b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582

Analysis

max time kernel
138s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe
Size

56KB
MD5

30c341d1ca747cd3d4bab2a4519a0974
SHA1

3adb7106b72967d205013cac29db4f177a0f3799
SHA256

b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582
SHA512

76cb2408ef855a1adce26c53e3ffdb0cfb781bd677a213e058e4b321540c36881ab5badef94ae644d753923661ab742efac7faeb68e26209b1d70a3764011311
SSDEEP

768:TGOWlxEQUOf4ic68YIrgM1gUK/dabTyhFZC36iQUNbOsiFZfu/1H5HXdnh:TBGGY1MgQOM3yXZCKZYCfE7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onkidm32.exe

Executes dropped EXE 64 IoCs

pid	Process
4072	Ncnofeof.exe
3556	Nncccnol.exe
3368	Ncqlkemc.exe
3988	Njjdho32.exe
400	Nmipdk32.exe
2324	Ncchae32.exe
2672	Njmqnobn.exe
4536	Nagiji32.exe
3256	Ngqagcag.exe
4932	Onkidm32.exe
2292	Oaifpi32.exe
2712	Offnhpfo.exe
1168	Ompfej32.exe
2784	Opnbae32.exe
4936	Onocomdo.exe
2464	Opqofe32.exe
1228	Ofkgcobj.exe
2104	Onapdl32.exe
3320	Opclldhj.exe
1928	Ofmdio32.exe
4444	Omgmeigd.exe
552	Pfoann32.exe
3952	Paeelgnj.exe
3152	Pfandnla.exe
3580	Pnifekmd.exe
404	Ppjbmc32.exe
2680	Pfdjinjo.exe
1664	Pmnbfhal.exe
2976	Pplobcpp.exe
2028	Phcgcqab.exe
3996	Pnmopk32.exe
4884	Pdjgha32.exe
3264	Phfcipoo.exe
3024	Pmblagmf.exe
456	Panhbfep.exe
2668	Qhhpop32.exe
3660	Qmeigg32.exe
1448	Qpcecb32.exe
4356	Qfmmplad.exe
4260	Qodeajbg.exe
3544	Qacameaj.exe
3824	Ahmjjoig.exe
848	Afpjel32.exe
4700	Aogbfi32.exe
4044	Adcjop32.exe
3252	Ahofoogd.exe
1508	Aagkhd32.exe
2216	Agdcpkll.exe
1060	Akpoaj32.exe
1880	Aajhndkb.exe
2744	Adhdjpjf.exe
3060	Akblfj32.exe
5008	Aonhghjl.exe
1628	Aaldccip.exe
652	Ahfmpnql.exe
4148	Aopemh32.exe
3616	Bdmmeo32.exe
4656	Bgkiaj32.exe
2960	Bobabg32.exe
4320	Bpdnjple.exe
1516	Bgnffj32.exe
2828	Bmhocd32.exe
2816	Bdagpnbk.exe
2280	Bgpcliao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Njjdho32.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Bobabg32.exe
File created	C:\Windows\SysWOW64\Chkobkod.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Cggimh32.exe
File created	C:\Windows\SysWOW64\Lbpflbpa.dll	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Opqofe32.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Kajimagp.dll	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Qbkofn32.dll	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Aogbfi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Qpcecb32.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Jkmjlphl.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Mpolbbim.dll	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Opnbae32.exe	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Opqofe32.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Ncchae32.exe
File opened for modification	C:\Windows\SysWOW64\Pfoann32.exe	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmipdk32.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Lnmodnoo.dll	Njjdho32.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Aonhghjl.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bgnffj32.exe	Bpdnjple.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5180	6088	WerFault.exe	180

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgmeigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfoann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Onocomdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbfan32.dll"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onocomdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjceejee.dll"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmodnoo.dll"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4072	4116	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe	91
PID 4116 wrote to memory of 4072	4116	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe	91
PID 4116 wrote to memory of 4072	4116	b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe	91
PID 4072 wrote to memory of 3556	4072	Ncnofeof.exe	92
PID 4072 wrote to memory of 3556	4072	Ncnofeof.exe	92
PID 4072 wrote to memory of 3556	4072	Ncnofeof.exe	92
PID 3556 wrote to memory of 3368	3556	Nncccnol.exe	93
PID 3556 wrote to memory of 3368	3556	Nncccnol.exe	93
PID 3556 wrote to memory of 3368	3556	Nncccnol.exe	93
PID 3368 wrote to memory of 3988	3368	Ncqlkemc.exe	94
PID 3368 wrote to memory of 3988	3368	Ncqlkemc.exe	94
PID 3368 wrote to memory of 3988	3368	Ncqlkemc.exe	94
PID 3988 wrote to memory of 400	3988	Njjdho32.exe	95
PID 3988 wrote to memory of 400	3988	Njjdho32.exe	95
PID 3988 wrote to memory of 400	3988	Njjdho32.exe	95
PID 400 wrote to memory of 2324	400	Nmipdk32.exe	96
PID 400 wrote to memory of 2324	400	Nmipdk32.exe	96
PID 400 wrote to memory of 2324	400	Nmipdk32.exe	96
PID 2324 wrote to memory of 2672	2324	Ncchae32.exe	97
PID 2324 wrote to memory of 2672	2324	Ncchae32.exe	97
PID 2324 wrote to memory of 2672	2324	Ncchae32.exe	97
PID 2672 wrote to memory of 4536	2672	Njmqnobn.exe	98
PID 2672 wrote to memory of 4536	2672	Njmqnobn.exe	98
PID 2672 wrote to memory of 4536	2672	Njmqnobn.exe	98
PID 4536 wrote to memory of 3256	4536	Nagiji32.exe	99
PID 4536 wrote to memory of 3256	4536	Nagiji32.exe	99
PID 4536 wrote to memory of 3256	4536	Nagiji32.exe	99
PID 3256 wrote to memory of 4932	3256	Ngqagcag.exe	100
PID 3256 wrote to memory of 4932	3256	Ngqagcag.exe	100
PID 3256 wrote to memory of 4932	3256	Ngqagcag.exe	100
PID 4932 wrote to memory of 2292	4932	Onkidm32.exe	101
PID 4932 wrote to memory of 2292	4932	Onkidm32.exe	101
PID 4932 wrote to memory of 2292	4932	Onkidm32.exe	101
PID 2292 wrote to memory of 2712	2292	Oaifpi32.exe	102
PID 2292 wrote to memory of 2712	2292	Oaifpi32.exe	102
PID 2292 wrote to memory of 2712	2292	Oaifpi32.exe	102
PID 2712 wrote to memory of 1168	2712	Offnhpfo.exe	103
PID 2712 wrote to memory of 1168	2712	Offnhpfo.exe	103
PID 2712 wrote to memory of 1168	2712	Offnhpfo.exe	103
PID 1168 wrote to memory of 2784	1168	Ompfej32.exe	104
PID 1168 wrote to memory of 2784	1168	Ompfej32.exe	104
PID 1168 wrote to memory of 2784	1168	Ompfej32.exe	104
PID 2784 wrote to memory of 4936	2784	Opnbae32.exe	105
PID 2784 wrote to memory of 4936	2784	Opnbae32.exe	105
PID 2784 wrote to memory of 4936	2784	Opnbae32.exe	105
PID 4936 wrote to memory of 2464	4936	Onocomdo.exe	107
PID 4936 wrote to memory of 2464	4936	Onocomdo.exe	107
PID 4936 wrote to memory of 2464	4936	Onocomdo.exe	107
PID 2464 wrote to memory of 1228	2464	Opqofe32.exe	108
PID 2464 wrote to memory of 1228	2464	Opqofe32.exe	108
PID 2464 wrote to memory of 1228	2464	Opqofe32.exe	108
PID 1228 wrote to memory of 2104	1228	Ofkgcobj.exe	109
PID 1228 wrote to memory of 2104	1228	Ofkgcobj.exe	109
PID 1228 wrote to memory of 2104	1228	Ofkgcobj.exe	109
PID 2104 wrote to memory of 3320	2104	Onapdl32.exe	110
PID 2104 wrote to memory of 3320	2104	Onapdl32.exe	110
PID 2104 wrote to memory of 3320	2104	Onapdl32.exe	110
PID 3320 wrote to memory of 1928	3320	Opclldhj.exe	112
PID 3320 wrote to memory of 1928	3320	Opclldhj.exe	112
PID 3320 wrote to memory of 1928	3320	Opclldhj.exe	112
PID 1928 wrote to memory of 4444	1928	Ofmdio32.exe	113
PID 1928 wrote to memory of 4444	1928	Ofmdio32.exe	113
PID 1928 wrote to memory of 4444	1928	Ofmdio32.exe	113
PID 4444 wrote to memory of 552	4444	Omgmeigd.exe	114

C:\Users\Admin\AppData\Local\Temp\b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe
"C:\Users\Admin\AppData\Local\Temp\b5da0ca6f4a588f3df4e85ade64f183b948718a2ea4c0a9f5fdc820e4780f582.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Ncnofeof.exe
  C:\Windows\system32\Ncnofeof.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\Nncccnol.exe
    C:\Windows\system32\Nncccnol.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\Ncqlkemc.exe
      C:\Windows\system32\Ncqlkemc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        68⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 408
        89⤵
        Program crash
        
        PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6088 -ip 6088
1⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nagiji32.exe

Filesize
56KB

MD5
51a67dadee7632bc5d8a33ef89c1c5f3

SHA1
90e5db68aeac98a7048f681f0ee7bf309b6dc3a6

SHA256
342801c1983a71bfc2d2375b90bd6b622d8db0a6b24bb0e05361bdf343e20e8a

SHA512
00bfd75cb6373c0b8d2e73373a75c20d9d2f71bba70beaf14545dd293ba306e66480e22e8ae8ecf8d582885cd506fb8b99882a2d3a88d7d6a168be336ff68014

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
56KB

MD5
6394a6c56fafe8c886eddded63675ff5

SHA1
17940a2e8349941b122dec86d19bedab78dfbaf2

SHA256
d37886291a69e2889985d1ebad850252e19f5743806f152ae6bc9d8072ee82c3

SHA512
5713ebedfba54c93faae4e8782a61fc6ed3616d4d7cdac8468a2deaeaeb4d99313bdf164ee9522ac879c41c9966a42ed5481005a8a0cb1cf245157e19b718ab3

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
56KB

MD5
0dc1a8b29f7d3ec33360c14a29fa9148

SHA1
996d086ed29c1486166a87c806ccfa2b5f507533

SHA256
9c4e240013e88099d552c247d4b3ce4650c308b0fc83b61b82556030e073d5f1

SHA512
cb3851464d52479a88571eb3060c4c1b8854f9101c62912464c24bc1554b2dc148bed5daaacde94f6ebb89d17af08b361b0e89741ff85877b7ea323717d5711a

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
56KB

MD5
ca7708d38bdec1c76428570960ce4a96

SHA1
439123dc0fabf14e73f50a9e11b852092ab551e4

SHA256
337168389acac33ad0c19c8838493be77d7079ee99b4e938844962d6787af2e7

SHA512
ad8aaf712d572ad63789987fc9d99ed3adfaec1652eea002f0a547e3a2b0387d43559d3185843b097688377d17525c5ae52e0bdb4e272ac9f88d3247d26174f0

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
56KB

MD5
ea90db14d1433af9f6f790be80bf9995

SHA1
180ffc83963c51b223a3141ee8a4117057eba7d3

SHA256
5b8e8672464c66d44cbebad92fd2cd60377eb168249bd2b71156e3751ec3b246

SHA512
b619f4f9ae6025f0332ed45171383f2f6496ba52a31c6650a9a74f83ff76ababd647b07c4eff9592a7f7601b123c363c88adb028f68e92d0a1d866aa54abd3f3

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
56KB

MD5
2d91557624abe7872e1847d02388582c

SHA1
f49631ff34fce01c9dbc25dda6383637760056a8

SHA256
323acbb718f34d1b14943ae7f9c0ca7bcb9e8d1e8fa4479d0d6800e771069169

SHA512
c04229732769ffccff477818eab2568d5536d059731359756f74ff1e347d1e9e8f2754482ff4c1f24118fba7a9fe0cefa9726b4494d6d8d345e1062276170a0f

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
56KB

MD5
4a0fc9578ec36533c78b41e1a3a0b8f6

SHA1
8662129d3912909269afc6ffdd78dbaef4761001

SHA256
1bbdcd744d16b47ca501e1d63e03dc9a202deb0ae015b3705283a623df62e1c9

SHA512
dd1727d7523e7a28906528c28d6945a410065e98a6f0c5364db67545a089363c114dedef39949db131e25c67a429beeaac839801f3c297b4c0d28380d81cbdfa

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
56KB

MD5
e096239c25ddcdb732b964060a28a169

SHA1
d1ddde381c05573e081ded8e765541ba63bc8687

SHA256
ee7cd3a526c67c6b4e00c267421184e4d8010af99d51632ba0affea2b067bee4

SHA512
02c7dfc62563e1f130b370bbe0898869263a11aad57c72ecd6b01b5dc060b11042e047a4272eb1e111340fbbc3b9d988f0a376372e84adbc064c32adef5c6127

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
56KB

MD5
c0345f4874245e66f82e860814d7f396

SHA1
9d36bb1aa0c0b7835bece3ea992a61e9ca50d46b

SHA256
5024e9e826a72f114be9282ea584c0c240da0bf099d1e71dbcc1f9dd77031817

SHA512
0f0762ace7ec330e2b7abd4ab0e6bd3cd0134872f8aebfaab7f098650ab9d300609606bf1c262b1eec0d2774d6d4a4704c611bc035ba29aeec4612749af29b4e

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
56KB

MD5
7128804a2e962f7e9bc3191f0f1664d6

SHA1
a186e3ca67524f1d1f4f714cf5251cb97da56f4c

SHA256
a1df9a02894078eb66c4a1239eb36e07fb3e1c68c86845a6fa1a7a2995c81a43

SHA512
4857bb7c16afc4d6c699dff1f32927ac0c6346b480fdbf85e634813c29f59eed5a5023e2f2cc82f967d69f6dbe6f4d8b98f543ca1ba045dfce12ffc68e704847

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
56KB

MD5
42908862103286df7327ff7e71c1caab

SHA1
3fcbcbfb02fe4cc1ddd1fbacbc8348843f1b1d49

SHA256
4d2eebccc94a57d10509a00f7f1d118b34e60e9e96cff4cfa2c10e8c23d40e4b

SHA512
315d7ebcd7e6b8d5c47c3b0d0cb5ccb27c0184896c78f7fa7e4c2a53a5c89eedf1f8aa59e5be497b988c82e85982f6bc103a21e80cfa355c8bfa7d905fbb8021

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
56KB

MD5
3fe0203eb9e64095d0a0f5c022518e34

SHA1
b5ce999cda7a2192d03e78a8e7308230f0c90451

SHA256
7cf0c8459ff1a7ac657caccc1871469500342bb440c9b638cb267835cba8e194

SHA512
e88fc9a9115f20465267fe3e2b034efc7dda48bfbed076040eba78f64a3865937708637d3fa4fa2ae75e0bda0c4b258ebe4410d564bfe35f92ddfb5c7eced874

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
56KB

MD5
48cef043c4842a64e0d4ad9a41804e79

SHA1
b570e5134b6b654555d24e416435b4e0b3aea421

SHA256
33c767a89be30b0559522462e08f1c83ff32ffb07f6643b95fbd047e354d0f8a

SHA512
f397fc5074684004afa6982be96f9ab0ca9959ce2ac38e19a5c1fc43f294926e60b395e6c1f0e92c3d51f69da7d17919a431d97dc4993a00e936170feb4b4499

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
56KB

MD5
83b075c9bf8c8ca97e211d9ad60306d6

SHA1
7b843f21362f087007f3dbec3b3498b5dd0c6678

SHA256
35574d863dd9e2da14deabda8d0c87e2d87140d68320bd24075a90b836b8943f

SHA512
b905936fe58b1744195138f1568681151f14cf7e51ad593f1f0e8ea7d1f4db7c288d8fcf57c093910684d894e40f38fb2ea476f6318bf948c0b394ae371d61ef

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
56KB

MD5
1774beb1314e1de764d15ddc4d4a7ff7

SHA1
937a1ad7f5a7275f5a035cc750668831d72eaa82

SHA256
2551fdfb20e53e8dc2872ae99646b048681750f1835997225a5903e339a0a80c

SHA512
b8a45ea7cadb4593603cbb0872aa7c8678c9b919fe56d303f7b6acd2b88c75637c21a0ecc35e7c6a873e9d130c57e73b6b11e6c772ab26dbc2c20a8443291877

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
56KB

MD5
8cf5ac9bfb08f040f278d10dd4c32e1b

SHA1
b323535c1a08dca6050c318f14f08878b78ba45f

SHA256
a5dba3fb138a8efeb1a3910b477cf0121b69965e6d71f94438fe8966152aed23

SHA512
a1b9bbeb99907cc8104c82a6f5393a0ddeb6f4483379cd0a9bd127561908c758b4002aa07a76f5c4924ef35db7cb5cf050f30d58de91424749fdcbb7ba67d29e

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
56KB

MD5
e3ef09b0a2fd464cb05043bed2a334d2

SHA1
c014295c712b88c76f078b3afbc4b91941588658

SHA256
cb668ffa0bf32c9b60293ceb938875cd861cc7bee5400e89215cbbe446098d22

SHA512
09e7785940e2060d47fdbc0d8972cf75d16271407c78b8922839c0bafdeabff089b2db836f5d66a66c7fa7fdddf41903250852f2adfb186c067ccbcffdc7128f

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
56KB

MD5
993e907c23e7db15e9b0400c42ef65bc

SHA1
6c8d3c1dbd6b1228dfb01494ccdec060820dfbcd

SHA256
d546a5101b6686497531b556df1592297bd731e13d026548d3587a4f9f02b47f

SHA512
1755a28e652b1db8a03cd5c096edb9da5d2a286d06c8f66b7fee558300bacb4684bfcb76d6ae86e3a27fc5d0ac880a2fee33a4c338eababb6083b9b56331078d

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
56KB

MD5
0584e0a29ba78691646ce69d1c96f1c1

SHA1
954c38e882bcd79652fd30f46d76a76108ac283c

SHA256
49b36409e38582e15fdcc68adc6582453a34c259b02c3eebf0cb2510c6870c91

SHA512
ed012ed245e53c6f5009946c3c46063b1f639bdb3b677ae7933f5ce90342ca57f8c086261419f27a221f5984997faf98f2f8e5fda99800caf5cbac4fc9eff924

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
56KB

MD5
ae3a337e5fb60e5b73677fdb45b55108

SHA1
d5f61a3b8228fe3280bc3de7cc03e4225b5defd0

SHA256
979830088933ae1c274f7012dbc5ccb01ea30d3f3f38781115a9b0f86f954420

SHA512
13dd74acd93cd11337d251ee674e49e72bc4191709d1744e70ec7e6774ac659197305bb0cf7a3e09da4cb0952ef7689ccc97416620f908abf366fadeabb994d4

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
56KB

MD5
9ce12a6dd9d92cf7cacf0fe00e07e94d

SHA1
0e398c28ed01d6f9135f58a10889dacfdce9ac84

SHA256
34c82d3b1d7fd4f35b7bffeeba32cad27d4cffefcb26ebd3092bedd28e37dba9

SHA512
db74cfd88070fb75708b4221f7ef1250a9d6472580bfc230f8203578e9f628c404ade3420defdfdab2aafb2c6fe9690d5cd0883cc716d0145f4273eb04682e84

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
56KB

MD5
d07b75bd625d734b1916136b4a6e3c17

SHA1
64e5a22eb76979c654754edef86f3b1873e939d3

SHA256
213570c7aba01fa5cf54b347bd66342dbd68d7c5bc49061b2e821a4b614ca0ed

SHA512
9b04e122715094bee46d2d4d877cd27ca548b98a573bed98fac7a89a8ecff69ace04f226227904693adabf6a26bfd84df9d4f3730d3b07d594f3f7e192946204

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
56KB

MD5
4f780bd771c10ee262560c7e24954b0a

SHA1
4d4434a6be2757a76bbb10b8c87c9dd65b8d98f4

SHA256
934b5442f8ef623fa00c2c8ac9e86c96ed4612a45703da7642cf231f4ce3d925

SHA512
02ce701f355d4c474a3bae3ed0fb22b9316bd699490302037c55c584e9573bcf9713c6c204cba6f0df33a8aa66e100da86092f731e64eea74118ad91606e72ec

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
56KB

MD5
f44399981fcf25a72380a40826135b78

SHA1
e34d6e05bad0cdfef57c84f026a4736dba622c40

SHA256
1f2a205909352a121832066a9274e8b6cbba40b47510e6108c79e275a6835974

SHA512
50aa0268bdfdd4b93ca96f3c7e5fb4e7d9f69e959ccc0fe25cff13bc53d51ac6bee968f7d882f6b85939309bd96556c34c936350580b3f5dde3b458b70192a52

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
56KB

MD5
87b8f91b6e5c33efb79afe50a79c1b13

SHA1
688f778cc041b863f6787e8e7c07410ff1f536d0

SHA256
0b127a6cc6019bc2192f47d654c03591c7373f28a7b1b511ae99713d1056a3dd

SHA512
876520d979169c7c684aa693acb994424c95a95cbb43b221ecaf79cc7803b42648f56dd81f2e9788db653b86bf896b956c844fa66b1f198fb91ab409db2bcb1a

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
56KB

MD5
d634b43defadb3c528cd879dde86d377

SHA1
fc98a486ec5783eda2c20de3bb2163f8ecd0e6fc

SHA256
3a4649b06a6a858688b62831c1d99e33e946154cf120be4cc603c32b2ac37ba2

SHA512
6f8fdac87a17ffa94c6cdd1b34e272862ea9867731454a76a552e2500de6e396ba7873ada188a0b10cdf9e9ad2fed84a829faa4cf1f7d7bfc1c7fb33ae418758

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
56KB

MD5
b90a706f17db772f9feb339ab3042d2b

SHA1
897423401cc5389400bd5ec1128e9c083adb0d91

SHA256
98f1712afe2fb7f1b735a0fb08497d960bd0df4675f7597ae6646b03dec7fa1e

SHA512
ab372ed1abe81128152815675a7df5f881db4394752ed78241152cc182b3024c1399e506b18eb846133e732d8a0b7657bd985e054a164df2f55506080741fa60

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
56KB

MD5
2d6b93f8cb47c9f32db4593ce79a06ba

SHA1
8012bfac41781ca46c7630c0f82d7347ec570d79

SHA256
dfeccc682a7cca976759b76b19855e0209c2bd5dd51cd709f25e56399d018921

SHA512
787043e0c7566a01e989e5b99667d459601488875da26569211c32ab73b3c1712c5878cb156e5fa5949df09f95e9e35e7fd6487f4239b5dc6878adea735818a5

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
56KB

MD5
dab9f7e0201a88226338ad5cf4b65caa

SHA1
d1057be5ac844bf3046399892520142b700fa1a1

SHA256
752d376caa5a1b1f85d0f85ef79340fd513e75aff853bf8357f080fcc77ac03b

SHA512
77f7f6099c870953122ae87ad9ebb0c6054d5c9993b45084a56bf2ad3cfe5b1b77426914a48bd2e275f2dd7d8a2755145d6f6ff544a6636fdd30dc2920238254

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
56KB

MD5
e5e7e6c28a4049617508fa9eb98253fd

SHA1
8cb0cc4f67b4b90e9e67d7f706e1bb0433d9da99

SHA256
59b8a1dd92508d0cf670fb5254043334357efc2507e7e217089f40e9afbe8798

SHA512
ebf7f096e0721ee8b36e5e80fa4760271020c362d0b35942dd888fd3184ed1f3d8ed9f1a684b36b5d982833e9bba0849f5cf951c722e44914097ca4c12094452

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
56KB

MD5
4730205809e9db8ebb65a7c83e49f605

SHA1
48ff370284088525bed6a552730d71c68ca48a06

SHA256
e0b6dcd00c0de56ad3a2d57e1006daa5fdf9c8774c25f434c2b0cfd8a6cb47d8

SHA512
cb9e54ed0ee74fdea5e6e67c30d0d1fa0a91aec4d41d9fd6742f632218750f07c3d49f8b7b67a61ecf99e43c76e0fd04bbf2e293624de7e74c00f2946a55ca14

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
56KB

MD5
d74c12476292ff87e5feb40b14978e25

SHA1
7b96639a958f8a6a7755bd136e37dbca3e5f31a8

SHA256
90a5bf0899330d3ae2eaf24623e346f0a7b54d9bd0b7ab0e306ef2cfb47a956a

SHA512
5f1c5ae7049de48df1468dc8ff787691853696adeb2e7f3bab97cc9ee3105db4d5504c0d761ce5e24d3c95c29d08e0c78172fdea07f4b3fd50f796db9b5f982e

Download Submit
memory/400-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-664-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4148-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5148-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5316-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5396-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5436-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5520-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5560-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5644-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5692-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5732-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5776-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5816-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5860-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5904-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5956-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6000-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6044-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads