2d5ed8e54b11c3e184675f7101d1eb51f73fff3c4c323a978c38c73153109f43

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

174c7865e1c7227e7df0152bf6b3c1f0N.exe
Size

470KB
MD5

174c7865e1c7227e7df0152bf6b3c1f0
SHA1

5101fe8e9140c565d5843c15874594aaa5478b94
SHA256

2d5ed8e54b11c3e184675f7101d1eb51f73fff3c4c323a978c38c73153109f43
SHA512

e5c6f4baafd58bd6e445ed8ef18048272a49e3535717f79545bff4c79721907a9f68df0f0de87bb2c543809970fb4b2488e9f4a25a4237324a514b40dd745245
SSDEEP

12288:UhAWR/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8QVH:MR4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	174c7865e1c7227e7df0152bf6b3c1f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe

Executes dropped EXE 64 IoCs

pid	Process
3428	Jmmjgejj.exe
3344	Jcgbco32.exe
4772	Jbjcolha.exe
1104	Jidklf32.exe
1940	Kboljk32.exe
4816	Kiidgeki.exe
2392	Kbaipkbi.exe
1512	Kepelfam.exe
2428	Kmijbcpl.exe
4212	Kfankifm.exe
400	Kdeoemeg.exe
1964	Kdgljmcd.exe
664	Llcpoo32.exe
5004	Lpqiemge.exe
5104	Lmdina32.exe
948	Lpcfkm32.exe
1808	Lbabgh32.exe
1284	Lgokmgjm.exe
2032	Medgncoe.exe
2932	Mmlpoqpg.exe
4400	Mmnldp32.exe
3724	Mplhql32.exe
4460	Miemjaci.exe
2356	Mpoefk32.exe
832	Mdmnlj32.exe
1920	Ngmgne32.exe
2888	Ngpccdlj.exe
4812	Njnpppkn.exe
4368	Neeqea32.exe
4136	Ndfqbhia.exe
4232	Nnneknob.exe
3608	Nfjjppmm.exe
3152	Odkjng32.exe
3728	Oflgep32.exe
1084	Olfobjbg.exe
3644	Ocpgod32.exe
2024	Ofnckp32.exe
3672	Opdghh32.exe
2244	Ocbddc32.exe
4628	Ojllan32.exe
2056	Ocdqjceo.exe
4408	Ofcmfodb.exe
2640	Oqhacgdh.exe
4624	Oddmdf32.exe
4872	Ojaelm32.exe
1852	Pqknig32.exe
2072	Pcijeb32.exe
4376	Pnonbk32.exe
4832	Pqmjog32.exe
2668	Pfjcgn32.exe
4144	Pqpgdfnp.exe
2488	Pdkcde32.exe
1680	Pflplnlg.exe
1228	Pncgmkmj.exe
2572	Pcppfaka.exe
840	Pfolbmje.exe
2608	Pnfdcjkg.exe
864	Pdpmpdbd.exe
2396	Pfaigm32.exe
3392	Qmkadgpo.exe
4468	Qceiaa32.exe
1604	Qfcfml32.exe
3596	Qmmnjfnl.exe
1804	Qddfkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Kiidgeki.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jcgbco32.exe	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Kepelfam.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Jbjcolha.exe	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Neeqea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	5596	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	174c7865e1c7227e7df0152bf6b3c1f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3428	1480	174c7865e1c7227e7df0152bf6b3c1f0N.exe	84
PID 1480 wrote to memory of 3428	1480	174c7865e1c7227e7df0152bf6b3c1f0N.exe	84
PID 1480 wrote to memory of 3428	1480	174c7865e1c7227e7df0152bf6b3c1f0N.exe	84
PID 3428 wrote to memory of 3344	3428	Jmmjgejj.exe	85
PID 3428 wrote to memory of 3344	3428	Jmmjgejj.exe	85
PID 3428 wrote to memory of 3344	3428	Jmmjgejj.exe	85
PID 3344 wrote to memory of 4772	3344	Jcgbco32.exe	86
PID 3344 wrote to memory of 4772	3344	Jcgbco32.exe	86
PID 3344 wrote to memory of 4772	3344	Jcgbco32.exe	86
PID 4772 wrote to memory of 1104	4772	Jbjcolha.exe	87
PID 4772 wrote to memory of 1104	4772	Jbjcolha.exe	87
PID 4772 wrote to memory of 1104	4772	Jbjcolha.exe	87
PID 1104 wrote to memory of 1940	1104	Jidklf32.exe	88
PID 1104 wrote to memory of 1940	1104	Jidklf32.exe	88
PID 1104 wrote to memory of 1940	1104	Jidklf32.exe	88
PID 1940 wrote to memory of 4816	1940	Kboljk32.exe	89
PID 1940 wrote to memory of 4816	1940	Kboljk32.exe	89
PID 1940 wrote to memory of 4816	1940	Kboljk32.exe	89
PID 4816 wrote to memory of 2392	4816	Kiidgeki.exe	90
PID 4816 wrote to memory of 2392	4816	Kiidgeki.exe	90
PID 4816 wrote to memory of 2392	4816	Kiidgeki.exe	90
PID 2392 wrote to memory of 1512	2392	Kbaipkbi.exe	91
PID 2392 wrote to memory of 1512	2392	Kbaipkbi.exe	91
PID 2392 wrote to memory of 1512	2392	Kbaipkbi.exe	91
PID 1512 wrote to memory of 2428	1512	Kepelfam.exe	92
PID 1512 wrote to memory of 2428	1512	Kepelfam.exe	92
PID 1512 wrote to memory of 2428	1512	Kepelfam.exe	92
PID 2428 wrote to memory of 4212	2428	Kmijbcpl.exe	93
PID 2428 wrote to memory of 4212	2428	Kmijbcpl.exe	93
PID 2428 wrote to memory of 4212	2428	Kmijbcpl.exe	93
PID 4212 wrote to memory of 400	4212	Kfankifm.exe	94
PID 4212 wrote to memory of 400	4212	Kfankifm.exe	94
PID 4212 wrote to memory of 400	4212	Kfankifm.exe	94
PID 400 wrote to memory of 1964	400	Kdeoemeg.exe	95
PID 400 wrote to memory of 1964	400	Kdeoemeg.exe	95
PID 400 wrote to memory of 1964	400	Kdeoemeg.exe	95
PID 1964 wrote to memory of 664	1964	Kdgljmcd.exe	96
PID 1964 wrote to memory of 664	1964	Kdgljmcd.exe	96
PID 1964 wrote to memory of 664	1964	Kdgljmcd.exe	96
PID 664 wrote to memory of 5004	664	Llcpoo32.exe	97
PID 664 wrote to memory of 5004	664	Llcpoo32.exe	97
PID 664 wrote to memory of 5004	664	Llcpoo32.exe	97
PID 5004 wrote to memory of 5104	5004	Lpqiemge.exe	98
PID 5004 wrote to memory of 5104	5004	Lpqiemge.exe	98
PID 5004 wrote to memory of 5104	5004	Lpqiemge.exe	98
PID 5104 wrote to memory of 948	5104	Lmdina32.exe	99
PID 5104 wrote to memory of 948	5104	Lmdina32.exe	99
PID 5104 wrote to memory of 948	5104	Lmdina32.exe	99
PID 948 wrote to memory of 1808	948	Lpcfkm32.exe	100
PID 948 wrote to memory of 1808	948	Lpcfkm32.exe	100
PID 948 wrote to memory of 1808	948	Lpcfkm32.exe	100
PID 1808 wrote to memory of 1284	1808	Lbabgh32.exe	101
PID 1808 wrote to memory of 1284	1808	Lbabgh32.exe	101
PID 1808 wrote to memory of 1284	1808	Lbabgh32.exe	101
PID 1284 wrote to memory of 2032	1284	Lgokmgjm.exe	102
PID 1284 wrote to memory of 2032	1284	Lgokmgjm.exe	102
PID 1284 wrote to memory of 2032	1284	Lgokmgjm.exe	102
PID 2032 wrote to memory of 2932	2032	Medgncoe.exe	103
PID 2032 wrote to memory of 2932	2032	Medgncoe.exe	103
PID 2032 wrote to memory of 2932	2032	Medgncoe.exe	103
PID 2932 wrote to memory of 4400	2932	Mmlpoqpg.exe	104
PID 2932 wrote to memory of 4400	2932	Mmlpoqpg.exe	104
PID 2932 wrote to memory of 4400	2932	Mmlpoqpg.exe	104
PID 4400 wrote to memory of 3724	4400	Mmnldp32.exe	105

C:\Users\Admin\AppData\Local\Temp\174c7865e1c7227e7df0152bf6b3c1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\174c7865e1c7227e7df0152bf6b3c1f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\Jmmjgejj.exe
  C:\Windows\system32\Jmmjgejj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\SysWOW64\Jcgbco32.exe
    C:\Windows\system32\Jcgbco32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Jbjcolha.exe
      C:\Windows\system32\Jbjcolha.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        23⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        53⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        59⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        76⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        82⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        83⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        91⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        92⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        99⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        100⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        103⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        110⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        116⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        117⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 216
        121⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5596 -ip 5596
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
470KB

MD5
f79adfd13e1bea9a247e40f42651b590

SHA1
428e1dc4c5023048ccc3260c0f1ace4c7ba1aa83

SHA256
029b4cb2759aacf328a483ffcc6910136cb0331ce9313b86b4aadb872db90d4e

SHA512
25a3c43710536a7f755501d5ab345cbeb4bb1c9564aedcd662fdb8ebb022110821a3decc113ba88c16730a892b69738f68f4d113be9f2378395e415346b5211f

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
470KB

MD5
6fd4b1b16160c356e2a990480aa60c1b

SHA1
cc54d543e128168b8126000bc3b21f69d3c28150

SHA256
7b0aca2da1de9c10629b88f3281c4f706f6207009afd33806602a8e641577236

SHA512
fbe724d40026559667371f892dce616857dadefe08ae776a44eff62732bc0ffb6f1daf762947d52d61076d2b2f3b5c62dc638406e3cd70adad00542a83e280dc

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
470KB

MD5
fd9793b7c956c482d9af190f2d38966a

SHA1
a4c14d89241afd390269d9a0ed5974a530723dce

SHA256
d7dfb3819a7c9b663367d94d72fda0f9972d08daf721e1135cd20fbd079db5b1

SHA512
32b26080dc542ca2e7987603171eb78921b694ed308ccd29a503eebe54a5a09117136f0b8968ae42e54baea3b6079ec1abff01d2d31d3d518b1d9dd009e109cb

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
470KB

MD5
4f6dac577df321497bf2b638fbd126ae

SHA1
bf079f762f1862ccab73786cb2338bbb0f4b9cb3

SHA256
06bc7bdcc9ee27f00c43c281e3287cfbde6b02d8777a8ea366604d55aeaa93d8

SHA512
ff030b6d5df01245d9842a09dd5956d1a82091b180d55c2ad23d0f81d71f229c30195fa04cc2c9b21cf236375a65adc2123368059e3ccc76aed2c452124ab6b1

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
470KB

MD5
6298784ae09d85c7600b2987e3a522c4

SHA1
4bd7d2ff576cb135342668e5289031e667dd663b

SHA256
3508a95ef1cdf85561ea786360f0e4302565aa6b785deeef925c47a95a92a24b

SHA512
13f80f71361be3fa3dbc4befdb0763259d35fd94b29a7a08e007a0529a1d8795e276ac52b8b8ff54101c2be9af4e5501c5e777b86cb41585976d2b9b7aae6131

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
470KB

MD5
3b380762de8425446b5b28c5aa22a558

SHA1
f14331d8a9a53a180147ccd05f22a9e7ac7847dd

SHA256
bb1f9fd768e8a7cdaf6fc9979ef15a0368e751781a423e5c9868b4ba394252e8

SHA512
5e0d1749128a1c3c41dd4deecc68a18dd1720f93e54d8fb2c2b361e518587bb1228ad63b211ee5e784b51678b9e2ef503481c42671f124f74446d52f2c962fbf

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
470KB

MD5
61669b7c6a24a473e566c6a86aeeb3cd

SHA1
77dcb8ae222b0c33dafc3281095d605b6611e3fa

SHA256
65c504a61592344cb41020b3595017eef81a7001b00103ab7ab1253dcaf58948

SHA512
4e4680c241fe8c81316551c0828f9d6f09ca7d995517620b829530df5ce6d77b675dd3352ba2d3db61ac26ceba0d02617324da869e7a3d7b425c89b8cad51170

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
470KB

MD5
ff4f345994828a87f128068c4d93735d

SHA1
df88b4b052287b2416a3bed79a43c89b63b1a981

SHA256
4480860c29125f75a81292601ea6a74652c896737131399a1ae1cc818cc0a021

SHA512
7b3108815487b9514e26514a45df46b6c740cd252d241b10bf3d637a317eda7459556aaf3bff64a60c1377a56e5c1420f54de9fa8f68c7fa129c6635ff5f1385

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
470KB

MD5
8dd40336c6d693efd27197f22515dcfe

SHA1
704ca240c2b6fbf6214e3e90aa162f77f37036fd

SHA256
71496ce1864492e4070a397f8d1a22cf5dde47e2400c1007c6092e6616188a42

SHA512
c510056dcadbb7be1c153341ee797db07e41eebb655f7bedb493ec875bb3749bd0ac0d27307d857534c473a462bca85eb39c5ea9d0415d47d933d65230fde079

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
470KB

MD5
ff64399a69ce453ba5b8377dcad5bc95

SHA1
6113200212df0fbd2f68a47fb3713d98933b8882

SHA256
f4fc1cbe17d051df6c8f35005ead57b887a4e238e7272f22e8bc2391ba195033

SHA512
26f753c2354efc488ddaff06a5e3d4c9e979875fb152b5db28ae74c0d5c8d10c2f7cdf04a15d7d342bb825798cba1ac7461c343db34a0fec5bc5929372fe67c4

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
470KB

MD5
22bbba7df67ee23af0d076b305bf7d9a

SHA1
ebf8f596620e933fc8b731c632963e3d41972b1c

SHA256
eb0ea2e4be29b953f4772800e58a4e6dca83449103c8e03f19035ba72fb6ddd2

SHA512
b92fbdd8536443c632dba4b5df32d3b4d1c583f61c35b0b28cf71128a89eb8b09b8cc84d494b9c4ebe3d520e25a9b5d6308bbee14f0e4c10a1a77d4a4d2189c2

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
470KB

MD5
a73fa2accd5828b94fb7bba3a014a24d

SHA1
a29c578a2d0a8c4a666b14db08ac1a69091dae68

SHA256
a02543627962264120e4905ec9d20600458dbdde5bdea4d889aa71b287822297

SHA512
4d83c5e835519ee9ebbbfaaa4fcfcc701316648166f8ca1e517294753fdfaaee369f21cd403d6009b5cb3ceda4112421b9c6fcdb4db1a986f89271e293d2f629

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
470KB

MD5
042ecb0cc7852907877f500054f206a3

SHA1
bfadc25ab976d24c7d47ffe96c64d43277264ee0

SHA256
3c4cb040d214663012db5ea4c54375c9f7c7f01c5b8694f81bc1761281afe1e8

SHA512
d6e479217a2908b43f6f1ab12c8d8762627501bac57719bf4ff560178b359222a7675e7fa2acaafef187367089e8e46ea3c1c3715cb40dd3ccd9d5f47ef5b490

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
470KB

MD5
ed451647d430d6457511adb3f10ba940

SHA1
18952b8329952ac7e702424cd7cbe04f44aafd80

SHA256
47ab2b0327748bea270ec462f6217013f98bc209b2a7453b2358225b9502db30

SHA512
3b0a2ea2b2463be3441a29cea0b5a77f3c51d3632ffb3c74b64a199efb7c062174b9f330ab91345f6148fe024b43103ce09955edc11bb49ec9603a525b893f82

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
470KB

MD5
48518e9d26dea9025bec13b6702136b3

SHA1
e1cc8ed14bc37092401e24947a8cf1cf2a504bd5

SHA256
4ed863c35f54618a0231e330286aab55be7bd39083045609e916e88dd0941216

SHA512
df3b5adebc7ac0309531143b202ef361f6290895267e13a855e19a377c3f31e815568bc727584c43d6675eac6a0605fe3cf3f8cd49bc2bdf91286085ab0717cd

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
470KB

MD5
944fecf4ace8f87a47b2335634cadd63

SHA1
2d496669e089156922d3a2e97f06994d858d26ff

SHA256
5a1584a840cd84017a5f8d0982fd7a3d51a25889c8b1dd0a5ac4ca358c0e738d

SHA512
a39fdef78697758ecdecfe34d3fdb71a6e794e755640321c954db9025920fc59e380f7a83e7f7610d705baabaf8217a761aff2cd8b60280478dbb8189d104e55

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
470KB

MD5
a6d9dbff022a0f45f92315fdd18d0668

SHA1
cfb3c2561469a7e74683f184d2aaa06c1419d565

SHA256
0b4ec4251becfcc7209312e377be9e47feb15c17257c9233df376197e158ffc9

SHA512
5abe17136d6e7c365e71c8b6f743502820e6a82588e93b040ecde8f9c6526d89dc7ca463a3cb3f912b62a552bc455e699ff800e15205737ee542101c519d008b

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
470KB

MD5
8d789fb2341176a8f5b3452e22402c96

SHA1
054c82a650d22ab26a3ffbd1e713ebe12a809f6d

SHA256
37e77820aa49adcb1a176f97db42260b79ab739838cfc6488872251bec7e9b63

SHA512
bbf167348cd5482d2c0a46b553979103be72bb9a21a7da66fb43900f7030be9eacbc01496ece8eb0b760372a39ca68f227e642192907d574be7cd4bbbf1e5785

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
470KB

MD5
b0f4bfc24b17f98a2e445c5e4bc66943

SHA1
decea062093cde7a420cd5b7f970af6105fe11b2

SHA256
57ed030d6b1b0bf812468e75e760ad08dd6d8bb8f992d92142cab347b9d604f0

SHA512
23e8191d538c50f57b03f1dd71be5e1fb49571ab20b7691a32d3c2819bd67bb15b444a84cfb544d20f8bcf6573e41f2b8316fa379fa9461e2b2a9bf342768cdf

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
470KB

MD5
78f6bba75e1257469ad58a57ae4998cc

SHA1
3b0e15ed08b9572dac63facb372c6a9dc2bbd93a

SHA256
7954c8efb16e39c0ad30870bd8238b3c16836836e89ecc5a677650fb74ef4f7c

SHA512
11ba1ee2cd6cbeee54fc746b8cd8ea6d1b35e5e88338d21330605c73e4514dce254361fe338dca0ae8a95fb7b8234cde1cb75fdfae780318458bfd6a51d9a608

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
470KB

MD5
8339df437e5c965b2a07fe0be6df562a

SHA1
b7314352f17702641c130b35f432a31715282d39

SHA256
612fa159d89779ffd102d971ebd0ce091fd8ed9f8cf5a39df84058d13664da00

SHA512
90ddfcbbff65966d12d062d1bf24d4223d90465e238fd0d631977dd7e27579da90d4bbe0b160159236c80128a7872f75e02f523b08ab7554fc8c9c59160f8b55

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
470KB

MD5
0059fa3d4839fb413533e5409c9287f9

SHA1
be668014af28b654ad7656d75d4753e60ba6c837

SHA256
945a29dab6978d4ef3acb087b95ec8f6fbe565d3d2df12490f9dea0e20c23636

SHA512
1fccacc117533e4f059df4687773c4a36787928c9f84dd439314ea2c084718696894e4bc7e7ef9d2223836d048b5760f4cf1d8c6783d74f119c293176a002e0c

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
470KB

MD5
07f23980705f27d6d26a2b840ee7ff28

SHA1
3355cf4172a4ca4684542f08c66d06650be8bc4d

SHA256
5728364bdc89303abaa2aa41af563e2b6945a054eb6025114fbd9a080715bbaf

SHA512
a92bf6df7ae9f1141ab9614b1fffb4aee92795933523a58b3ae6253c0ea667a2c7d059e7a15e6447a17f0060b8e177cdd9e6e2520b5be3ee4b26f53589549615

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
470KB

MD5
b118ee9d4b567524f65d4f98af1c7b82

SHA1
eaa3d60404482965ce16205b6e68023f84e8b301

SHA256
54b67d1a239c896d70ebc590760ce30779cab4f468773b26ed2c2d2201f6ac27

SHA512
f9e4239a6e4c839bad6d76c31fa938898c31c8974c8a74a7e32d032d59f89625beb3f3b3e3eff1932d1cc59650b969119f342ad0521c47875f5a2c6baf766cdf

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
470KB

MD5
4af5bd32913fc8468b48691ef7fa2bfb

SHA1
71f2b016b27f13e680f7ad44663c739b4eab5eb9

SHA256
47fe1f9d50b49dab0f069bca1d036e4315283de57c7d703816168f0f25b21210

SHA512
8935bfd12f5a82a7a881e1a0e6de362bf189717655bf37fddcb99659447001ac54f32f04d274ed514ddd0fc82c19ab1068e668e6af4454c85848558001ad4b59

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
470KB

MD5
79eb1006575d86183a62e0e22e4f788d

SHA1
3b0f7b394445404fe0a2dc887b4d54c0013b120b

SHA256
da6f53482328b98c445ef39b8025a8db20f4f63b778b8372b1806647986009f7

SHA512
9e3494f88397010d71d7c7d9f70732fb279a089eb2c2fb1e948b373725c67f750168b1163be3c11991eee064d610c8313f83c0bd8c93154338d1fc9233c2aaa6

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
470KB

MD5
cba03f7e55ce021c2bb8685da16a53b9

SHA1
d7614ecc07c047734c5169ec45fd34de027210dc

SHA256
0f3d4777c97d5536f326f4ab1df9c55bed5d53f3235c8742979f6d5dc0051a3e

SHA512
e9ad28b01dcb433a48ded77f84a7e4642c2e157213ff7e8294b25d2d7fa45690383e24cf488a3b7d94db1ed78486f948596c9199172b500ddf3cf5106a23220f

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
470KB

MD5
37928018a08249b98ff4ed768a7bf2d6

SHA1
35e5cb1a2811bd8d5640ef972a77b47786dea58a

SHA256
1115a32a86e3106fd5e85eeffcd76e96339707c0000cafdbe4da32716080900b

SHA512
04c53c734694578867ef654f5b5909758a95c45736fc8c0562057e23946635de25e9a411452bc6c3b086c625727a4efa63a6d77d79ee431b88d48e2c0a914945

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
470KB

MD5
222aab6549e63ebaf4dc046c444626ac

SHA1
d26254111ea7db063fac3b52e940ef1d985eb93a

SHA256
478827982532d326bcd65a6c18ead937a3b102f336e988cff101a877be557156

SHA512
52b7c3261c18e9a9e974154242ee66c714f539d882edf5e2ffb3ebc6fe508857e360047a98b370beb26ca66bc9a1f4a7d6d07d31af144ea952a7377f195a0c1d

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
470KB

MD5
509c14617102ec4389223304af3ba5b2

SHA1
a19416ae2d06c5c15b1696044e09aa5f4d7f3261

SHA256
90ee32c87ab6a73df03d3790b0b5a368c79314773d5f9c83a523556d4963ff5c

SHA512
adcc87ec53a83c036b7c3151db1a9342d1880d09fcd8db92840abd77f563fd09c7f7bad8e1c8fedd7c096e7796bdf19e66278d952e479e64fb46e3967934496c

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
470KB

MD5
b22646c5696a53227ff7d150b6c461e7

SHA1
c35ccdedaec4cc8072c40a31eaf74087b9c00ff3

SHA256
106e813672777ee933c3d48ea65b1bc5a75a0f7b064e05c5d83a14cc32ac1442

SHA512
d169c44d4e1e5f4efdb455e37d9b384ff5d12bd6f4ccb2ca4a2808b1ec806778e764f5af428648c828e8052db389984d6f5a4fd5d99f982aee1bcf962c35b9e5

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
470KB

MD5
4f1df0fb09f6460619c848a849b57928

SHA1
a238308d202c3b4501d93e3d63bee6938e49d1a6

SHA256
497e19b1fcd4cfd4166e92bcc203c7c6316b90eafe33bdb0d4b0d70394168295

SHA512
552024460cc2bc2666d90fe5ae3fd4a38760494c5dfe07f38d2caf498211b75ec2f95153ff2f261bdd3021ef70091654c706550c82dd17bfb00e1a391e5c1f98

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
470KB

MD5
2b91c1dbe22cf986be1b8984e16d3fd5

SHA1
9dd9a2b0cbdfb69aaf40972cc85fab47c74e079d

SHA256
0a5038a382d304c6fdde295b991a87153efc3abe3b73555c1fed71761611d2f0

SHA512
e525204e89eb453a26310e37db802b5301d754e4055aaa8aec542e01c95a55371606d5f4e19571464774e51f4fa0a9a83d29c8b927de3c1098bd3b97a62a4a2e

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
470KB

MD5
5c3e351b9901e994c44f2046ad96a616

SHA1
ec97e8211bc875b1ccb070b16fb415b6922373f8

SHA256
fa99a187aac1789eea8353e0aba0b223ab2b8292702d47e349c5d83217e74538

SHA512
50c0afb6ede8d57de02393e447ce08d4ccc501776c6a2304785404de83940516c7fefa24709a084c4a0b9f1e7853df05d07f9ec9d9091530ac7aa4ca7796c2f9

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
470KB

MD5
d880e990a3630fa72628ee74a1a17891

SHA1
baeb8d8f83eade0c9ca350eec84470c01a4b4069

SHA256
61a655b559082fe87ffc1dd2a14922cc94b4930d5317886b201e68ed331954a4

SHA512
0c8002bfd0b4874d5571a40ffca794ef84f752a420a9978e1e1903e5d1746879ee97559ed54cc4b96610a93eeed0562667cb43314070ae89eab8f70d3f6dd791

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
470KB

MD5
253b3843999caf1a45925cf2bf159023

SHA1
0634d2d0d0a25bf232f52f93a8ccca088665a99d

SHA256
354f5ae19772b47071e7e47208d6b9f28c0af45b80840a89e041740584ebe0a1

SHA512
b9b8fba5d796f89766c52f07f9666248e48fbd48156910e84b29e25eb3b379cf5422bf618764c7749ceb5f642abd3eab7df416862e5cc3d53783a81da5a6ebba

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
470KB

MD5
c87e3e767b5a0ef79e3c0afc5efc3680

SHA1
0aba1004f3cc314a56c0b39eebc595c182081467

SHA256
3ef3b4fa623c073143122b188446dc1255e90726b470341aad1bab6f7558853c

SHA512
e503f0164a8c46758670b80f946bbeade212d95660b074cbc99fe0e6f828c94027f3e3c901770d88a2694f13962f756f4652c6daa4ddda1a80acd9fcaf98b411

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
470KB

MD5
caf8265afea99be76f6d45294bdefd28

SHA1
bfd8ef7f1c41b898711a09b5c6ba88a531e392b7

SHA256
8d75ebc057fbaea93d1dd334689e01f36985aa7dc12b7974daa8d4a141545736

SHA512
50dc760a28667dc9eddacbbb7b3b73795384163ef8e0c0d6618303288d9c46c9409813be50291ca2934d011ae3cb1b13335095c0bc1e421729b4d40aa11890ae

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
470KB

MD5
8a07553dc126749f362914269d11897a

SHA1
a110b3faad4208b3b4433a36314f432220b6da08

SHA256
a10fd7e0b75aeb124ea83315232dbbc7132e7c23a39ad6f0590a248a793d7711

SHA512
cc39b33f7fd1dd845eaf4cd48e8310d0299cce8420cebe28f2866dae7f3d66f42487e6fcdf683e42a03c052cd71a72b12abf22e24169ab24382b5b9d1611e9cf

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
470KB

MD5
7201cd6497734b5adda01ff78be3e1e3

SHA1
145cb4903e5c5eb269bdaec382dece735c88b32d

SHA256
0be3c22838c9d9e90f20711e45e19c0d042f08380b2548bd3b3e461830477153

SHA512
da5ca7467f8de640e013d3e34ef70adde7f45d404a5056b42b09e9545ce9da97de61447c39542048abc989b6ac31b00940c812b63268159708070fedc61779c6

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
470KB

MD5
475136bfa59f4bd4e9387631173d7235

SHA1
f81d8559220ed808ee308a0b68623f0d90647667

SHA256
b4ff30cb5e8ac45000bdd550ee087d752e6bd065ac8b6b832766d73da5307496

SHA512
f5ea0e2f8710f091a8d4e3753350b17109a6a1db29e4a3af4d94457c85f0d18fee35f6ffcc28bf97c8be602df1ff178030987652324291fe1c256f0e8abd48e3

Download Submit
C:\Windows\SysWOW64\Oendmdab.dll

Filesize
7KB

MD5
a7899c72ffeef5a2da7854bb4a2d97d0

SHA1
64f1370fb41d5e61614db38a9da35b5a4254bb02

SHA256
0c59a0221a203ef340bf349ee772b79310a94f73b7b714d6eed98dffbb590d9a

SHA512
16a6c4a2930cfec08a0f53a62d7f7c6aeaaa9d77c30547b91e61dcb856c8c60d4cff40d25f3ef5a87e3f86c1b975170edc518ed3c6044a67c442dec87b9dea34

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
470KB

MD5
001d28cee60fa66df0c8b88ed1d7e606

SHA1
6634d4a21b3573946f8fd20447f050862cc2e002

SHA256
798c4f893c54f4ac9ba9cf9a534586311b66d303c462265663d31a6a2b0393b3

SHA512
547a15581662592885a5371015e63f874b8338c162c87d46b8ccbb02c69b1a6aca27d7c93f0f542490341d8cf15c959960e1d0bd24470044a0a49374c4e6c537

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
470KB

MD5
42b5f528ba7026119b65a62e3fd89f65

SHA1
320a5ae7759cfd29048430856fcff6634b70c1db

SHA256
ace81364e3e2d6d11a8bff7113ed57417310d4da05eb4944fc6184421482708b

SHA512
51312973797d2441841c248525ed5159e865bcaec090c536fe966c2ba2e17bb895180f394288f5421d975f366cc3ac58cddb3a4e0ab44dbea2d968ff989cf7a4

Download Submit
memory/400-88-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/664-103-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/832-198-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/840-398-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/864-410-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/948-128-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1084-273-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1104-32-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1104-567-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1228-386-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1284-143-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1284-1003-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1480-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1480-542-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1512-594-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1512-64-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1604-434-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1680-380-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1804-446-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1808-135-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1852-343-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1920-206-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1940-574-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1940-40-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1964-95-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2024-285-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2032-157-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2056-309-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2072-345-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2220-452-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2244-297-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2268-468-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2356-191-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2392-587-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2392-56-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2396-416-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2428-71-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2428-601-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2456-481-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2488-374-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2572-397-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2596-500-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2608-404-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2640-321-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2668-363-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2888-215-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2932-160-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2964-482-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3152-261-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3344-20-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3344-554-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3392-422-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3428-548-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3428-7-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3448-470-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3596-443-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3608-254-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3644-279-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3672-291-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3724-176-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3728-267-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3824-488-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3928-494-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4136-238-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4212-79-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4212-608-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4232-246-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4368-230-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4376-351-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4400-172-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4408-315-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4468-428-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4580-458-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4624-327-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4628-303-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4772-561-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4772-24-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4812-223-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4816-582-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4816-47-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4832-357-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4872-337-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5004-111-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5104-124-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5180-510-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5220-514-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5292-518-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5372-528-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5412-534-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5452-540-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5572-555-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5668-568-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5732-575-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5816-588-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5896-595-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5944-602-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/6004-609-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads