe
2216	Npfkgjdn.exe
1900	Ndaggimg.exe
1084	Nnjlpo32.exe
3540	Ndcdmikd.exe
2888	Neeqea32.exe
1792	Npjebj32.exe
4768	Ncianepl.exe
2972	Nfgmjqop.exe
2044	Nnneknob.exe
2448	Nckndeni.exe
3436	Oponmilc.exe
4124	Ocnjidkf.exe
4400	Ojgbfocc.exe
4968	Odmgcgbi.exe
1616	Ojjolnaq.exe
4760	Opdghh32.exe
3284	Ocbddc32.exe
4328	Ojllan32.exe
3128	Olkhmi32.exe
4244	Odapnf32.exe
4116	Ogpmjb32.exe
2056	Ojoign32.exe
4700	Oqhacgdh.exe
1928	Ocgmpccl.exe
3420	Ogbipa32.exe
2940	Ojaelm32.exe
2856	Pmoahijl.exe
2224	Pqknig32.exe
3224	Pcijeb32.exe
4152	Pfhfan32.exe
3236	Pmannhhj.exe
4612	Pdifoehl.exe
4820	Pclgkb32.exe
4936	Pfjcgn32.exe
3776	Pmdkch32.exe
4708	Pqpgdfnp.exe
4808	Pcncpbmd.exe
1588	Pflplnlg.exe
1652	Pncgmkmj.exe
2796	Pqbdjfln.exe
5012	Pgllfp32.exe
3316	Pjjhbl32.exe
1508	Pmidog32.exe
8	Pcbmka32.exe
2304	Pfaigm32.exe
4092	Qmkadgpo.exe
3900	Qdbiedpa.exe
3648	Qgqeappe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mckemg32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	56d1211ba63441a98cb59bf110c033b0N.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	56d1211ba63441a98cb59bf110c033b0N.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5132	5884	WerFault.exe	215

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56d1211ba63441a98cb59bf110c033b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1100	2860	56d1211ba63441a98cb59bf110c033b0N.exe	84
PID 2860 wrote to memory of 1100	2860	56d1211ba63441a98cb59bf110c033b0N.exe	84
PID 2860 wrote to memory of 1100	2860	56d1211ba63441a98cb59bf110c033b0N.exe	84
PID 1100 wrote to memory of 3636	1100	Lmiciaaj.exe	85
PID 1100 wrote to memory of 3636	1100	Lmiciaaj.exe	85
PID 1100 wrote to memory of 3636	1100	Lmiciaaj.exe	85
PID 3636 wrote to memory of 1860	3636	Mbfkbhpa.exe	86
PID 3636 wrote to memory of 1860	3636	Mbfkbhpa.exe	86
PID 3636 wrote to memory of 1860	3636	Mbfkbhpa.exe	86
PID 1860 wrote to memory of 900	1860	Mipcob32.exe	87
PID 1860 wrote to memory of 900	1860	Mipcob32.exe	87
PID 1860 wrote to memory of 900	1860	Mipcob32.exe	87
PID 900 wrote to memory of 720	900	Mpjlklok.exe	88
PID 900 wrote to memory of 720	900	Mpjlklok.exe	88
PID 900 wrote to memory of 720	900	Mpjlklok.exe	88
PID 720 wrote to memory of 3892	720	Megdccmb.exe	89
PID 720 wrote to memory of 3892	720	Megdccmb.exe	89
PID 720 wrote to memory of 3892	720	Megdccmb.exe	89
PID 3892 wrote to memory of 4088	3892	Mmnldp32.exe	90
PID 3892 wrote to memory of 4088	3892	Mmnldp32.exe	90
PID 3892 wrote to memory of 4088	3892	Mmnldp32.exe	90
PID 4088 wrote to memory of 2476	4088	Mckemg32.exe	92
PID 4088 wrote to memory of 2476	4088	Mckemg32.exe	92
PID 4088 wrote to memory of 2476	4088	Mckemg32.exe	92
PID 2476 wrote to memory of 2068	2476	Meiaib32.exe	93
PID 2476 wrote to memory of 2068	2476	Meiaib32.exe	93
PID 2476 wrote to memory of 2068	2476	Meiaib32.exe	93
PID 2068 wrote to memory of 2084	2068	Mpoefk32.exe	94
PID 2068 wrote to memory of 2084	2068	Mpoefk32.exe	94
PID 2068 wrote to memory of 2084	2068	Mpoefk32.exe	94
PID 2084 wrote to memory of 3168	2084	Mcmabg32.exe	95
PID 2084 wrote to memory of 3168	2084	Mcmabg32.exe	95
PID 2084 wrote to memory of 3168	2084	Mcmabg32.exe	95
PID 3168 wrote to memory of 1220	3168	Melnob32.exe	97
PID 3168 wrote to memory of 1220	3168	Melnob32.exe	97
PID 3168 wrote to memory of 1220	3168	Melnob32.exe	97
PID 1220 wrote to memory of 364	1220	Mpablkhc.exe	98
PID 1220 wrote to memory of 364	1220	Mpablkhc.exe	98
PID 1220 wrote to memory of 364	1220	Mpablkhc.exe	98
PID 364 wrote to memory of 2764	364	Mcpnhfhf.exe	99
PID 364 wrote to memory of 2764	364	Mcpnhfhf.exe	99
PID 364 wrote to memory of 2764	364	Mcpnhfhf.exe	99
PID 2764 wrote to memory of 4848	2764	Mlhbal32.exe	101
PID 2764 wrote to memory of 4848	2764	Mlhbal32.exe	101
PID 2764 wrote to memory of 4848	2764	Mlhbal32.exe	101
PID 4848 wrote to memory of 1856	4848	Ncbknfed.exe	102
PID 4848 wrote to memory of 1856	4848	Ncbknfed.exe	102
PID 4848 wrote to memory of 1856	4848	Ncbknfed.exe	102
PID 1856 wrote to memory of 2216	1856	Nilcjp32.exe	103
PID 1856 wrote to memory of 2216	1856	Nilcjp32.exe	103
PID 1856 wrote to memory of 2216	1856	Nilcjp32.exe	103
PID 2216 wrote to memory of 1900	2216	Npfkgjdn.exe	104
PID 2216 wrote to memory of 1900	2216	Npfkgjdn.exe	104
PID 2216 wrote to memory of 1900	2216	Npfkgjdn.exe	104
PID 1900 wrote to memory of 1084	1900	Ndaggimg.exe	105
PID 1900 wrote to memory of 1084	1900	Ndaggimg.exe	105
PID 1900 wrote to memory of 1084	1900	Ndaggimg.exe	105
PID 1084 wrote to memory of 3540	1084	Nnjlpo32.exe	106
PID 1084 wrote to memory of 3540	1084	Nnjlpo32.exe	106
PID 1084 wrote to memory of 3540	1084	Nnjlpo32.exe	106
PID 3540 wrote to memory of 2888	3540	Ndcdmikd.exe	107
PID 3540 wrote to memory of 2888	3540	Ndcdmikd.exe	107
PID 3540 wrote to memory of 2888	3540	Ndcdmikd.exe	107
PID 2888 wrote to memory of 1792	2888	Neeqea32.exe	108

C:\Users\Admin\AppData\Local\Temp\56d1211ba63441a98cb59bf110c033b0N.exe
"C:\Users\Admin\AppData\Local\Temp\56d1211ba63441a98cb59bf110c033b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Lmiciaaj.exe
  C:\Windows\system32\Lmiciaaj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\Mbfkbhpa.exe
    C:\Windows\system32\Mbfkbhpa.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\Mipcob32.exe
      C:\Windows\system32\Mipcob32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        29⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        31⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        35⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        69⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        71⤵
        Modifies registry class
        
        PID:68
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        72⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        75⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        76⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        78⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        81⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        87⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        88⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        91⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        98⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        102⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        117⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        125⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        127⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 408
        129⤵
        Program crash
        
        PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5884 -ip 5884
1⤵
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
304KB

MD5
729771d9a62b68e62e717aac51e672c7

SHA1
1cabef1d31f3b78ffecd74f163ba63d730ced5c2

SHA256
7ba934e758ced5ca4336cdf943eb4538bbe384ab252fa626c36cb4562f87df09

SHA512
ce32f1d91d55c6eb59a28c523a7bf65960c8c7dbb527b10e59bbaafd98cc83ff9d5b5fbc0f46c3c39b69e14ecc9e3a0b5e3e4e0640ad733431d3acc45a6f55e6

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
304KB

MD5
00a2772520ead383f452c92a7acf43c8

SHA1
2108c3f26e0e2ab73a3303eb17216c37f346a0ce

SHA256
b1213cc1ec99dbe8767a489b180c683cf190ca36d8e9e10790e58ba8e294fd27

SHA512
ad98ab5743bf68a00f3d312c30a3b6ab8f67ec5f2ea19c25d21f72364c4fd88447948fabf3fd787d13137aac7bea5c7a5a784e8e7d8cb8b37af0526d0d1a0387

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
304KB

MD5
3fe31f941ff1e3ee8ae2254ee9b1669b

SHA1
a8fcd9cb0e0cd46a2672481167b5feb2e3c12b85

SHA256
799bd3683c8c20c8a9166f0127c7f5ae15390c09c34bac9160866c69ba94332d

SHA512
4da9527b58baca22ec47f1a5874025d7863dc6e2e0665be34e103674e331a5b61985bc9493a402cd640341c344b3f09d6259bb75d5005e4ba156373f673ccaaf

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
304KB

MD5
2904b9bb703042532f2a9a1aa661a8d8

SHA1
3baba628f9f39e8b88247b4fba411cdeac7ee3ae

SHA256
ef8ad25f727a21c6c12a56ebab2f328c16ff7f1c973948ef6114d112bd3eb4ff

SHA512
62160d0e60577c41adf948dbff5a3ff866377c5af5c1216dcd1a597e67976fdcb5a4058528be5ffa81f8ac4c43db45fda1dfafa921d02597e0f78dd10e7a7552

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
304KB

MD5
9a190fead1143bc4e7e0c1f3edf840a8

SHA1
a86db4c3fe9c27a46c2a727de32bb1a1f08238d2

SHA256
89de1dd169c59794dbcad14f99d9bc080c893a996ec717c503e5dd751aea0d9e

SHA512
b8aa0760bde0d04dbdcbee54fc527adcbfdedd299b0fa5434e23c64d7893e5ffa1a9d7f7a661655f196939ea421d6bfc7a183aaca53e9b28eed97dbb73fc4011

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
304KB

MD5
82b7d330c17147ee78d924bcb3ff9e4d

SHA1
e364bba293052dbf0f1a0c5f005d432effe9f67f

SHA256
8781598d18a044b050a4b8a045d4dd134cd144891af6fcde46f1aca755640090

SHA512
def9cdcadd30a278dcd1687078b64afd43fe36499f65eebf9b9f5625c43fe6e18cdd143cdca6ace7722ad89906fb310efc048b8bd968c8f48d9fc2833dffbcd5

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
258b4458be0f149abdedc3fcbc347da9

SHA1
bb9f4e1623be347ec7eb4abe84e4ac60ebced113

SHA256
e172edb271726fdc272bc5e917b1133d7ad02499a8fe51606bc6a97fa551c84e

SHA512
9963a12b254caafd68c833ae674a21e2802e6e782425976f79e518b10834f6fea3b24e624013678cb19f4f771e05ba21e9488db82838f756f38a6fa7c653360c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
304KB

MD5
9d53fb95fcec5846cfaab84341eba376

SHA1
62669ecc1048ffa778940bb7d44c876562cea3ed

SHA256
fe1c0b517deb6c6d12b59cdedaccb0320780165daacd3694858a7093ea32495f

SHA512
2053a69b2a3b8c47d1d356684c9e051d3ffdc82d8862c174bfb6a430274661793b40bae094028191eb52f0d70fe4e1466a5b813d9f9f5bf1adf6b26c0d4cffc1

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
304KB

MD5
7eaaa25de160f3d2c29b43239c95c790

SHA1
1dd3b0b615fa9e42fe8bc8f788df892396042c0d

SHA256
51c8e68f5fc01a35513ff46be870598e2d1e57b5df6237becd4f1dd5b26c2c40

SHA512
cf2305c215a4b6f8cae9f71312e281fa6780d1d28f6d20756c8bdf106c5283a11f3a2f55fbd966e751a0596fa16fcecce153cb1666debad81833ca2bffb9d0d2

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
304KB

MD5
501d4f3ae8376b385c3d997575b8ea21

SHA1
f8225e24e3fcb867e45f8f11096525e566d80cad

SHA256
20202b7cdb4aece619089b6942d0df63b65452b5738d5f812c555ab243880815

SHA512
cffb98bc042887d790a5f2d2652dee3059198040d8681e2a64a3e34119e484f2bcf09e5ad517daff591f699d32ce9eec9b0920785413eeb8a00f91bdf15505f6

Download Submit
C:\Windows\SysWOW64\Hleecc32.dll

Filesize
7KB

MD5
2ad9269601bb6714d037f9595cbfa834

SHA1
09113bc30957fb5000b979d2decbc9206b2c1beb

SHA256
98a01ff4a7bd6332dfd41aa587b028d1780f98cda8eee8858ee21408f6192fad

SHA512
67923c18aa85250d5e500602902f6426f93de57da9c07ab89a08180171fe31b82bf1cc10c7debfe815bc3fe9450777eb1edf38ca44c063f2bddd34183c8a6185

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
304KB

MD5
23d149d96ff65f8ec400e0cf73129da6

SHA1
2c8b4d68068703ff4c3641a5857ee57f79e11c96

SHA256
d0559cd48e08c97f6bf34e6280edff1b9f5a07cd6ff21a22828c480cf108f862

SHA512
3e9353df8bc1577d2221e58a75a4488fe29f5d1a8cc01a22fb63fdd3a84abea98e3933041df8a9c75c7cd4cbb50ced051833ae79624fc440eba84dce57c5ac1d

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
304KB

MD5
ce99c8bf653cc861724da3bdf137afaa

SHA1
66426337cba3dbf966f2a0cd63fe2ac43a73e459

SHA256
f95c3bba92551d529a80c781335d879f76e361de0cfaa54905f480b79f7fe290

SHA512
3e21eecb30d5b6dc02018c17f3ac0b0f96c40edd68022bea8629916180c7b017025003e20bdfea09c4bc118d50a2c1abae6ae972cab8a7399bfa41e847037450

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
304KB

MD5
909304ef1e6d46f70d960c2161e8c0ef

SHA1
519c3c35a474030d8cfbcfad9aabfb0793871a8d

SHA256
7bd7e82c17fdb9e79403d67ccc0151e0f088396ad057901de7dab2bd314411bb

SHA512
be2e461ec5b9dd5b3784c088558d50c20bf7ca0b2bcdddc171c4431e1e3120dc195716ff7c36c151316f48bb1b97d5572b2b1c44d79c6a0db912a5f558e776c3

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
304KB

MD5
f6c5b02a6b043d480a354a4121a79a61

SHA1
4e1bc228ff2dba665e9bf237daa0c8a3d0ff8592

SHA256
541a94085efae0129262d923a2809c15e3e0fb107537e7c20602ff32608e5962

SHA512
7341254d7fadafae248b0feb852d205a848588f1d500c3616e84da63085fc0615236ab7ef049cc426734b3c871debe50ada080d685919416793f294ee9ae9363

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
304KB

MD5
7993615c5d693ea239738bcc0e944078

SHA1
2bf67d188b41b24379c384ba259649d85bd892da

SHA256
852e4400b7e89db1fa31827c4ebcc2c0cea665ab8c5904ec493b26d169e1839a

SHA512
ecfdb5d1083ca66e7e0a4b5f53727d5fd1d5c1a449a4be05056bda400eb50fd9b44ce6c2507b736c7f7a61da21a40825bfdc6595cd6ff105c6b69b220b4cb065

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
304KB

MD5
59b3a9cd32ce583f02a6b03e118797b7

SHA1
2682fdb7b34d33cb1c0d821d3e8bf5f906a656c1

SHA256
73eb2098a158b5a369266377a905676e480731383b636653b3d44143623c23e5

SHA512
785d1ae206eeea2c630ef4bf8db70bd81afdada2f1d6ea627c1e55b3d9d39482b046774a7a0c5bac33b6b40718246f85375a405e2ca5ca3b892cc8fc10744980

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
304KB

MD5
451a3f06bb551e8b45009ce8c9dc284d

SHA1
244ebe362b90ae6f35dc9ea321d8b6e983557879

SHA256
e163f59a0fe19bc9b4e02cbbfb4baf09e3673300468872165487b7549408f581

SHA512
29f1d546c228cc6a3966c649570515adc060b4b34227a3bfc33ebc3454c72c5e192053c425dea85df61304b60cc1ee99993c010f2aefc0bc8581edbca342e34f

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
304KB

MD5
99fb52408ad8f2251880083c86fda4ef

SHA1
556f57b79133728d7323b3c89f0376401e51fc32

SHA256
e1a64dda58338ef9f1e0a95f9bf79bedf384b8a5e70deacc320126387ce22f0f

SHA512
cc6f2b7be27fe1285be1067c90b4fc4906e5cf886e76bc41b08dc1190f7129b4395b7050dc93e14455565bd5260e38fa1ebc7bf3078c9f92f04e64b0b3bb3b38

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
304KB

MD5
a9892d1bbe3b8661bc3e4ccec69eb990

SHA1
fd4d41d0ba0fa1d9cb6c68f5d173d21bc5c576aa

SHA256
6e378b81df36b15e8c45fdc1ab1220e05614c46be04e64d743df02a9e446d04b

SHA512
caadaf1682f8c261aa43a12fcaee654b0dd00a8fa4f7f5c6e693407dbc11e465e7cbb9563b1d0d0f3d70fad19a6b6a221b761404528eef6402f3fc3bf2a9ec96

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
304KB

MD5
3c1a2f33307de19724f3132e83da1e41

SHA1
832922e99c2db20844a4afff059db6f66b446a6f

SHA256
0fe5806a8fe87f716c0dec3a6448093c8e5f1d97997546126b007087a02cb850

SHA512
e9fba1837577e90e88c56a9ad85f4f2f669025da21e71773a02e4f34cbbbfa25e989523d5f041fe551f417fbb08e03efb02166f9c1b9052184a685b4cd9bd553

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
304KB

MD5
1ef18fdfff0aadbbdbca6c3e6b8c64a9

SHA1
536e60e09c8d104442051078db4ed9b7d31f9464

SHA256
d4e2fa9766cd2c4bfaa765ad073c7ea50755d96fbbd2103cdefa922b13a7be66

SHA512
844f53d0a183f1983d7564b67b23f954b3cb247e24ed692fb23a2cd3adaefd23dfe0856d8320fa6d0755e8333c81538e7d34b64cfcf60a1853c09d0a932613c3

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
304KB

MD5
299d215cc9fc401d614a4cef8ca8b6ea

SHA1
f38ffda87a6f6c9a57c279adfb9cfc616a41d788

SHA256
17f4d0c843c2289457171d8b1c1d02873565c33b40b4ba3133969622d3ba3900

SHA512
05294a707bd0010fdf0e2b78ac8c5efc10a4051317947153a09bfba41cdc1258dd1635256daa8235c2bcf4039e8a708de96f25b51af4788f6db6d24ab0699571

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
304KB

MD5
8492c6aa649e7835f83bb7462dc355fa

SHA1
53c5d9135957af76e0d2c369f413b89e4db66c53

SHA256
eb69f4aa6a55b2c43fe41b07a1402dcfacac1b245fa02c4704d7ce5cf4cab939

SHA512
0dab8ffaa63b55397e78c9caa2faa42c323a875432893268133903cf2986309c2ef53b7dd26c7f1d16b9d27420ff4987110d09d089caef0c55d07bdf8edd3c0b

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
304KB

MD5
b460e62051075900030dc82b1d56af50

SHA1
1e5987e3c8dead5f167692c288562f72115ef4ab

SHA256
e01a38b9913aa67ba8af1a26c0db7ba8d7a48e743144a8b3095012a00d811979

SHA512
8c5ce0bd284b07cfce86e04760142cbbd53e74da670fe15c956d3d42eadb04b404609945410306b52af3690b4eb0478322fc965b07847c037c3135d17c6753b0

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
304KB

MD5
1dce0c84fb5dbfbfc18bfd0b3587fd28

SHA1
6ba59ac124967669e8b9efd67e2fabe0a0f707dc

SHA256
d27bdd88f6a19e248d0a57cfabf6c4c2e4b2bd1c3c46a8584b48a8054788f336

SHA512
59ac0adc000c047579c337758c639ed064cba564618991706d092083987d89018af5dbeb415fb96e9cf2114d8874729ee188082286058bbd44e2e380da9753bf

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
304KB

MD5
5e6fdfab6453144c40a0ab3bbfd68acf

SHA1
b0dfbbb4188e8ad58d18f064b88fecdff8105dc8

SHA256
2fc25b925408d2c1701ca2feab36e3171c32f187888e8aa29963ce59980a17c3

SHA512
ab90a89a37085afeedf83593e81b17544b729ce24da34ef8d01be49046b2f2220da26768a0a72f842de8075da7ddd76e05164f243e335e02b5580b17dd736255

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
304KB

MD5
e5397098a4e52f7f5e7a502109d8e357

SHA1
ce75bf54e0aca0060ceb30faf6d9749c72fd1b0f

SHA256
7fd11ffb76a1d252a4dd4774f03c48ccbb4fe740096e988cbe7016707cdc8b5a

SHA512
ca145c42eb88283b0ade899815661fe2ba9b72b9979193d1259e96dc70126b96c82438fc179fd3739fd544cb603844f0b9731650b6a8a147f5bc3bea03683574

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
304KB

MD5
35459d1af869872017f6275e36425b8d

SHA1
8fef417cf2e66f196a8ec1d867b8df06d6b381ad

SHA256
468501fbbe0acc7d62b090a61009294609a9f37744175d3d07417f746aae7959

SHA512
1fe5743226f53ce74c72155994cd987b37f4ab2e5463958c3e285c0e30ce68a689de4673150e9fcd3d63af540d0e82da5a976c4efe5c8aa9e126ca1a2e1116ab

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
304KB

MD5
1a58840b94685094db4001818a4aedd2

SHA1
bc63533a315d5bb69c73c2f2709d840529eab4a8

SHA256
79fc151ec80668fcd7e6492cd9c091d4c7a8bc4e5587b1bdd98239b8547c300c

SHA512
e228780aea5864677a01493459c44b688b06040d20983bfa5b0700e8df2d995baca474f7a752a5df3a9a26e8867e9cc8eec025807913512b5e576a43b426ab07

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
304KB

MD5
3588cc506e93f22bfc98664d8f5e3544

SHA1
a100ee8cce7a68480319f376db2af58b56c785f1

SHA256
27fd2dc478bc5e6cb082f305c003f4280d7c7c0f0e4be9ed2b45cdd6a0540cba

SHA512
fa8cd466dcbcdee9261b3b6e978f9248eaac9ae1ae53188cbf473ecb9acb761db497e0061e1f606f9752bdfd0e6cdef1259197ae76a46b1691d01eba19c316d5

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
304KB

MD5
1c65748293ca086f3e39ac98e8b415e1

SHA1
b6c9cb39159969931e5b5e64e4638bf62627006d

SHA256
7782fa4dfd592928d7163d2405eed977c22155fccbfa2f23038a0fc87ca2d83d

SHA512
7d5ec1e04a7f01fb3c4a08669daf3f3300749e5b6ea59c3538b65b9eb92a0eecae467fed09b20d5ae3de9c17b0c1c0e719ca0a2bec8bf4108529bee023952445

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
304KB

MD5
a8e3fbe82507d787ac8d948b45950a38

SHA1
50406258953bf211d7e08b0d934ec379b6e1f1e3

SHA256
dbc9e985fe992997e5ef459355cc485953e57e27f36fc507ca840e2806a8699a

SHA512
f48e2b9f762810f5a90c3865148941d62ac52975c2338a41ba9d565db568c86a0aa1d2613bee637faf3d4dcae5dd3b3dc028194e17f364d579d0ac0fb9b4cc9a

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
304KB

MD5
b0ad0f2046e2de0eeb324d99827b24c3

SHA1
9f4f5e6c71fea896bbb6bdc6160e7107e547370e

SHA256
0013f3c0c0a2cccd1cc573096ec418c61a96aae7d3ca39be7bd72491df94b48a

SHA512
2d6e6f3cff8385575837170a08f6d88e9badf5b5649510e19c701f059ac508e8cf9270a57a67e5133ae44c4ede570d49808c335bc34d8c23cd09aae75ede6fe6

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
304KB

MD5
4781e83e49bf16278036ba162c840da9

SHA1
236a586899ae5b281c5ff1914eb5ba10f10574e4

SHA256
92ff87c352590656f37989676d3c5bbd0753ebcc0d65fcdaf03539ce85fe9828

SHA512
24a924c1652603a0d0d3edfe13f63b23ce77060ee57bd162180c044f8d0207154a1ddd647e556cc0431a745485f0446a904a016be6a065ead436e488158d7ca1

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
304KB

MD5
ed254527996745de0f611067908399f7

SHA1
68eb98ad4667b9053247cda04bbc1115f26b96da

SHA256
2ac1821484cc8e245eb30f33fc7ddfaca98a518a0757e9a228145568af8e8515

SHA512
3cd3e0e17e85c431f3aab4fbe4e7080e0a9e9c13d413df6448c3a807f62cf2cf018f5ca29207c36216249ff424acdacec6b326bdf6ee771957807163affbf17d

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
304KB

MD5
145dc64e81d640f0404869c102baf435

SHA1
7cd13421b525fdced35324778d0197275a20091d

SHA256
784b0953880e2d667b9a18aa008342b2abb56df2437fe7007118f40a23c9c3e3

SHA512
c400f8e4dbeeb5a1fa3eac9a89ffd2186d0276ec6934a241e6a251dd1f507a7fa83713b0ecc263de678aafce2f44df29cae858c343dc4b0af1903a8e008a44f3

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
304KB

MD5
c2e5f16e01f37c485eca95e72ce326f9

SHA1
1fe18096f46ce7d8075572991cbd4fd7f3ba769d

SHA256
28549ef6fe532ffb7d6dbb1a0fcc4e0590030852feda505e3c46857ad90bc0aa

SHA512
04e067fdd369094fdfd7ddc3a6ed7b87f8374f71447318c240e5cfadb1d10e2809797ae2f96299c33b361da8f10fc0a8eda6066fea33fe607656ec9bab21b85d

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
304KB

MD5
1e923e289e3cfa08d0c13cc893a08b46

SHA1
f346860379c2213878c07a97374ec219b9ae63e9

SHA256
8bbac403067d319693868a7c151cc498f63ff8f0eedf323434fc31e677f6b8ba

SHA512
9d2c5a2c77d917c0ef9e8a99b7ba7a1826f3fcbaa86cf9658604f7ce48c7a6826a4cadd495be8bb274e29c9741938bdec673914d0fc260a2f34891062d6878db

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
304KB

MD5
d54b82a5170185268c4428d82e8a2b6b

SHA1
f30b2209016c88ed9cb6906f40a07a58ad976f3c

SHA256
49d8fa01b701e953a4c47dfa934bd0d2c48efc7c9334d46d23bf6e0cfc390d6c

SHA512
10472f4a6529e33c8148687c1e30eb2e70d44e2de151519bd3ea41abf32f8973b30fb01cb0359fd37c9e569a12884810496d61b688fa4ce0019f8787da9fbb2f

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
304KB

MD5
3b35e9868f28b0a2ae34239fed3eed87

SHA1
7365d6aadf0214191fd8e61df4446b7a9e28a76d

SHA256
235396b4a16b39dcd1d9218865efff33e97a125f4f7817b90bdf1209fa4c7b2a

SHA512
2afcb0d3ec31997c6e45b71673e1464814e14c2295e7a6a77f0f02ec864c06f807dde4d30c9cc4e396dd6e49c7ba001960b8482d489ad84584945624d8351db7

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
304KB

MD5
258998782649c2990b5cc40d13dc36ea

SHA1
7f294d844c9e3de7659edb4d5c170ff738f65fd4

SHA256
27d27b00296a73d1a047771dbd617cbb9e94bbe655f64dfb329454b1678cc0d2

SHA512
3a751b269ed82600a1c31007485b1cc253c5114f5f9055c188e7843d435920922188bf0e437d2432e7a39c299896d11e47682d66a50b2d14851670b906c358e1

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
304KB

MD5
608338cc607c92fafa5ac7888c74befe

SHA1
7ffb211a46129c79af2cc21d6f34dd1d2587a4ae

SHA256
46d94af8a46086ef88c013d65eae87c1a46fd90bd426742a5e18f543b90516b6

SHA512
6252eab91e9064c7ef74689a12591fe625603fbb2216b7f5e1bc7b9c242b268c4b9014a37af6c77533080807c9edbae42a9e0c4514466f31b98fd4c9095d9398

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
304KB

MD5
7f3068f1e94a022df06f61a08624827c

SHA1
5f614b175ee3222517662fd3f3d20e6a07f6a185

SHA256
9aa631cb0b212b390a369579ecd1b2162f878df20e58ad67a08e8f7182350f40

SHA512
e5554291ef609b3fbd7fd1d19d0ca8df1575cd0ccfe70140f43b409362c3c0dd5b097bd45bf42656d51222d4acbacbdf78e542b135e52162b242b3403ac4c7ce

Download Submit
memory/8-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/68-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/364-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/688-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/900-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/900-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2184-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3284-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3316-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3716-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3892-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3892-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3900-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4124-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4152-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4808-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5148-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5192-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5236-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5324-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads