b5095091aae558396f7e778ca9503c237d7157205ae3e0701df0dcb93b7cbb41

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8c08aacf04e520bda222808b3d45bb0N.exe
Size

80KB
MD5

f8c08aacf04e520bda222808b3d45bb0
SHA1

6a34952d65423edb70c274b85eeb71e5739b52bf
SHA256

b5095091aae558396f7e778ca9503c237d7157205ae3e0701df0dcb93b7cbb41
SHA512

484ab69c99824c6d74486afb8c152adc8b0e103401a0af6d9dd36d61a919a28193cd1144ca7654136ae712297ab8316360441489548148e2cc0ad9ff194ba2c8
SSDEEP

1536:yEXqP3WoLJEyCFqhtpIUfMVqASb2LSJ9VqDlzVxyh+CbxMa:yEXU3tLJeshvIVXS4SJ9IDlRxyhTb7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpkakak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdofpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phmnfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcfleff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eieplhlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpedgghj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplkhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onqdhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnjgog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agqhik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijppjfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deejpjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nffceq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niglfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opopdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pklkbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpmmfbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqfolqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Celgjlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niihlkdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okbhlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgkegn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbpolb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnghhqdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pphckb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aamipe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhgjcmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbkbbkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbgndoho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkdlkope.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naqqmieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgihanii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paomog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppffec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpmmfbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqbohocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dilmeida.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Decmjjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdiamnpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmejp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffceq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odaiodbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbbqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiqomj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgkegn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqdbfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgaiffii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqdbfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinpdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agnkck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmmpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Decmjjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calbnnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naqqmieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogdofo32.exe

Executes dropped EXE 64 IoCs

pid	Process
956	Mhjpceko.exe
2660	Mmghklif.exe
3504	Mpedgghj.exe
1320	Mhmmieil.exe
4448	Minipm32.exe
1924	Mdcmnfop.exe
4452	Njmejp32.exe
4360	Nagngjmj.exe
4008	Nhafcd32.exe
2244	Nkpbpp32.exe
4236	Nmnnlk32.exe
1820	Nplkhf32.exe
3776	Nffceq32.exe
2020	Nkboeobh.exe
1372	Nmpkakak.exe
4408	Npognfpo.exe
4768	Ndjcne32.exe
1872	Nkdlkope.exe
3756	Niglfl32.exe
5064	Nmbhgjoi.exe
4264	Npadcfnl.exe
4500	Nhhldc32.exe
440	Ngklppei.exe
2088	Niihlkdm.exe
1748	Nmedmj32.exe
4116	Naqqmieo.exe
1616	Ndomiddc.exe
1752	Ohkijc32.exe
1740	Okiefn32.exe
3464	Oileakbj.exe
1488	Omgabj32.exe
4104	Opfnne32.exe
1824	Odaiodbp.exe
2228	Ogpfko32.exe
4548	Okkalnjm.exe
3240	Omjnhiiq.exe
3736	Oaejhh32.exe
3688	Ophjdehd.exe
3044	Ohobebig.exe
2216	Ogbbqo32.exe
3720	Oiqomj32.exe
680	Omlkmign.exe
5104	Oahgnh32.exe
904	Odfcjc32.exe
2296	Ogdofo32.exe
1340	Okpkgm32.exe
2800	Oickbjmb.exe
4844	Oajccgmd.exe
892	Opmcod32.exe
4388	Ohdlpa32.exe
1800	Oggllnkl.exe
4656	Okbhlm32.exe
3956	Onqdhh32.exe
1868	Opopdd32.exe
4824	Pdklebje.exe
3572	Pgihanii.exe
2888	Pjgemi32.exe
1544	Paomog32.exe
2948	Ppamjcpj.exe
4632	Pgkegn32.exe
380	Pjjaci32.exe
2372	Pdofpb32.exe
3744	Pgnblm32.exe
3616	Pnhjig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cqghcn32.exe	Cnhlgc32.exe
File opened for modification	C:\Windows\SysWOW64\Eblgon32.exe	Enpknplq.exe
File created	C:\Windows\SysWOW64\Eifhac32.dll	Nmedmj32.exe
File created	C:\Windows\SysWOW64\Ajmkad32.dll	Ophjdehd.exe
File created	C:\Windows\SysWOW64\Ppffec32.exe	Pnhjig32.exe
File opened for modification	C:\Windows\SysWOW64\Bhgjcmfi.exe	Bbmbgb32.exe
File created	C:\Windows\SysWOW64\Ploobn32.dll	Bglgdi32.exe
File created	C:\Windows\SysWOW64\Kjgegjko.dll	Minipm32.exe
File created	C:\Windows\SysWOW64\Ndomiddc.exe	Naqqmieo.exe
File opened for modification	C:\Windows\SysWOW64\Oahgnh32.exe	Omlkmign.exe
File created	C:\Windows\SysWOW64\Dhcfleff.exe	Diafqi32.exe
File opened for modification	C:\Windows\SysWOW64\Agqhik32.exe	Aqfolqna.exe
File created	C:\Windows\SysWOW64\Cqghcn32.exe	Cnhlgc32.exe
File created	C:\Windows\SysWOW64\Dhfcae32.exe	Dbijinfl.exe
File created	C:\Windows\SysWOW64\Aidjgo32.dll	Nkdlkope.exe
File created	C:\Windows\SysWOW64\Cnhlgc32.exe	Bkjpkg32.exe
File opened for modification	C:\Windows\SysWOW64\Qpmmfbfl.exe	Qpkppbho.exe
File created	C:\Windows\SysWOW64\Bdnkhn32.exe	Bqbohocd.exe
File created	C:\Windows\SysWOW64\Ckcbaf32.exe	Ciefek32.exe
File created	C:\Windows\SysWOW64\Deejpjgc.exe	Dbgndoho.exe
File created	C:\Windows\SysWOW64\Nmnnlk32.exe	Nkpbpp32.exe
File created	C:\Windows\SysWOW64\Nlaakbkm.dll	Pjahchpb.exe
File created	C:\Windows\SysWOW64\Adkelplc.exe	Aamipe32.exe
File created	C:\Windows\SysWOW64\Qcoaqo32.dll	Bnfoac32.exe
File created	C:\Windows\SysWOW64\Dbijinfl.exe	Dhcfleff.exe
File created	C:\Windows\SysWOW64\Omjnhiiq.exe	Okkalnjm.exe
File created	C:\Windows\SysWOW64\Oajccgmd.exe	Oickbjmb.exe
File opened for modification	C:\Windows\SysWOW64\Bbmbgb32.exe	Bnaffdfc.exe
File created	C:\Windows\SysWOW64\Bhgjcmfi.exe	Bbmbgb32.exe
File opened for modification	C:\Windows\SysWOW64\Opfnne32.exe	Omgabj32.exe
File opened for modification	C:\Windows\SysWOW64\Omjnhiiq.exe	Okkalnjm.exe
File created	C:\Windows\SysWOW64\Ckmmpg32.exe	Cinpdl32.exe
File opened for modification	C:\Windows\SysWOW64\Mmghklif.exe	Mhjpceko.exe
File created	C:\Windows\SysWOW64\Lifmdfkg.dll	Eblgon32.exe
File created	C:\Windows\SysWOW64\Dfhlfj32.dll	Nhhldc32.exe
File created	C:\Windows\SysWOW64\Okpkgm32.exe	Ogdofo32.exe
File created	C:\Windows\SysWOW64\Bglgdi32.exe	Bdnkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhceh32.exe	Bglgdi32.exe
File created	C:\Windows\SysWOW64\Mlkngglh.dll	Dhcfleff.exe
File created	C:\Windows\SysWOW64\Pjgemi32.exe	Pgihanii.exe
File opened for modification	C:\Windows\SysWOW64\Nmbhgjoi.exe	Niglfl32.exe
File created	C:\Windows\SysWOW64\Aqdbfa32.exe	Aglnnkid.exe
File opened for modification	C:\Windows\SysWOW64\Dhfcae32.exe	Dbijinfl.exe
File opened for modification	C:\Windows\SysWOW64\Oaejhh32.exe	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Mnailf32.dll	Odfcjc32.exe
File created	C:\Windows\SysWOW64\Aamipe32.exe	Qjeaog32.exe
File created	C:\Windows\SysWOW64\Cnkilbni.exe	Ckmmpg32.exe
File opened for modification	C:\Windows\SysWOW64\Mhjpceko.exe	f8c08aacf04e520bda222808b3d45bb0N.exe
File created	C:\Windows\SysWOW64\Fdpnbald.dll	Opfnne32.exe
File created	C:\Windows\SysWOW64\Oahgnh32.exe	Omlkmign.exe
File created	C:\Windows\SysWOW64\Donloloo.dll	Cgjcfgoa.exe
File created	C:\Windows\SysWOW64\Dijppjfd.exe	Dbphcpog.exe
File created	C:\Windows\SysWOW64\Njiccd32.dll	Pjjaci32.exe
File opened for modification	C:\Windows\SysWOW64\Bglgdi32.exe	Bdnkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpedgghj.exe	Mmghklif.exe
File created	C:\Windows\SysWOW64\Bcnehb32.dll	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Phmnfp32.exe	Ppffec32.exe
File created	C:\Windows\SysWOW64\Hkkofdlq.dll	Aqdbfa32.exe
File created	C:\Windows\SysWOW64\Pecpko32.dll	Bjhgke32.exe
File created	C:\Windows\SysWOW64\Opmcod32.exe	Oajccgmd.exe
File created	C:\Windows\SysWOW64\Pdklebje.exe	Opopdd32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkilbni.exe	Ckmmpg32.exe
File created	C:\Windows\SysWOW64\Nhafcd32.exe	Nagngjmj.exe
File created	C:\Windows\SysWOW64\Igehifaa.dll	Nkpbpp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7020	6936	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enpknplq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhafcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onqdhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgkegn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbgndoho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjahchpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpmmfbfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agnkck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjcfgoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkakak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbhgjoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paomog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niglfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnaffdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjpkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calbnnkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohobebig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjgemi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akopoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmejp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naqqmieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oggllnkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abflfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdnkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfoac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbiabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niihlkdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omjnhiiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okpkgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnbapjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciefek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkijc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogdofo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdklebje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpbpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngklppei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbbqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agqhik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmedmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgaiffii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eieplhlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eldlhckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilcol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opfnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohdlpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfolqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqnemp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deejpjgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnnlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjhgke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbpolb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkelplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglnnkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhhlccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkilbni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjpceko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omlkmign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phmnfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qggebl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnghhqdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dilmeida.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clclnfln.dll"	Okpkgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgeam32.dll"	Pnjgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafnik32.dll"	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqnemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niglfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgna32.dll"	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqfolqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npadcfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbbqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpkppbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmedmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oajccgmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbcfe32.dll"	Cicjokll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcmnfop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngklppei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdmmg32.dll"	Oahgnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enpknplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepidp32.dll"	Niglfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjaci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgjjoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkilbni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjcne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbiabq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciefek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npadcfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdnkhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Canocm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dilmeida.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmghklif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agqhik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okiefn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkboeobh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnqqq32.dll"	Cqghcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gglnncqg.dll"	Cnkilbni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdqekdcj.dll"	Ceeaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djipbbne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deejpjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhmmieil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apleaenp.dll"	Eieplhlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elaobdmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daeddlco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeodp32.dll"	Qggebl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okbhlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgdlkh.dll"	Pjgemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqhdfhck.dll"	Adkelplc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfgkjnai.dll"	Nmpkakak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjahchpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjgemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pklkbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajodef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfckpa32.dll"	Bkjpkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Decmjjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niihlkdm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 956	4528	f8c08aacf04e520bda222808b3d45bb0N.exe	93
PID 4528 wrote to memory of 956	4528	f8c08aacf04e520bda222808b3d45bb0N.exe	93
PID 4528 wrote to memory of 956	4528	f8c08aacf04e520bda222808b3d45bb0N.exe	93
PID 956 wrote to memory of 2660	956	Mhjpceko.exe	94
PID 956 wrote to memory of 2660	956	Mhjpceko.exe	94
PID 956 wrote to memory of 2660	956	Mhjpceko.exe	94
PID 2660 wrote to memory of 3504	2660	Mmghklif.exe	95
PID 2660 wrote to memory of 3504	2660	Mmghklif.exe	95
PID 2660 wrote to memory of 3504	2660	Mmghklif.exe	95
PID 3504 wrote to memory of 1320	3504	Mpedgghj.exe	96
PID 3504 wrote to memory of 1320	3504	Mpedgghj.exe	96
PID 3504 wrote to memory of 1320	3504	Mpedgghj.exe	96
PID 1320 wrote to memory of 4448	1320	Mhmmieil.exe	97
PID 1320 wrote to memory of 4448	1320	Mhmmieil.exe	97
PID 1320 wrote to memory of 4448	1320	Mhmmieil.exe	97
PID 4448 wrote to memory of 1924	4448	Minipm32.exe	98
PID 4448 wrote to memory of 1924	4448	Minipm32.exe	98
PID 4448 wrote to memory of 1924	4448	Minipm32.exe	98
PID 1924 wrote to memory of 4452	1924	Mdcmnfop.exe	99
PID 1924 wrote to memory of 4452	1924	Mdcmnfop.exe	99
PID 1924 wrote to memory of 4452	1924	Mdcmnfop.exe	99
PID 4452 wrote to memory of 4360	4452	Njmejp32.exe	100
PID 4452 wrote to memory of 4360	4452	Njmejp32.exe	100
PID 4452 wrote to memory of 4360	4452	Njmejp32.exe	100
PID 4360 wrote to memory of 4008	4360	Nagngjmj.exe	101
PID 4360 wrote to memory of 4008	4360	Nagngjmj.exe	101
PID 4360 wrote to memory of 4008	4360	Nagngjmj.exe	101
PID 4008 wrote to memory of 2244	4008	Nhafcd32.exe	102
PID 4008 wrote to memory of 2244	4008	Nhafcd32.exe	102
PID 4008 wrote to memory of 2244	4008	Nhafcd32.exe	102
PID 2244 wrote to memory of 4236	2244	Nkpbpp32.exe	103
PID 2244 wrote to memory of 4236	2244	Nkpbpp32.exe	103
PID 2244 wrote to memory of 4236	2244	Nkpbpp32.exe	103
PID 4236 wrote to memory of 1820	4236	Nmnnlk32.exe	104
PID 4236 wrote to memory of 1820	4236	Nmnnlk32.exe	104
PID 4236 wrote to memory of 1820	4236	Nmnnlk32.exe	104
PID 1820 wrote to memory of 3776	1820	Nplkhf32.exe	105
PID 1820 wrote to memory of 3776	1820	Nplkhf32.exe	105
PID 1820 wrote to memory of 3776	1820	Nplkhf32.exe	105
PID 3776 wrote to memory of 2020	3776	Nffceq32.exe	106
PID 3776 wrote to memory of 2020	3776	Nffceq32.exe	106
PID 3776 wrote to memory of 2020	3776	Nffceq32.exe	106
PID 2020 wrote to memory of 1372	2020	Nkboeobh.exe	107
PID 2020 wrote to memory of 1372	2020	Nkboeobh.exe	107
PID 2020 wrote to memory of 1372	2020	Nkboeobh.exe	107
PID 1372 wrote to memory of 4408	1372	Nmpkakak.exe	108
PID 1372 wrote to memory of 4408	1372	Nmpkakak.exe	108
PID 1372 wrote to memory of 4408	1372	Nmpkakak.exe	108
PID 4408 wrote to memory of 4768	4408	Npognfpo.exe	109
PID 4408 wrote to memory of 4768	4408	Npognfpo.exe	109
PID 4408 wrote to memory of 4768	4408	Npognfpo.exe	109
PID 4768 wrote to memory of 1872	4768	Ndjcne32.exe	110
PID 4768 wrote to memory of 1872	4768	Ndjcne32.exe	110
PID 4768 wrote to memory of 1872	4768	Ndjcne32.exe	110
PID 1872 wrote to memory of 3756	1872	Nkdlkope.exe	111
PID 1872 wrote to memory of 3756	1872	Nkdlkope.exe	111
PID 1872 wrote to memory of 3756	1872	Nkdlkope.exe	111
PID 3756 wrote to memory of 5064	3756	Niglfl32.exe	112
PID 3756 wrote to memory of 5064	3756	Niglfl32.exe	112
PID 3756 wrote to memory of 5064	3756	Niglfl32.exe	112
PID 5064 wrote to memory of 4264	5064	Nmbhgjoi.exe	113
PID 5064 wrote to memory of 4264	5064	Nmbhgjoi.exe	113
PID 5064 wrote to memory of 4264	5064	Nmbhgjoi.exe	113
PID 4264 wrote to memory of 4500	4264	Npadcfnl.exe	114

C:\Users\Admin\AppData\Local\Temp\f8c08aacf04e520bda222808b3d45bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\f8c08aacf04e520bda222808b3d45bb0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\Mhjpceko.exe
  C:\Windows\system32\Mhjpceko.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\Mmghklif.exe
    C:\Windows\system32\Mmghklif.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\Mpedgghj.exe
      C:\Windows\system32\Mpedgghj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\SysWOW64\Minipm32.exe
        
        C:\Windows\system32\Minipm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mdcmnfop.exe
        
        C:\Windows\system32\Mdcmnfop.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Nagngjmj.exe
        
        C:\Windows\system32\Nagngjmj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Nkpbpp32.exe
        
        C:\Windows\system32\Nkpbpp32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Nplkhf32.exe
        
        C:\Windows\system32\Nplkhf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Nffceq32.exe
        
        C:\Windows\system32\Nffceq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Nkboeobh.exe
        
        C:\Windows\system32\Nkboeobh.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Nmpkakak.exe
        
        C:\Windows\system32\Nmpkakak.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Ndjcne32.exe
        
        C:\Windows\system32\Ndjcne32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Nmbhgjoi.exe
        
        C:\Windows\system32\Nmbhgjoi.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Ngklppei.exe
        
        C:\Windows\system32\Ngklppei.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Niihlkdm.exe
        
        C:\Windows\system32\Niihlkdm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Nmedmj32.exe
        
        C:\Windows\system32\Nmedmj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ndomiddc.exe
        
        C:\Windows\system32\Ndomiddc.exe
        28⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        31⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Ogpfko32.exe
        
        C:\Windows\system32\Ogpfko32.exe
        35⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        38⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\Oahgnh32.exe
        
        C:\Windows\system32\Oahgnh32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Odfcjc32.exe
        
        C:\Windows\system32\Odfcjc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\Ogdofo32.exe
        
        C:\Windows\system32\Ogdofo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Oajccgmd.exe
        
        C:\Windows\system32\Oajccgmd.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Opmcod32.exe
        
        C:\Windows\system32\Opmcod32.exe
        50⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Oggllnkl.exe
        
        C:\Windows\system32\Oggllnkl.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Okbhlm32.exe
        
        C:\Windows\system32\Okbhlm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Pgihanii.exe
        
        C:\Windows\system32\Pgihanii.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        60⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        64⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Pnhjig32.exe
        
        C:\Windows\system32\Pnhjig32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Phmnfp32.exe
        
        C:\Windows\system32\Phmnfp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Pphckb32.exe
        
        C:\Windows\system32\Pphckb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Pjahchpb.exe
        
        C:\Windows\system32\Pjahchpb.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Qggebl32.exe
        
        C:\Windows\system32\Qggebl32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Adkelplc.exe
        
        C:\Windows\system32\Adkelplc.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        78⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Aglnnkid.exe
        
        C:\Windows\system32\Aglnnkid.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Ajodef32.exe
        
        C:\Windows\system32\Ajodef32.exe
        85⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Abflfc32.exe
        
        C:\Windows\system32\Abflfc32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Bgeadjai.exe
        
        C:\Windows\system32\Bgeadjai.exe
        89⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        90⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Bdiamnpc.exe
        
        C:\Windows\system32\Bdiamnpc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2708
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        93⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        94⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Bnaffdfc.exe
        
        C:\Windows\system32\Bnaffdfc.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Bhgjcmfi.exe
        
        C:\Windows\system32\Bhgjcmfi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        98⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Bjhgke32.exe
        
        C:\Windows\system32\Bjhgke32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Bglgdi32.exe
        
        C:\Windows\system32\Bglgdi32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        104⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Bbbkbbkg.exe
        
        C:\Windows\system32\Bbbkbbkg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Bdphnmjk.exe
        
        C:\Windows\system32\Bdphnmjk.exe
        107⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Bkjpkg32.exe
        
        C:\Windows\system32\Bkjpkg32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        111⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Cinpdl32.exe
        
        C:\Windows\system32\Cinpdl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Ckmmpg32.exe
        
        C:\Windows\system32\Ckmmpg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Cqiehnml.exe
        
        C:\Windows\system32\Cqiehnml.exe
        115⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        116⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        118⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Cbiabq32.exe
        
        C:\Windows\system32\Cbiabq32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        121⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Canocm32.exe
        
        C:\Windows\system32\Canocm32.exe
        123⤵
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        125⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Celgjlpn.exe
        
        C:\Windows\system32\Celgjlpn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        128⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        129⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Dnghhqdk.exe
        
        C:\Windows\system32\Dnghhqdk.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Daeddlco.exe
        
        C:\Windows\system32\Daeddlco.exe
        132⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Dgomaf32.exe
        
        C:\Windows\system32\Dgomaf32.exe
        134⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Decmjjie.exe
        
        C:\Windows\system32\Decmjjie.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        137⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6484
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Dhcfleff.exe
        
        C:\Windows\system32\Dhcfleff.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Dbijinfl.exe
        
        C:\Windows\system32\Dbijinfl.exe
        142⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Dhfcae32.exe
        
        C:\Windows\system32\Dhfcae32.exe
        143⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        144⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Enpknplq.exe
        
        C:\Windows\system32\Enpknplq.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        147⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Eieplhlf.exe
        
        C:\Windows\system32\Eieplhlf.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 400
        150⤵
        Program crash
        
        PID:7020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6936 -ip 6936
1⤵
PID:6996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
1⤵
PID:7044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnaffdfc.exe

Filesize
80KB

MD5
4a93026dce397a056d62a45faed3a0d8

SHA1
6ef87bd725dcefabfd44e9db1fef4b9abf0547a0

SHA256
405897685d12e4034bf989ecda125ce8a1252c876da3f61fe62e24c6f6cf3598

SHA512
e526bb4e4c8e5da8a256f2c111b339c3959222fa0c0c566d99f0a7ed0a48b300029c00b9bfe4b422b4b700fe1a123583430cfb4f68d992998ea3da2f8318991a

Download Submit
C:\Windows\SysWOW64\Dgomaf32.exe

Filesize
80KB

MD5
7e64c3276f9fd483cfbccf1bc250c63a

SHA1
c9c5e7228d36b7317901d67e01a533aa81be999d

SHA256
6fedf5317f2681f93aee1ee4a12d90193df7c5def7a845da32f46adfab627bb1

SHA512
0cc1ddb7741a772489abfe6427cac29decd504effdd301554d146fecde6ae643a1996b3d09fcd737a3340e619d0a03ec57eed03a6d1a8ebee6967a432507d097

Download Submit
C:\Windows\SysWOW64\Dijppjfd.exe

Filesize
80KB

MD5
6c1240f428fe6df7bd7621465ac4844f

SHA1
df91f4eb5212c48c3bbab62ec9b070b322e63982

SHA256
1a9b09de2679ac81521a02fb475aa0274234002cb8b32396eeeecff9acd3fa58

SHA512
633aae87e7f2031864f01c4b953af86310bdaf377ce73d5e47222bd3563769d50c4f18afdfaa0fbb9e4792d22e5c6b85d6b401e35b929e5e6cd5d547ee5292c7

Download Submit
C:\Windows\SysWOW64\Eblgon32.exe

Filesize
80KB

MD5
cb053f1eae8d74cfc41cf7b795a97c22

SHA1
6e22ec58f63d5d6e264ad7c9db11ad0425d69a19

SHA256
9b7aa4e2a5cb0be460207b49ddf225e8f57de4afbeab40577470ee0f7ac69ac6

SHA512
b420a16e11dbd5631544524f5e13bf2acbdbff86eb50e77e7c90f64a7475e1a717f1b3f698ccf843376ac499bae2e62712a28b89780cfe0061110b76839754ed

Download Submit
C:\Windows\SysWOW64\Mdcmnfop.exe

Filesize
80KB

MD5
795d8053e712f6a2cdfcd29e56a4fe9b

SHA1
55ddc92884c0102b062c97d620af49a7bb262ce1

SHA256
1942fa6f55695c0bc2e19b0f564c51260ee8f0fbf0353143cac5b754443bcfd0

SHA512
392d27833e11af4c7275a5ab2df4025ee56748ea1e8ff4ef29dad8bd5839d42a28fc6da3beb5fc4632f99bb34b98a409223acf1a44fc9e5fb944dd5c4f999bfe

Download Submit
C:\Windows\SysWOW64\Mhjpceko.exe

Filesize
80KB

MD5
c7a114ba6bc3edb2d55951bb3de6b789

SHA1
42b87d377951a813c28f92f4a4e8674f7b94def7

SHA256
8542c07d398407a300d5dfe56f854f2521bdd7ef0969f7612e3b74ee2875cc1b

SHA512
78262ee9c03bbbf9128bcf0f9e547b5c9e12fde4c00a75e9d5cf45492c3411362d90aa53bc99320850b0a60e3bb42650d73e12138e92ec6f2b963aca53459538

Download Submit
C:\Windows\SysWOW64\Mhmmieil.exe

Filesize
80KB

MD5
fbacbdba5864658fdc8216f05254f89e

SHA1
37eea73ca1ca3283696bf0b88acf0b70c0ae88d7

SHA256
e125dee167628f7036f69579a1c9e2bfc6e8303ca7bfadfb0e979910510b10b4

SHA512
02e8bc2c654c42ea50c0360936bf6651869a35ff3f8c0f28ec517c2fd71a1830474dfb8934da34028f296975422d9083bfad94b36d19d2a5dc27645679cbed08

Download Submit
C:\Windows\SysWOW64\Minipm32.exe

Filesize
80KB

MD5
887572525068412e6844763390158eeb

SHA1
a2696c06459f39754b2fb19ef178bab70d8c828a

SHA256
417e22787c89916b057ccd5912b9b9974609a0bfcc0dfe5302b696407e31c9f7

SHA512
e8e2d6649d3e70c4c4ab4c061be2b1b9ed5db9d3fdbb1dbaf021fa964dc89d46de9e21279226dcad151db86f08e034b167ae14872bf3ed9ee93ff8f34acf2b82

Download Submit
C:\Windows\SysWOW64\Mmghklif.exe

Filesize
80KB

MD5
5cb476981d654cad0e46c58a535fbe07

SHA1
c68e35ff55e68f3a2046ba47a5fcf21f980035cf

SHA256
055d188110dd1f50a5270e21891d6971368b07dac9efa3738ca4003c46735c9e

SHA512
ad87c53d848a211549fb95cdbc1738f68966c3397157bf8419a95324850b888b235079039deb0257463c1f967eefff047dd220461b61a965061472e0d1f9edb8

Download Submit
C:\Windows\SysWOW64\Mpedgghj.exe

Filesize
80KB

MD5
24a92f5a787e1a77b465ddc9b70d3feb

SHA1
476da6b97d39fab943b74c940165bf4abcb64099

SHA256
4c4eb0290c5b5ef997958a9f967424aab9a4d6160169ebafa4e3737af9de975b

SHA512
e264a2cfdade2c3ec8316d4823fc560900743a2ea9b60305f358e71dcf3a60a5cc668f783042192668ca7d14643c2fb5838bbf174ee55495a04b205b3273da2d

Download Submit
C:\Windows\SysWOW64\Nagngjmj.exe

Filesize
80KB

MD5
f76a2dfe1a55cb08829256284f65600f

SHA1
a43f083e546097ec716aec37ca2f734c347f3d0a

SHA256
3206b011f363fb56bd375e3a746d46523928c08b30f10fe5ce0e11726a0061d9

SHA512
b4b7738d174a2484fffbac6cc06789e3397ec1dfea7e404b7455c1efa633691c29144820eea3acd11e5e29ae72c58ad643a7b1e71d562eab0721a1d2412c9300

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
80KB

MD5
1bc5cdf3579b965d125bee347e01b1c7

SHA1
baf207f25b0e4fb7fdc5b2b8aed51d92451ed120

SHA256
297d686f0b992fe2f4d763446cdb7431dfe500bd53f80bf0d38c363398ecd0fe

SHA512
5d2330dc1825d133bd5ef7a2d836a6848d2dc50db4b745815985a58ae8e586ae9d54e0fc27bc66b6e194aa862200d1974dd262bfb665fcdf0813a811747e5509

Download Submit
C:\Windows\SysWOW64\Ndjcne32.exe

Filesize
80KB

MD5
d515798da3d8392399a0d4a4a410a0a6

SHA1
eb0784dbceab55ad96f04442f8af2a74a527ae5f

SHA256
4a32ebfeba209df9b90235032ceb43354dcbf2eb2e3777dbe6a1e276599a1656

SHA512
f17e3641e19adf467f91299634fd7080bda2c6a6659c1330567cdd26277913b8c1d5a89b039bee3cce32812b2ab61cb59f9ea890d38a7ad0dc94130a1ce80149

Download Submit
C:\Windows\SysWOW64\Ndomiddc.exe

Filesize
80KB

MD5
5e919e38787a321c869c05f17194ce21

SHA1
ed3a90add75c0c6d4a5b9f661fcd7cc348ce9b81

SHA256
6c6077140928e6a86c03a7132a245b95d73322ffb3ec2db21d1e8b48c6dd1642

SHA512
e3e0aa04eeb1bfccc3bc45f5c3cba7bb0d22f9ec97356394b3a5b8baf7a4106b6c6663d32af95b7775962e33dfc3811d72cb0d7285ea9433ae61b6e0f61eba56

Download Submit
C:\Windows\SysWOW64\Nffceq32.exe

Filesize
80KB

MD5
0d55136c7f88579e892e5b69307b7956

SHA1
b5b62cd2bfb6202187ba4c12a931d95dd68af58e

SHA256
c3905da195de075ac1be179d43ed0aa387932a0a60b20d3a28c8b2ce608c1882

SHA512
95101a1b34ec65c3c86e42412e09226418cde849dd453551392e636258e75d17799db193c6773267bd19f4111be8db03080764716436f0036b42c7898b8dd4de

Download Submit
C:\Windows\SysWOW64\Ngklppei.exe

Filesize
80KB

MD5
c1b7b2c022100dc105c2af72dd189ba8

SHA1
97b3a73e8141d4e2037a90ac5e81779d1d120dfd

SHA256
03eb95bfb0eff43626e9f7aa3b4347a80836b46d76fe26a187ec54820b4e73b5

SHA512
eba84451ec0b194ba54820b208f8d0be31b01c77435ec2e6df9ebedc01635fb5d7d05ee8e6e6f96fe3849dd5fea529bd5000d241fdc6408c10c9e602e0c50d49

Download Submit
C:\Windows\SysWOW64\Nhafcd32.exe

Filesize
80KB

MD5
e153a8a586fe22bbba839b4b7e61f2f4

SHA1
af0943dc854ddeedc1ad68e63ff3224c91d7c4e6

SHA256
2ee657b2e0c2f30a630c407ff99bd76abbc8f9726492b72b94e3ff117e0ef1a9

SHA512
eba2ccba84412e1c94a58eb5164704c01f317f7d0ba86f76a9195537b34db2b84857d7e4796059511283e4939f918119b8b14e811541dc0b58c533bf9b8ae83d

Download Submit
C:\Windows\SysWOW64\Nhhldc32.exe

Filesize
80KB

MD5
28a8bf95b63cfec4fa1269465f78634b

SHA1
eae93047cd9f81b19b4fc47c8b90e18432394b44

SHA256
b4402594631f03f8f0a19391838c7c31ffaeb2765e72154b604d1f38655f480e

SHA512
3a75bee38cfa4c1dae247a5b990ecb5fa5f4170d2fa0c27ccf31371cdfd45aec68494eb7d9117b0e94e88660c5732d7baa101ab6d8c03a98f6a40448981067df

Download Submit
C:\Windows\SysWOW64\Niglfl32.exe

Filesize
80KB

MD5
20a9a8c9b4e0823d9908a0d13a11fd54

SHA1
c760faa10d545e9493ffcda8df18b5d66cdbfe8b

SHA256
fd4540d9a25b7b8fb4a972510e58015dc8ae1517d8e7ddc925ba4121c748945b

SHA512
24f5532a93fffea20aad08c60924dd68b7c2e273c28baa69882c9cabce77c4920d441b0c5766e718cbe68c0d68e5a2b27631772722cb02cb0d342917ea8b14b3

Download Submit
C:\Windows\SysWOW64\Niihlkdm.exe

Filesize
80KB

MD5
db9fdafa07f238e76bcb4ec074586aef

SHA1
20c9dd4198d96c431a4f25ee07ebb6541fb36571

SHA256
4323d81375639d0c6d83d382096d69ba6a290090b9bcc154b82223c280504e18

SHA512
16c581b310498a6d9cbd19ee93c66fcfa5dd1e1bcd6f62c3d80942c1418e1ff141b4962bb61a761d72765006b9fa12e8013ef525cabf899419c15561c98e49ea

Download Submit
C:\Windows\SysWOW64\Njmejp32.exe

Filesize
80KB

MD5
0e9c6ffa00a9766abedcdf431836f292

SHA1
462b46582c1ca0af46f4e3b1fef86ac13cfa9bf7

SHA256
92a8c42a71dd8d0089de0923cab5065bf1096364eb3802f52f466d61fce876e2

SHA512
38abff42fda228be2ad3f17aacfcd7faa8fdef09c7ebe1382a579aa34f6baa74ee61dc028b8817de03cddca4d107d2d92af2be7f15541ef0dd2309e068e8fe44

Download Submit
C:\Windows\SysWOW64\Nkboeobh.exe

Filesize
80KB

MD5
7fdd43fd9e6e85f89f6a2cecb2933442

SHA1
e59488293ce558e3a0a9d10facdbfe5d7dca733a

SHA256
3b52fecfccbfa35682b06c3b7b17044a1bed482de07515ce233bfb9314e89499

SHA512
d06ee9737a703a4dc7e4e18b55dec3afeb6aa9f813a011c1e9d4c180277387e7a9a6ba7777f993b73ca8abe2acc2094ca5a39eeb58040fae2dec826d689614c6

Download Submit
C:\Windows\SysWOW64\Nkdlkope.exe

Filesize
80KB

MD5
e61cb20db7263e5900c6f0ac447227d4

SHA1
f60b90fc0c9f9d11944768388a9c269b901c3611

SHA256
8b3daf96b60677f92381e7e5e85841cd0508143dd6b272c6b1f768c2437f3b35

SHA512
6f06d02bf0d09a535f1d631652af9b4eecd3c97d8ca691c382e7f42bceed099dd3afb9029ca680902955d6b5840d0e7b78b8e3fca60e0a55b394885b4635a5fa

Download Submit
C:\Windows\SysWOW64\Nkpbpp32.exe

Filesize
80KB

MD5
19dbf4710d07e92a6d0e3d24bfe56ab6

SHA1
4b4b92bab1847e17c2bdbb96f5d4cda530cfe3bc

SHA256
af58dbc8f6cd3070f970a3bfaa2295ac490a32d0fd202de7a49fded64c0c117d

SHA512
f5914f160d663b2c93e7efadd3b3b230d58935a3065140a2f6d6660ba562552336f2c384e08397c86907403b5e1563fda6ccd536455b7f01af9a2edc8bee2bf5

Download Submit
C:\Windows\SysWOW64\Nmbhgjoi.exe

Filesize
80KB

MD5
eebecfbb1bcea5879a02b7685bffad36

SHA1
f469c0739648899bb089ae382097046cdffd4748

SHA256
adc78193e3e49d4f2ecd0d40cf4f7dbedcb28da10256631455fec66fea504537

SHA512
153875392057afac238fdf7b4f7fbef067fc75bb0da28ba59ef38c6003743973e7326e5f3b42681c7d44f30805aa091e913c766244af4a849f1900d9cef1f031

Download Submit
C:\Windows\SysWOW64\Nmedmj32.exe

Filesize
80KB

MD5
be32230cb21d107b01776de2bd9afd63

SHA1
0fb50b18ed8fd93efe08b6f20ba2e716217760c5

SHA256
fcf48d00f77497a33c500ac9d5abbdd81fac470bf045ada818ea99966e1c5390

SHA512
b3ae55e3331e8fd5456d022d0e956dada0b48ff0ade8b0c27a09eb86bdbbf095c8d9630b686e68ad510b764ac7fae8892dec7f7d0f1ba8d8144e2875ef0f7e71

Download Submit
C:\Windows\SysWOW64\Nmnnlk32.exe

Filesize
80KB

MD5
2acc0224b6c9e46a0758371c2f359e6c

SHA1
5c27593ec68642475934a6c4e5e0587793c04189

SHA256
5cb1d93e6da25493fab2d755a6b880d71626bacd280f60ca99e24114dc2fbe4b

SHA512
885c9666afa92e3e9bdb1993018edf55f4711773e2ca55037c81cfb4fb97b97852afa98ab9aee48ec6a8867b3618fae250a1c735e97beeb9cd892d88e8ae94f2

Download Submit
C:\Windows\SysWOW64\Nmpkakak.exe

Filesize
80KB

MD5
56ca5d729aa61f03548a4fc9137d684e

SHA1
38a790ab8111d3cbc4606953b810ed722c9bad3b

SHA256
6b72286f222e78a8e08bd61efaaf8722b0e8383de5879e4c337c2a3750760c25

SHA512
a2be9f81538b12274b8a035e0f1a10b7f504ba9ea9404fe9a06b5d4aab229edd4b890860e6f310ad6aee7667adec6ec0fd801f4d9aba6941baea07b2370a3f92

Download Submit
C:\Windows\SysWOW64\Npadcfnl.exe

Filesize
80KB

MD5
cf3c668d9f23f9f843c4f12209dfa471

SHA1
c831b89545608a2b46d561480b69ab3c65702c4c

SHA256
0e2168c6f695574c4f0ca986f04f8f100677635ce0e223b682ee7a1babec941b

SHA512
140635d20fc74cedccdbb7eac610ef7c5a9b84f2680c2d89a18892556dd669f4c750a9275076f94e5a7f3f04480b71b002c20d9e1da75ad5b07ab3160ce56796

Download Submit
C:\Windows\SysWOW64\Nplkhf32.exe

Filesize
80KB

MD5
cd6b11cefbcb8d172cfbd6b7f5d8c709

SHA1
e9d4cb2d0cc80c0cbb9f8509a2450bbeb2ca43fa

SHA256
74a39f7f31c9f936e2b8c49154481bf8a2299136defdb1f1eca1afb94bcdef93

SHA512
d2316121642b5c5bb7b439271f029ab368547a27ad64ad7c64fef0f499b23b5c3d5a565a3c6c6220495540efd69a198e48ed954a7eb96bf246f1f7a290ae524d

Download Submit
C:\Windows\SysWOW64\Npognfpo.exe

Filesize
80KB

MD5
8b23042b1c5439a09e9962ab70741ace

SHA1
5417344332f22913ddc861b814a848a128cae1d8

SHA256
086150f05a76fce5eea4525307478107be477c74ebaed45ca5ea874c11fb6c85

SHA512
ee762b6e1e61a86f40902cada6489e97ff6d74501fb9b801a6a2865418eb0f9554c815b26d4c764f81b4aaddce3c2a7a76002f01e6300c6cbe84f9829ae82563

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
80KB

MD5
8b6403c3a09c9b669146963068cebf3e

SHA1
1c606371ec81d13f83a32929267c5803dc2197db

SHA256
2fdca520bd668dfa24f3c03faab2912f394b0b6890f2a5f13f170a98a996f990

SHA512
3f8209a5160a75f159e2ed62a317783dadc0b1d631dadf3bcc58f1670b3c1b84d0fc4cf84d70b6ab92c7de0044ba4b9c316d48397c1c72e0649b7a241ea26abd

Download Submit
C:\Windows\SysWOW64\Oileakbj.exe

Filesize
80KB

MD5
b4b03ec34d0724e1de19165a71cafc00

SHA1
c12df492a908fa786dbee8d8139a62b824a7b075

SHA256
d7026d674c8e7489f4a0f9d7bb72aa34a4f45e93576bc87dc4e9315b5f0556ac

SHA512
b0a4265a27df754ad096fe586f690962e137c1cf8558fd6efd160b50c6106ee76584b88cb9c065ac9b841223f89bb4db823ef5914deb9b357c0da44ba5b7b12f

Download Submit
C:\Windows\SysWOW64\Okiefn32.exe

Filesize
80KB

MD5
e1601578b41e23d1c244cdfaa117c8f8

SHA1
2dbc02384a2cf29d5d6fa06d47bf723a84775446

SHA256
0b7aa9035ad6e060c89881c7a9fb547a6e5e43890697088657e55dce3ecdd173

SHA512
bc9a5cfc9e0bb32a27470b3c4998739a0e40c799c1605b3ed6c61cd7c330c1fb45b57b707250c090a5fd63b7b50cb0b1b4b01e0c4b3d3a0349ad555688a24db5

Download Submit
C:\Windows\SysWOW64\Omgabj32.exe

Filesize
80KB

MD5
e57edbe7062d8b3a974a59649d452bd5

SHA1
80dc54375431bf61f00b25f486a662bdfca4680e

SHA256
7e431c332e50456878a7c23cc077a0433502c294cbbc8b7059094e8f27faa586

SHA512
db027865083fc0bbcddca334e201aacee04cc3a70ed0a30106658aee2c263e5648aef58d2772f3fb8d0c60364edbd8ba931c5791caf2f2fcf1a83cc7b9ee5f50

Download Submit
C:\Windows\SysWOW64\Opfnne32.exe

Filesize
80KB

MD5
3d041cd27401e450d10b4892f39abced

SHA1
814fbc5859aabad144f542e1eca8c7522ce4695f

SHA256
cbe33f3bba8ce8546390dd4bef994a880e584592d154ba9934f3fd6b7ab4c1f4

SHA512
fbbab5e7e9bdda4beef6063efd74df7b06fda7c239575df2c42d4917ce0ae401d528603437bbdca637d06cc5f33e95bedf12c0f135ac9d6bb4372cc8c9986465

Download Submit
memory/380-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/904-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/956-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/956-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1340-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1544-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1872-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3688-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4528-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5192-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5240-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5288-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5328-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5408-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5448-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5544-537-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5584-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5632-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5680-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5724-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5776-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5816-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5864-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5916-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5964-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads