d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 04:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe
Size

64KB
MD5

26afcd8f1772a491d136587b7f57b4a8
SHA1

946551a067c7673aba9a4d39e0575a28ff6396bb
SHA256

d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c
SHA512

2a5689fc5d08272d0010cdd1ed63793ce07194202b6f66f0b8a51b33d90aafc91575b91d79f7d05b7a66730bab7f19dfdab226910c1e0e891430a3e01a8a31e6
SSDEEP

1536:Eoul6VQV22o2bRjRzZMuiHkavVtKLWJivl7ly5VP:EHVprFRzZFiHkavVPJivl7lkt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe

Executes dropped EXE 64 IoCs

pid	Process
4504	Npcoakfp.exe
1012	Ngmgne32.exe
4004	Nilcjp32.exe
1708	Npfkgjdn.exe
1108	Ncdgcf32.exe
2312	Nebdoa32.exe
5096	Nlmllkja.exe
4660	Ncfdie32.exe
3752	Neeqea32.exe
2656	Nnlhfn32.exe
3452	Ndfqbhia.exe
924	Ngdmod32.exe
3468	Njciko32.exe
2712	Npmagine.exe
580	Ndhmhh32.exe
208	Nfjjppmm.exe
4864	Nnqbanmo.exe
656	Oponmilc.exe
4808	Ocnjidkf.exe
736	Oflgep32.exe
4516	Opakbi32.exe
880	Ogkcpbam.exe
3096	Opdghh32.exe
1320	Ognpebpj.exe
4512	Ojllan32.exe
5064	Oqfdnhfk.exe
1984	Ocdqjceo.exe
3492	Onjegled.exe
3176	Olmeci32.exe
1628	Ogbipa32.exe
1384	Ofeilobp.exe
4484	Pmoahijl.exe
4876	Pdfjifjo.exe
1976	Pfhfan32.exe
4016	Pnonbk32.exe
2912	Pdifoehl.exe
5024	Pfjcgn32.exe
2216	Pmdkch32.exe
2008	Pdkcde32.exe
2748	Pgioqq32.exe
4112	Pflplnlg.exe
1764	Pncgmkmj.exe
336	Pqbdjfln.exe
232	Pcppfaka.exe
2292	Pgllfp32.exe
3220	Pjjhbl32.exe
384	Pmidog32.exe
2316	Pdpmpdbd.exe
568	Pgnilpah.exe
2652	Pjmehkqk.exe
4488	Qmkadgpo.exe
4924	Qqfmde32.exe
4860	Qceiaa32.exe
4868	Qgqeappe.exe
3664	Qjoankoi.exe
4964	Qqijje32.exe
812	Qddfkd32.exe
3984	Qffbbldm.exe
3068	Ajanck32.exe
456	Ampkof32.exe
3400	Acjclpcf.exe
3192	Ageolo32.exe
4252	Ajckij32.exe
4776	Ambgef32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6360	6248	WerFault.exe	226

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 4504	2468	d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe	84
PID 2468 wrote to memory of 4504	2468	d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe	84
PID 2468 wrote to memory of 4504	2468	d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe	84
PID 4504 wrote to memory of 1012	4504	Npcoakfp.exe	85
PID 4504 wrote to memory of 1012	4504	Npcoakfp.exe	85
PID 4504 wrote to memory of 1012	4504	Npcoakfp.exe	85
PID 1012 wrote to memory of 4004	1012	Ngmgne32.exe	86
PID 1012 wrote to memory of 4004	1012	Ngmgne32.exe	86
PID 1012 wrote to memory of 4004	1012	Ngmgne32.exe	86
PID 4004 wrote to memory of 1708	4004	Nilcjp32.exe	87
PID 4004 wrote to memory of 1708	4004	Nilcjp32.exe	87
PID 4004 wrote to memory of 1708	4004	Nilcjp32.exe	87
PID 1708 wrote to memory of 1108	1708	Npfkgjdn.exe	88
PID 1708 wrote to memory of 1108	1708	Npfkgjdn.exe	88
PID 1708 wrote to memory of 1108	1708	Npfkgjdn.exe	88
PID 1108 wrote to memory of 2312	1108	Ncdgcf32.exe	89
PID 1108 wrote to memory of 2312	1108	Ncdgcf32.exe	89
PID 1108 wrote to memory of 2312	1108	Ncdgcf32.exe	89
PID 2312 wrote to memory of 5096	2312	Nebdoa32.exe	90
PID 2312 wrote to memory of 5096	2312	Nebdoa32.exe	90
PID 2312 wrote to memory of 5096	2312	Nebdoa32.exe	90
PID 5096 wrote to memory of 4660	5096	Nlmllkja.exe	91
PID 5096 wrote to memory of 4660	5096	Nlmllkja.exe	91
PID 5096 wrote to memory of 4660	5096	Nlmllkja.exe	91
PID 4660 wrote to memory of 3752	4660	Ncfdie32.exe	92
PID 4660 wrote to memory of 3752	4660	Ncfdie32.exe	92
PID 4660 wrote to memory of 3752	4660	Ncfdie32.exe	92
PID 3752 wrote to memory of 2656	3752	Neeqea32.exe	93
PID 3752 wrote to memory of 2656	3752	Neeqea32.exe	93
PID 3752 wrote to memory of 2656	3752	Neeqea32.exe	93
PID 2656 wrote to memory of 3452	2656	Nnlhfn32.exe	94
PID 2656 wrote to memory of 3452	2656	Nnlhfn32.exe	94
PID 2656 wrote to memory of 3452	2656	Nnlhfn32.exe	94
PID 3452 wrote to memory of 924	3452	Ndfqbhia.exe	95
PID 3452 wrote to memory of 924	3452	Ndfqbhia.exe	95
PID 3452 wrote to memory of 924	3452	Ndfqbhia.exe	95
PID 924 wrote to memory of 3468	924	Ngdmod32.exe	96
PID 924 wrote to memory of 3468	924	Ngdmod32.exe	96
PID 924 wrote to memory of 3468	924	Ngdmod32.exe	96
PID 3468 wrote to memory of 2712	3468	Njciko32.exe	97
PID 3468 wrote to memory of 2712	3468	Njciko32.exe	97
PID 3468 wrote to memory of 2712	3468	Njciko32.exe	97
PID 2712 wrote to memory of 580	2712	Npmagine.exe	98
PID 2712 wrote to memory of 580	2712	Npmagine.exe	98
PID 2712 wrote to memory of 580	2712	Npmagine.exe	98
PID 580 wrote to memory of 208	580	Ndhmhh32.exe	99
PID 580 wrote to memory of 208	580	Ndhmhh32.exe	99
PID 580 wrote to memory of 208	580	Ndhmhh32.exe	99
PID 208 wrote to memory of 4864	208	Nfjjppmm.exe	100
PID 208 wrote to memory of 4864	208	Nfjjppmm.exe	100
PID 208 wrote to memory of 4864	208	Nfjjppmm.exe	100
PID 4864 wrote to memory of 656	4864	Nnqbanmo.exe	101
PID 4864 wrote to memory of 656	4864	Nnqbanmo.exe	101
PID 4864 wrote to memory of 656	4864	Nnqbanmo.exe	101
PID 656 wrote to memory of 4808	656	Oponmilc.exe	102
PID 656 wrote to memory of 4808	656	Oponmilc.exe	102
PID 656 wrote to memory of 4808	656	Oponmilc.exe	102
PID 4808 wrote to memory of 736	4808	Ocnjidkf.exe	104
PID 4808 wrote to memory of 736	4808	Ocnjidkf.exe	104
PID 4808 wrote to memory of 736	4808	Ocnjidkf.exe	104
PID 736 wrote to memory of 4516	736	Oflgep32.exe	105
PID 736 wrote to memory of 4516	736	Oflgep32.exe	105
PID 736 wrote to memory of 4516	736	Oflgep32.exe	105
PID 4516 wrote to memory of 880	4516	Opakbi32.exe	106

C:\Users\Admin\AppData\Local\Temp\d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe
"C:\Users\Admin\AppData\Local\Temp\d9603fb0e2f055aea77838746633b2b386f1accbba5bf7bf70adbd194146c75c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\Npcoakfp.exe
  C:\Windows\system32\Npcoakfp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        26⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        32⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        44⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        56⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2164
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        67⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        72⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2624
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        75⤵
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        83⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        91⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        92⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        100⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        101⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:784
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        108⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        111⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        113⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        119⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        124⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 404
        137⤵
        Program crash
        
        PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6248 -ip 6248
1⤵
PID:6320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ampkof32.exe

Filesize
64KB

MD5
bd49b2970b7b5cd948a8fd2315676661

SHA1
810044f8c6df3aba6b93e72a815db0a30115484b

SHA256
db1e23e7bf6d6542fbf58c6a58bb0fc248e32d59fd26fe693a7eb77e92e37bb9

SHA512
04132c54e1403f6bd43bb15fc19c0221e01fcdfd1940c92fc2f4bca16a332c894ee0d664578ba682b566fa1073e9f85840da642960f9ee1b6f7bd4bb34b505e8

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
fc621fd454be19de9e529be0ef466760

SHA1
ddd8627b6b74573053e0e67f8189d7c4aef8f6cf

SHA256
2e4256b33b20b411e3a4b994c08147a90e21fee5cf5d647c15a08326f856f4eb

SHA512
dba70c844f09fb61a36702b3f66a063e727ea0d7ce38dc1d6e7a7b0488f78341a430f8cda3f2d08d6d60767e6f26d7512edfa97ee738f235c029a0c4dc5f5f61

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
f730f2d2ebe8cefa40350e6130f02d41

SHA1
046129d7422d2954361621969aae6029f01ceb2c

SHA256
6e457e7c456f899523afd84276d1d8bbc0672c6cdae5c2d90b2d60f3b6355130

SHA512
e501b834e1ed2953dd8ed329ff29243023e31af6709411ac0c06cafb69f41802c4aa99a57061eb8620efc12780da691f107eeb379a938c770a1690cf6116f040

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
dfd2953a154ee7da8e69171ba7757dd7

SHA1
b55bd9e61abeed8fb53a14afef5e2236fffacdd7

SHA256
17baa4c6a994e9cec44e421b3ba39aa7ac6e5c4bd72932676a1151e3fe5dae99

SHA512
44a8c252e5f050f927d51056a3c71b65fc4e71d3916616cf4565ab525df8940ca3597c4de1a3802634adf545762ac217aa5535e256ad16b69cf86ea77aef054a

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
4dccbbd9f07b3218d74fb8f57c9f418d

SHA1
3610c28eeba5703058836cec819ba72d1e88eeae

SHA256
4c6f91a02dd8d4dfa70ca8394b4aee13fd1ef873cdfad9c5912fe1cd68910e9d

SHA512
781dfcef2ff36f16e1003ebd213833ad4316bb992cbd23b4ff441b2c62775dbf7e1796a1ad3f51e86989b64779f412412a2d99dd129382c1a095782e13c11e47

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
9c438ac5a2e3b3f6effceacd10c7ea5e

SHA1
a803bfdb5126b727d08c6558bed715ee1860b4bb

SHA256
30d2c2cc0161afa3c495875175724928baf6d67dcfdc1fcde0ebf8a7379f30a5

SHA512
9bcb1778c793f7e22c09d15ee54b308c49fbfa02f49f38a74aa2f914956e4ced8d7dd9738b901f84ae658b528f830926a5356965a06fca6ddfee9caaabd254fd

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
64KB

MD5
c48eb960999814f1792465e16e3e858d

SHA1
106c2dbf47754e618f0c6f89220d8fd94b700b2d

SHA256
ed4b83dd2c56bd2036a438de07222ee0fe95735d56cd4056e856fc14eaf16a5d

SHA512
6bc4798a7ca1a8750248497e88b7dae33f7e64fe32964b6fcaace5b3f3db4183e49dd6cc0401beef42b9a6d94681de39de8330cbcc4858b2352db3917d2c26f0

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
64KB

MD5
7616dc3fefba3915830b98210b456b82

SHA1
8a951a94f0f50b2dd53450b135feb569c15e429e

SHA256
f3ae9acf680c8c1280fd0c552d493877ae5cd3b079b4e5bce9e09393d09181c8

SHA512
76f22172f5cf3dfed90ede11b2d28c01b3298067f5c3555f127829dcae50c24e937aef1d3e9ec28aee3234c6369d8cda762200a2c816a335771df8e42e39c226

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
64KB

MD5
d0d7c70c6f7da7f020924708fe0909ad

SHA1
ea43b457dc707c1dfb6a2966c694cb332a57e9fe

SHA256
0eb8d502205828224a7b73dea531d224fd5536a6379e8530566405e2dab07f4a

SHA512
27561bf25f0598de6e21ab154200cc3adc7b36ebbdf0367c2ceb1554e47a829e580e51479cba2588104cc7631a1ff16f5bf82454feb0887dc339dffda9b8e311

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
64KB

MD5
b050cdbf1cbe15e2c8a41541bfeb0cc7

SHA1
958d4039c8237fdc0de85a9e80650f4492719037

SHA256
f9f220e943d51731238b5bd4c09bb79b3405fadb5704b34ecccd4a221057a84f

SHA512
65efa3162a2b78666cb761a3a85daacd1fcebccfd36a0c455797aa828d1bc6ec911a8f519a5b198decc1821e420be4797d638a5f7789efe2f0669ef2f5091d43

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
64KB

MD5
b881b77b3072c846138732e8c854d686

SHA1
19886e0d44dc1bf9c5fe39dcba31e599d646fe15

SHA256
2e52d28be4b4f8dca0ef8657d7fc7aeb361a32d8af230b0e8dfbd2e1633ab01f

SHA512
b4d23a0d481eccc8e1ef2d6fbf72fa2135e903519f8c47b2452610bc747ecd23ad9ca3e5bd00629e4d668eaea96602137bfc65b7f073c9bcfae4b692890123ce

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
64KB

MD5
681c6b92cad41e01fbce19141144e55b

SHA1
1667be4c942c9863064205a71180bb88542fbd21

SHA256
de1b9a068b6e772aa811428b98708cdd1f174475eea3db4d72aee93461399ecd

SHA512
41334e26e55a4f270f75c66f60070bdd8ac32f8ad158f01c4853778e0bcfd0e4b6ffa7b5a462f8921141f856d6606ad6116307902d37164a4527b4005129a1a6

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
64KB

MD5
792df4253cffefc1a14bca407b0bd67e

SHA1
8e70b82465d1e76009cc9af31318bda39692f9f6

SHA256
0c4f6f62f843c3a8b25caf7e8b4104b10ac588e7e31baeeae9ed42fbcb70f903

SHA512
b95fbfdfa362468fba4fe08d3c385d14c999c68b22d2f760d5db30c31e93876f05de9d859899d96c7247196fac73a8123d7fb8ac0db05f5c8c2a7de33e90dc1d

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
64KB

MD5
b441a2b563ca550e2b9d1e2567575655

SHA1
ace1bd676cac5b0e7c1af37dc6f13ca356b5b0fe

SHA256
ac3aaadd4e7047048b185f92d8245f005ab0f8a09f5f4c3763d54fd33eade874

SHA512
6311e0221b3644816cf7938fc9308f471286db0ad006133f8e771f1544d1dad3d2cb2f6303061d6f897fc886af2430e8713d96a4bdc8c216572e7eee9f9059c3

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
64KB

MD5
4d36beaac8872f509730534152a8d2f4

SHA1
cc8682e5fbcb6280b14bafccb5ecafd57021ee58

SHA256
deb0af7061331ae890e5297a5816e03a4cb5f5c9f30588b0905c5936c372f195

SHA512
8fd9d726fe6587d858a0966fe16b34b108131b9fcdea18f68600e7f46b146e711cb4343b382505ee519ff870422c12fa894fa4c1c8128a13ceca40abc5d8168f

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
64KB

MD5
57057ae579f3ae4b4f796ee9c4aeca7d

SHA1
d99646f7593199168817ec3b7a8dc73fa7e233ca

SHA256
826841971875b1451b820805da7307130ea7f1afd91c7b973bf1bcf75b667a12

SHA512
af3e516d24c82c48f27422f184136356f4371e01181873a168afffb93ee934ce252a67cb3d3fbefebf741db66a16b3477cfd70e202771f6abbbe44b14e6decd4

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
64KB

MD5
6b2f346937bc91dc27eb1e9a614dd825

SHA1
edec27bee41bd5bbeb82abf14d09db001421f9ee

SHA256
e8e0c1a502a5a8b81d7b7e5462c930d497b5c5faad3f7158b0f39f625ebd8a94

SHA512
719bc4a0139bd91ed835bd1fffa6384f9c717badc40fe387fafaff29d5e5b2fbab47ad3292ceb4412e248d071761e57070357e0560e584e732348809d3cc18d5

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
64KB

MD5
17b98d3645d0a54b9567ea631a65bf7e

SHA1
544517eb979e79ad86f794fb8b082e7d4d5db0b8

SHA256
8246ce0a57f417ad805423f8a9acec2f0c0d76934bf5b1ea42f5133762988402

SHA512
aeb58fa6dde5e41daf9fb6b6f26ab3c237b0390aad7ab91ed307e20dd4c24ad3e7c2ba6e5ac85098bd26ee9367664634893b460b557fd7b6172ff7524640cbd1

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
64KB

MD5
e47054b8ae51154e1c5814465d8a511b

SHA1
b6c1ed2a63a73eaa9223c55a617f4704b7053445

SHA256
7e51d91d65803aa554829bc27362861e31d955ce4bc1d12528cddd10a1d116d4

SHA512
67fe94fd28cfa35d37382bf3e328f1ff5d85cec2e6808ab0cbc8f3385da660d5099415ba30bb48d36aa29a3a9aa6db428a167579bd91a7038a1fa1cbc9f49376

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
64KB

MD5
adcae409b5f3e0a577212fbc94718fc1

SHA1
7c5eddbcd075224269f4a79c4cd4097d8cd42c27

SHA256
946a588166b30bdc78e02465a3937da637539c384ccc637b115c792319f0016f

SHA512
6e60c01cc98810bb95722d88e828969ec8e4d1686ff1125df5e97db455ce75f62bdb9f9a98ed01c39e2e476ca27007480cb360f7857f332739b52c43deaf0799

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
64KB

MD5
6e3ee11d7f5cc57665cb6b4e527dd4d1

SHA1
e8ddb24fd5c84ed4e81d16a7bdb2f268a5948e38

SHA256
8d499f16e6e9fade1a2b0bfad2c40e44c673d5ac3c6a0e6376bacd0c186c4423

SHA512
d80306d31b87b16e156d676a3ebecc27c4e9a4664c0d5e3c8ff4e2a7494f95987c8b40651d1665a7e7b5cbfca42e6b3e78d99b466053089ad8db772bc7b62268

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
64KB

MD5
cd5106b89aa10d2d2cc988df7f63495a

SHA1
05a4fcef56a1c00480a8a903212eb66b4af077b5

SHA256
e4ca685ecff7ae2f31a8852965b303e14f891d7dff49512ee0fb5567ca85ed90

SHA512
a4cc2263a0292295deaaf28ce698ed6b1322c4f64ac0dedfbae4645d17b5878d240250332ad67ac0e3d14e6b627c959888f4f82800fd4a4cd9eb9c7b7feedd9b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
64KB

MD5
8116083030fcfd8850ff3553da85d533

SHA1
2a63ac8b50217ab619af67244e1fd11d09c64e82

SHA256
f42deec7e7e72d533ab7ab943055e3070e06fa73fbfb6041835cb7eb5562b5fa

SHA512
602732952f03aa4883f4a873c7f6816f2364bec7678b23e9aea00646503867e0a4155d3ae4fb918cfcddcf047d6f898b2faa15f90ea58ffba2eefefe73e899c5

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
86d7aa2230207f624b4bcab3897d6227

SHA1
558a933efccfab3856746fe2c103c6cc6d2b7d31

SHA256
fff4c82f060a9331cc9065b2b44f029c2f878844228269306646222ced51352c

SHA512
d4c96e98a58cd2f61674c5cc3673e370e612b7763d7af1b16091e206f72afdb9ba8458974759d508c01e7c383fe3a012ceee3743b730f215c86e04d82f66ebc8

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
64KB

MD5
019449f13d242f74bdf2a37a77e320e6

SHA1
77210ec0580208b8cafa55ae9edd313adf0c2be2

SHA256
1b7023f73ade141cec01e39c52edaa53b2647387ec00d1652a059a1c06fec420

SHA512
fe6a6ddf471596bbe7d7e0a106975f8fb312409d8995e0ac17e49b116f7ba84565b3d357d2b78e2364ee08e7d5100ed3345e1483b81c53c95e855613a8817b4c

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
64KB

MD5
328132d4b31560ff5312178cef03cc96

SHA1
b9a9ad80798d7476da2eb37864d17c8a92bff4a2

SHA256
76577c2760d2c5e0e8ecbea80bb0af78b3703f510ffcb3b6ac6e1c84e407409e

SHA512
41c505205fa0db2a445e04b17b71b976a38dd85a70e9dc0e1ae771d43b82d67e24a01c03c557a3d86658b36b9329f0084912f69a6196104f362d6a8f8da19754

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
64KB

MD5
e28419cd97cbe2b62139952f3f132b6f

SHA1
c6d65257f73368abe01f64f37ac1fe3ea0689189

SHA256
8fdd687dd13c60477c884a896e35126630517108cc12a2c162f33345abf0aa03

SHA512
f463ae5cb8fa5ec2b89513e67b39e930aa8e2b66178cdfe75cd3844d8620c5f2d7f3f35b62dc89c6c8be13a80a0f52456191339d6d999f2d2b2ea609fae0a6ec

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
64KB

MD5
cadd08d556c7002e28c389cf831c3124

SHA1
eb4ae3a8d69fc1c264117528a82ef3fa7d2ff569

SHA256
52602e5c471ef7f0f489ca9cf57e4133c729851df91bf9c57612e2683df5dcc7

SHA512
4ab685839cda8617cb89cd42663df217df40570c0bca36d4c92f509586dc677f6db1fa5567cb6345f510741e6a8c073cf3fb09775f719d44813100f26300da38

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
64KB

MD5
73072422c46767821079d758e35df353

SHA1
6fdf2bbd310cbf3034ad9d07793bfe15cedd95a0

SHA256
9a16249246a540d0ccc2130bff72fc4087f197341296ac57d4f9ce37f0d04618

SHA512
83d29edc7bfd7d9ddb8ce9664ecb0e5973bbf81f4e1c61b9d396966b838da5a385307aecea19758360424269e29444f9de6d9e4c025bd67a63c47f3f796e52a6

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
7636f30777d89368cbe0ab43de51d874

SHA1
588bd8d8a03e52b8111d119eed05f485ceaad123

SHA256
8ebfd2d662484f43d9d75cc3cce5041c271750cb473821cdb6b548957e55e2ce

SHA512
9e320b6d5071ec3ef0f6e088a524b21b06a8842e8903488951b49e9e0a54708b8159cc36dc4d5bd399552f3f2b2d11ee582ce56be7fe046f54028479741a68ae

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
64KB

MD5
5021927386008f5fbfc7aa8617bbfae8

SHA1
60d3a8b80b57331ff3e9c8e6168e5890e2cd4619

SHA256
3de1f19ba515b8fa8ddefb1072b8e8c2dbee596c9c412b8f19dc76f73a712bbe

SHA512
cca5c5a22e6afc315557bf77770eb3be98aa5b3647cd2419cac85c4a61dd5b0b4aa85fa824cbd6fcc50ddb0d761459891328cf435deecc9a3f425d1a66c3b9c8

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
64KB

MD5
fb9197bb76cd958f7491124142b6b561

SHA1
07a1f830da7223f3219df2ec5119d974073f5b28

SHA256
3e3d6c1b3ca75c1bfe4df93336335dcb9ee5765c0cbee9b1d0ef92644cf6a972

SHA512
55778c9630fae66b87514969c1ef802bfeaccfcfa0a8966acebe2e84a2abcf371ee7fd0ca297bddd1aa16a30a475efca974563044dbfb80b8cd01e390e197587

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
64KB

MD5
1677d89e099ad2fba37c8f35684955d6

SHA1
b7513b93ad98e50edcf4d7c9cb7a94f8dba3637a

SHA256
2624ad7a1d67b28b571a4b16440f4c6ffca152524ea28e7f84aced50bbcaa109

SHA512
441e2c7647367b2d2594b3a381afa74a6cfec7665d6433fc7831acb0d7f90a37bdf4eb8d0535cf76d23fcf48a283c603ebdbad6cc34fdf2482aa525ce5d8b812

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
30af29f4eb49544de174206fdf9292a5

SHA1
895d878095b79a204c620967610fa17f7f686904

SHA256
645d924c74823c030e14325ea5e0370572330ac99ae216fdcb7c5d8b17abc78f

SHA512
d8ff02da055d51a590cf068b45580c4a2faabf62ccc9a74390270ef2daed05456e7470b69840fcd785872376e7ffb8481f93aa1b7040cd46e3e6c672918eb6cf

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
f8b7bc94318318f0a1bc6acfdcff917f

SHA1
c68392f0c05e8bffc11dfc8c4cb4c4e7ac78e27c

SHA256
5e7b4217d68cbd5517b7badd8af8de0953464031a41baebe9913d6721821ad1e

SHA512
b1003dae8569501914ba309d0369530e3cb17cc98231cec79d43c8802fc7bc4f9e4721bb2b5694a2fa2306dec1cc5ec74a82a9003442e87e9d7c29b00e8b86f9

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
64KB

MD5
03c6a1d043dd35d455b0264abc259a22

SHA1
61d190998fe5004017e467f8326e846c31c4165f

SHA256
1a9d77e7074f2579ace88a301d5009bbbd3b119176528e82e345dd89be65402f

SHA512
0117e8700a954d2dd8e320c5171d4fa3bde7998527b1dd4a8c999a3a03b2bbc1e9de08ac6d9c62d0b5e1638dc2c2c31117efc7dd5f4ac18f142f8a8cc49f3542

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
15028ff34fa79ba9d821e3ff2068defb

SHA1
3b6726bc7b3c8bccd0ab80bcc4346f94015d937b

SHA256
f873b7da4b4696e5a68861bb9d6772d275f93b670662e8b30279a4bb2ca900df

SHA512
1a7046548605177791d3501f2d1e7389a3550fb95f2d6f5796a4a4dfa439363a381c44c5fcda94efd7fcce1c9756b1bc0d322170e6181c195861ee4aa177931b

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
64KB

MD5
4791779c61c51a0353e0e79ec0679af4

SHA1
f97dd9f46d13b002214350d0922823020d84a56f

SHA256
052738350060768b0ac1a7f453214771778e558f3b7afe8fafaa4f34413b185c

SHA512
68665c2e21f30c1b8a8bbceb2e86df1560acfc87de95eb7115018fb4d2a501a0966654804970e9650d90ed4412375d53ba0e51ce3eec943515c8179ed5c5562c

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
64KB

MD5
8a6c826aef00916bbefbb1e99119dec1

SHA1
e4b95f1bffec1882362394c3a98851ed5ad49797

SHA256
889f9235e6fbe1b6c8c55e6fcbda7d3134224f947ef8c603d63c1ec69b05cdc5

SHA512
ec4e1956aa3092c1555998e0ad8c4f0de15d762f83345b9bcb18d35c6c949e125781a4844790027c4317d4b4255d8d65af8c6b030eb6107f3bf91f0cf378a105

Download Submit
memory/208-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-1049-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-1030-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5124-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-1022-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads