ac55200940f3bfea02072450a30a12ba29bd79d8b262391c7b32e972b33ae097

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Size

302KB
MD5

d91bbba1b93d9fc794c3dfe4bed4cb80
SHA1

73717e427cd340887f1166cf7cb53c6ca581552a
SHA256

ac55200940f3bfea02072450a30a12ba29bd79d8b262391c7b32e972b33ae097
SHA512

635705d0d79f09e2e32902e612531fcf8f6e3d985ff850a69663921b4f8bf13625992587ea1c9c149df97a65d7c38af10425ea64297f6d9de8ebd4eb358ab86a
SSDEEP

6144:h/+sZhnoHswL7GNlighD4lTjZXvEQo9dfEORRAgnIlY1:x+Uhibv8lXhuT9XvEhdfEmwlY1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe

Executes dropped EXE 64 IoCs

pid	Process
3480	Ngbpidjh.exe
3124	Nnlhfn32.exe
3232	Njciko32.exe
4924	Nlaegk32.exe
1260	Nckndeni.exe
5012	Olcbmj32.exe
4716	Odkjng32.exe
3956	Oflgep32.exe
3384	Odmgcgbi.exe
3992	Ofnckp32.exe
5024	Oneklm32.exe
1988	Ognpebpj.exe
4760	Ojllan32.exe
3228	Oqfdnhfk.exe
1492	Ocdqjceo.exe
4304	Ojoign32.exe
4280	Oddmdf32.exe
4380	Pmoahijl.exe
4696	Pdfjifjo.exe
4840	Pmannhhj.exe
1384	Pggbkagp.exe
4980	Pjeoglgc.exe
3148	Pcncpbmd.exe
4572	Pgioqq32.exe
4540	Pncgmkmj.exe
3660	Pqbdjfln.exe
4372	Pcppfaka.exe
4856	Pmidog32.exe
2792	Pdpmpdbd.exe
3588	Pfaigm32.exe
2524	Qmkadgpo.exe
2408	Qgqeappe.exe
1368	Qjoankoi.exe
692	Qnjnnj32.exe
3380	Qqijje32.exe
3200	Qcgffqei.exe
336	Ajanck32.exe
4196	Ampkof32.exe
2184	Aqkgpedc.exe
1276	Ageolo32.exe
4852	Anogiicl.exe
1396	Aqncedbp.exe
716	Aclpap32.exe
3500	Ajfhnjhq.exe
3152	Amddjegd.exe
2148	Aeklkchg.exe
4556	Ajhddjfn.exe
1264	Andqdh32.exe
3448	Aeniabfd.exe
2680	Aglemn32.exe
4812	Ajkaii32.exe
4824	Aminee32.exe
4892	Accfbokl.exe
2740	Bnhjohkb.exe
4684	Bagflcje.exe
1952	Bganhm32.exe
4384	Bjokdipf.exe
1668	Baicac32.exe
1348	Bffkij32.exe
2120	Bnmcjg32.exe
4848	Beglgani.exe
3192	Bgehcmmm.exe
2032	Bjddphlq.exe
5112	Bmbplc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5608	2564	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3480	1168	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	84
PID 1168 wrote to memory of 3480	1168	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	84
PID 1168 wrote to memory of 3480	1168	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	84
PID 3480 wrote to memory of 3124	3480	Ngbpidjh.exe	85
PID 3480 wrote to memory of 3124	3480	Ngbpidjh.exe	85
PID 3480 wrote to memory of 3124	3480	Ngbpidjh.exe	85
PID 3124 wrote to memory of 3232	3124	Nnlhfn32.exe	86
PID 3124 wrote to memory of 3232	3124	Nnlhfn32.exe	86
PID 3124 wrote to memory of 3232	3124	Nnlhfn32.exe	86
PID 3232 wrote to memory of 4924	3232	Njciko32.exe	88
PID 3232 wrote to memory of 4924	3232	Njciko32.exe	88
PID 3232 wrote to memory of 4924	3232	Njciko32.exe	88
PID 4924 wrote to memory of 1260	4924	Nlaegk32.exe	89
PID 4924 wrote to memory of 1260	4924	Nlaegk32.exe	89
PID 4924 wrote to memory of 1260	4924	Nlaegk32.exe	89
PID 1260 wrote to memory of 5012	1260	Nckndeni.exe	90
PID 1260 wrote to memory of 5012	1260	Nckndeni.exe	90
PID 1260 wrote to memory of 5012	1260	Nckndeni.exe	90
PID 5012 wrote to memory of 4716	5012	Olcbmj32.exe	91
PID 5012 wrote to memory of 4716	5012	Olcbmj32.exe	91
PID 5012 wrote to memory of 4716	5012	Olcbmj32.exe	91
PID 4716 wrote to memory of 3956	4716	Odkjng32.exe	92
PID 4716 wrote to memory of 3956	4716	Odkjng32.exe	92
PID 4716 wrote to memory of 3956	4716	Odkjng32.exe	92
PID 3956 wrote to memory of 3384	3956	Oflgep32.exe	93
PID 3956 wrote to memory of 3384	3956	Oflgep32.exe	93
PID 3956 wrote to memory of 3384	3956	Oflgep32.exe	93
PID 3384 wrote to memory of 3992	3384	Odmgcgbi.exe	95
PID 3384 wrote to memory of 3992	3384	Odmgcgbi.exe	95
PID 3384 wrote to memory of 3992	3384	Odmgcgbi.exe	95
PID 3992 wrote to memory of 5024	3992	Ofnckp32.exe	96
PID 3992 wrote to memory of 5024	3992	Ofnckp32.exe	96
PID 3992 wrote to memory of 5024	3992	Ofnckp32.exe	96
PID 5024 wrote to memory of 1988	5024	Oneklm32.exe	97
PID 5024 wrote to memory of 1988	5024	Oneklm32.exe	97
PID 5024 wrote to memory of 1988	5024	Oneklm32.exe	97
PID 1988 wrote to memory of 4760	1988	Ognpebpj.exe	98
PID 1988 wrote to memory of 4760	1988	Ognpebpj.exe	98
PID 1988 wrote to memory of 4760	1988	Ognpebpj.exe	98
PID 4760 wrote to memory of 3228	4760	Ojllan32.exe	99
PID 4760 wrote to memory of 3228	4760	Ojllan32.exe	99
PID 4760 wrote to memory of 3228	4760	Ojllan32.exe	99
PID 3228 wrote to memory of 1492	3228	Oqfdnhfk.exe	100
PID 3228 wrote to memory of 1492	3228	Oqfdnhfk.exe	100
PID 3228 wrote to memory of 1492	3228	Oqfdnhfk.exe	100
PID 1492 wrote to memory of 4304	1492	Ocdqjceo.exe	101
PID 1492 wrote to memory of 4304	1492	Ocdqjceo.exe	101
PID 1492 wrote to memory of 4304	1492	Ocdqjceo.exe	101
PID 4304 wrote to memory of 4280	4304	Ojoign32.exe	102
PID 4304 wrote to memory of 4280	4304	Ojoign32.exe	102
PID 4304 wrote to memory of 4280	4304	Ojoign32.exe	102
PID 4280 wrote to memory of 4380	4280	Oddmdf32.exe	103
PID 4280 wrote to memory of 4380	4280	Oddmdf32.exe	103
PID 4280 wrote to memory of 4380	4280	Oddmdf32.exe	103
PID 4380 wrote to memory of 4696	4380	Pmoahijl.exe	104
PID 4380 wrote to memory of 4696	4380	Pmoahijl.exe	104
PID 4380 wrote to memory of 4696	4380	Pmoahijl.exe	104
PID 4696 wrote to memory of 4840	4696	Pdfjifjo.exe	106
PID 4696 wrote to memory of 4840	4696	Pdfjifjo.exe	106
PID 4696 wrote to memory of 4840	4696	Pdfjifjo.exe	106
PID 4840 wrote to memory of 1384	4840	Pmannhhj.exe	107
PID 4840 wrote to memory of 1384	4840	Pmannhhj.exe	107
PID 4840 wrote to memory of 1384	4840	Pmannhhj.exe	107
PID 1384 wrote to memory of 4980	1384	Pggbkagp.exe	108

C:\Users\Admin\AppData\Local\Temp\d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
"C:\Users\Admin\AppData\Local\Temp\d91bbba1b93d9fc794c3dfe4bed4cb80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\Nnlhfn32.exe
    C:\Windows\system32\Nnlhfn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\Njciko32.exe
      C:\Windows\system32\Njciko32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        25⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        36⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2908
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:712
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        93⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        95⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        98⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        104⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 420
        105⤵
        Program crash
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2564 -ip 2564
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
302KB

MD5
cf9eddf01484ad308d70588ab2f77573

SHA1
a6f07e5ebecc09dc2f3b2b0f0bf71e265f2ecc20

SHA256
362d946eb7bfca232ea77b32b458a8516c497c58fdfc90131325a390f4f2ebbf

SHA512
16dae0c3b0d91d28cb00b0c8662739b5bbd692503de47dfc25f6435e90e9c11b7a4aa2bc4cb61cb24d051bc303fd47810200caa55f1ca121117bb43e12746965

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
302KB

MD5
f67f0b1baebe5e88bfdaecc0067c6fab

SHA1
e3f042acc2b1455b1a1358de1a86ca2f188f387c

SHA256
0d2656374686e7c4d4e99ac9d90958aac9b73a62d5a1fd446fe7f4b0066d8776

SHA512
536edc5b41c7799485b6d6bc36423ceb8bbea5c536a4659b5ee893432fdfc7a00492a596a7eb4962558d1a8e0b0d623e46f48e0f07ae018c4cffa6ddfc3ec323

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
302KB

MD5
3c0daaa67b1b49771b668e2025bca80a

SHA1
7ba503d05cbd7b9629f8ca02a69b86817cf7e4ae

SHA256
1b2211ce05bfa645ed7612f3a510bafa05eba9d467070e1992d35281731523aa

SHA512
90c9484578124d65afce3d89500f3d1248eb0b96f2b5ba19a5a336fd54c2a4110d7520a962badb9458a186e80000805ac5541df7e8496f41754d4b76009ef289

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
302KB

MD5
509c9f1324ef7990c2fc3efe47ac7af0

SHA1
88d10296c80d4533de7e8995f6704ccf797f2694

SHA256
e7a811c83ba7f23ad3442e909298218702020f1ce1fd436c3ffe1dd1a38b9df7

SHA512
a9d728ba47fb54aa245d52794ac2c70822d2ffb695c5e5f81ab8a6c81aece2c7041f537732798abf4185772c3bf5d2aa0d2474b7095faa54b598be880ba3ee35

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
302KB

MD5
834d8ab8e03aaa594869de9bff63e0bd

SHA1
cc0ecc2258dbc1b77446402c4ea6385826f50f5d

SHA256
8a3cc3010da403f8da0628f32607a74fa70183e48e9eb81b73a6e83281c5ac3a

SHA512
d18a4d5a3a0d69c6f9d1f2ca342c57e1d0f2ec4349b18289c7caad107f7823ea2b66a250bc2239d62881afff3c5fc70cf0afaa9b24719f32ceace1e17e385d1c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
302KB

MD5
6a29b1fcd90cb3d7d37f58057ccc7d18

SHA1
9445dde572737fca7dae0992a12543b32d329fb7

SHA256
79657aa1a1efe0ab45d616e563a997b92f146eee343db87c12b1a3a7bec63cc6

SHA512
70c9dc258f38ccb06752a66b9f7f239c0297aa0380e3678627518e42a294237a68908e73a40ce626e5231bc10a55207f311a252e22841f2988ccf90f4a98da64

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
302KB

MD5
37d65b0988ea424464f4bd3d6513540c

SHA1
cb0ddec3dc481043681f18613dfdf16220fd3ff8

SHA256
8525a6ea8c8044a6a8ba86e6e2d5ee417131c9576f9b790ba3dfcecde789e70a

SHA512
34a514364afa5dec20fdd3d17fba422ea80c6e182ab6fad074167ef06448ec79484a4a1bee2699fa7494812e045999a26305991575c4fa36a19c4202bbbbaf71

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
302KB

MD5
0e9289eba10243ac14d7885ec0d91729

SHA1
1e4e3d48680cc41dfa03d9f1dcb26d479e396c12

SHA256
20e30b276de6def2ddee6678927e73068dc640aa12f87b61b024cf33ebb0ea32

SHA512
833a200395e5e01f0187abd0ba4acab2376da02c35b83883acc96ec9eac7df95b6f8b5b4b720e2633aca33775c3d58f3338e3fb9aa14af6840201877317d3840

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
302KB

MD5
be0986be169bc0c2bec313a8ca292d3d

SHA1
a3151cf4e79394b6664745563861e67c42409966

SHA256
60febc8b8d1f44b9c0b3a4fad27ecbe5c93e2e27a1d8ee45ed31df585c323481

SHA512
19426945d732987b724fd312fd4c0b80627a68053ce0b50812ab5547fad94a1e2221eb395abe9e69a9fbd60017fce856ee354f8a2b9847ff2f47c00e683bac04

Download Submit
C:\Windows\SysWOW64\Lgepdkpo.dll

Filesize
7KB

MD5
927bdd8fa5d441ef25a25eb4a2dd0dfc

SHA1
669b5759baaf6273130e31c5b152b5e3840fc95e

SHA256
ecc0c227f0648190c365837b6985127b0b0efe0c7efde7f18a38a4e285fe9046

SHA512
df81fed8dc2e64250b385d4706d6eae09565e49cfd08a518d01a0b6aa589ec2636c66566a87a86b4996af7a00c3b6ef13c33fe93dfb53ba0e7208fd55aa732e9

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
302KB

MD5
b73352ab6dddebb455fd4b9f86c04a90

SHA1
5653e3770eb08c403f3dab38ec48744e3f907efb

SHA256
739967f0fd76608dbd5f4fdd0207fb41c91b707bfdce1ec0dbde376c686cc5e8

SHA512
3f2437ab7ab83ad05bd1a873787bd0474e24abfe5bd071c70382695c553023d9e3cd2faa9d4a0c20e5f23a2c4446885b59e3cafbc1c4f3a25754b188dc0a9c4b

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
302KB

MD5
069c76f6e255f30a27788cf22cfbfb13

SHA1
a2953d450a2fa4f2c563eaae39c7247f62030fa8

SHA256
942dfa81383500db2ab02be7dcb1306d647ea1b5d515d6e44c94b10e23c712b1

SHA512
b4f48b88f2c5cac1f79b6ef9558bc9fa77cde28dd40f752e44274780e9a9be378df138e244c86f8488dc8588c269e34c3bb8d313577c7b30bf34432a890db659

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
302KB

MD5
a5633752e15759fa3729cf4dcf37bce6

SHA1
bc8f7e5629b1db547b359b53e84a51664b3f1e21

SHA256
d9d66d70e62fedb350f4599673f6a0e0afb455ec4480d812e483390677417ed3

SHA512
7989caa88372f0863dc8dd7caaa03266827aea64c215883bcf57720f4d404a555af9b61a805b93313b52636dc9e92fe5d524d882cb805357155215d5dfe3e409

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
302KB

MD5
a698fb9f50a403fb3823af149fc8d166

SHA1
44efe60c1dad2e58ebc644d0f11ee1bd7135e901

SHA256
43ecb8731b0ed29be422f429a04c3f80dda2b5cc62f7588338d7d2fd1bfbfe07

SHA512
1c5ae73b627df681547e4b0bdf4106cb0d52312ec35b8da54eeefad9e11ddd9a33fee7fcc1907ac58b01f4a576edc470d1e024ba00871fc854e42ea57e430d04

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
302KB

MD5
8575fe3043143362fcc575cb78ec3c86

SHA1
9da5575f5f59a9f178d67b52b3a73c84241a2922

SHA256
3b08b8b4abbd4394fc4f56198b642ebf18d35ce993c1b20bd0b19cf4d32343aa

SHA512
882c09a633b1a93d7c1d5de2705b421925f64f4c8f0681d5d190b9099bbad072e1ad6fa78d964eb6d2a0f8733ae3d4868bb369b879bba311933eb9c0dc4d0dd9

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
302KB

MD5
9e2f6223d49f0440d06d24e1cc1a06d7

SHA1
bff5c7b9a163e393b09278edb32d8a7652ee0a0b

SHA256
8de8948bd7329cbf1f2d5f1a45380cf618137a64cfb52015bd04e7feabc2cdf2

SHA512
dd00da56bf154a4c9b188cf426add0be1d7336098dcf50111e95e21cc42153db34334ed6681f6df3f8102fb6b0d50b8d121aad7551ce3f7f69d623bb2dd0b069

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
302KB

MD5
87fcd48321b5b6ddd3e170a821fdbc74

SHA1
192c983f899509848e28dde572675c5723aefce6

SHA256
4ada696f56bfb41283f5bca8a67f804c06175fd7036c6476a98545505c9817e1

SHA512
bc6c30c219ebdd7601898ed462ae704bbb28475d8b48d5bb4d758e111443437e44b9fc5ec7dd68b43a5e20334bd57342706862614c2a41fa04b1d9061d94f66f

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
302KB

MD5
534b69e1e9e0d60facdb61a6e3f006d0

SHA1
19b2b894b1be7d86bea79e1758cb13c7d50db777

SHA256
211de47721471ee756e6c33451c3be1575dc4e81de1036251cb90797c3ec2a86

SHA512
fe9f704e702b2ff2e9863f185a057e0d81d5bd5cab55b8afc61d746ecae59443f6e0bce801c0bf766e71308bf924c861799b8ac330e6d9870e187d81f16a7950

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
302KB

MD5
a3838269148edef5cfadc7b381aeb88c

SHA1
fd5fffa95e6dbc63073081201187c01e25302f09

SHA256
5399fd2532ca62fd34658c9eaa793d3321ed3b8319b13132daf346c8fc4553fc

SHA512
416c492e9407891885b0202701995401ffbebc3b4cab3660c36f3d0d0cb32c89c401b6c0f09dc18dd8eea95587c351ac3674cdf388608c389f1079b7f9935280

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
302KB

MD5
56162665e305ce43f858235bbeeca711

SHA1
4a46b24e551a6813867cdc951a4330274fa66b3f

SHA256
8f52475279fc57338409e9b7605172ef42086594edac614f01a3620938687868

SHA512
4fd85c05058392d048840584aea4db6fa2846d90af6c28313b9155b63c023a3a042b44db4d651da22e0456395d4c4ab55a8ba2a32f8eef104b85ffedf315670f

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
302KB

MD5
2989d757395b3c6e209c1015f2cef9a2

SHA1
b93b7ec5b21d1c24fbee9c6f1bd90866f5833b67

SHA256
a9283a02e0f068ee08460d2e8962329c72b74f6570fefff20166bf3f60fa7532

SHA512
d3cba28902512fd6d7c6afd59cf59d46cc7ee30deea90ee721c193de5fb5e282b7488cde3989dc962651cc18c280c7f26a04d07ababac39044f54285c352c92a

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
302KB

MD5
c002e686a658b2a8a797ebd521437f12

SHA1
445f61297d77816f933dbe424758b2f786804686

SHA256
8859ebf14ab92b75ca8419216408a2e735f831d9a8158bf51afa8ff8f94f52a1

SHA512
ab58570ea6a7367eeae2bacdbc9306ad9ade82552c560176ced6bce54f543ec505dcde40a7727d38b5f18cc8969540d9708b57f71c762a6ef57764a78d1baf2b

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
302KB

MD5
5859edd52fbb99a81fced0210e76cf65

SHA1
47aaddbdf2b82f113252f6712c79df512dc0f1ce

SHA256
bf2cb10a2c9b8046306431bc9316c7fb6aa773807312edd06490e0b2090f9fad

SHA512
40f58ee10f1e7bbb2316ab426265d84a8c9d81012d1b84fc3452dff69eba8a3b802b30a1e5750db0a9e94438666298513446c698369462b1a9c987d68217dbee

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
302KB

MD5
271f93fe4ccff06d8acf874f50c3093e

SHA1
e133ea837c6bd040dc980b7d07624ad40246f23b

SHA256
ad53bd0482ba6f3b4a0dc3ce08a89738e28b124f22947db079096feafacc94d1

SHA512
07e39aa4398c832d0e487c318505a49854725df044831d3ee6b6a4d2fff073d218ad814616ee5ed2e3ff1fe3ccfb15143f46a04d649d42ce00f9548850e61a85

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
302KB

MD5
1e44ef59485420126c01d5cacf64e07a

SHA1
d5ecd87d4fc477fe3bf5d0e211b56a5c4f8f012c

SHA256
d941ca64259759609d8c06b25068fd23faf23962eaddb17e7955f9fff5124834

SHA512
43231cc4f897cfa86b5aca4c89fa282ecc776aa0478ca8c6dea4a9d557cee274448677c8bda7db62835d6686c6041531cdd87056ddf50ddbd18cdc51eaec766b

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
302KB

MD5
6d4902dfac289aaf0cb596bb332cfcf4

SHA1
06422af1b10642d559bd41c3ce024bc9eac960c5

SHA256
955067d8551454cc931de5283558170696131698f4efd135babe12063d4d8632

SHA512
ecdd93f4b815a7cc236a14d83432b7b341eb206e740d26e3f40e9ce2d83937692ae88e2192a6e35036341272d21b6e56eb8beecaefb98d464ef2e184a729e0c9

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
302KB

MD5
5dce1eb4a7442e9087f9f9e8f5312715

SHA1
977195e5c128a0e641f27f5f16af7e8c5b03469a

SHA256
2f1f14e6e458f880083daf768b25a8f37503ed157a74e3428334d4e67bf62283

SHA512
6001b45c4522e72cf0cbe6622edc55fc5f8dca467bc817e849824348f5cdda631e7213eaad70717512b67f06f4c31f8137558e05b32df373c353709d18c6716c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
302KB

MD5
cd2a38966d93ff59165d27ed2968396e

SHA1
350b06537d3196987e74c20f16013c56a5e0d41c

SHA256
e602a531ac54983e3b1736d859efa42d4f53425be5a3ace2e8d7e79e881cdc94

SHA512
1242cd487d112e8bd802d6facf70d6bb85fec90a496b938ef43076e442163dd30b6666bd9a83e1c9e2de4df52a084e02b96c060bb0d0ecd54a8e16fff3d393de

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
302KB

MD5
ed2b3a4d1cd64ee4776295436551323c

SHA1
227120a078a402882a21b058b2f26f91716002fc

SHA256
27cc70467e3c15bf07c92bbfc89485085753625318988946ab5249fd09efcdcb

SHA512
fafd756d2b16361cc55f94e1a09d2d20570a97ef995bd66e85a717a18e22382aabe3bdac598b04f00e4a966eda96413b20a142b835e91aa1c29ed26cd35fbc0a

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
302KB

MD5
5d6f933c918f1ad5fdb1bfd00cd5cefd

SHA1
8138949e7561b4465e3821a6785a8bbc6b69ceb3

SHA256
2d0196273ecd0027a5dd9ed827d9e9d3fd82c25c85ac78ee470e0554479211c2

SHA512
71600d644a3f9adbfb8d360cbce17652dd4a2985968cd1dc23d6bd24c7fc4f1778897b55ace0761884770561a9b3b416f339260609af57955356836d85f2b086

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
302KB

MD5
9d6dfef75831b74505dee6e6c5484324

SHA1
1d13ab4ead134b90013b94559a9925e196cda284

SHA256
f45233061624f45c9baa76889e53d2cc6fbf8bf01aeefa58772965e135227e60

SHA512
d9a0e9b1d589a7fb75e0a7640354b0b94e35f817a46a31a6df46b45b0001523dd5a6714e5f795e1beeeee45f09da57724cfc55d0d386e5abdf6ab51934107a01

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
302KB

MD5
f79a0abb978aa69eb7666746c7a8f38c

SHA1
2d91c7065bbd6d0f1b0e848c0587619610dc73f5

SHA256
2ef8c133ee0c7043f234eec4579f581f28a17b2a0e22f6ff7eecd46c5af9ad1a

SHA512
0d540fdb9f409e60d51ff8427628b69e16ec35277765f8b38607a6fa155d703f9cead3400c4275d37892197fdac9201539eceb9877f4c5f47e7707696cb466ed

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
302KB

MD5
a079665ca8448402114685187492d72d

SHA1
79fc6bbdf2f40b39581cfdc5c01f1f6d179c35f1

SHA256
09e617e7b85befc5f735e503cc0cefff4fd5cdfcd44cc55add4cb2f6637359b0

SHA512
1e30df387076e09d2342b29fff6fb9d42914d511e4843ab0363f1f67cb0b2488c99fc553bc99cc76dc58eb9a44aa3fdecfe99083da76e1b37c23caf1c27513b8

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
302KB

MD5
6bdda8511d5ff8c5582cbaff93c2d0c6

SHA1
1af80d70a6e2dbcbed83a1105563ab93e3e6b31d

SHA256
45b012e1f4eb4b06e85832657fcba0c6f9df74a8e22da001ae143b56e896948f

SHA512
01b739c23afc09b1c786e2568466e37907311cd02083f819b8e7bd8b639e8383a18a61f8835d013cda4e1450de9c72ec1a6d3b07d9f176edf112128315964eb6

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
302KB

MD5
c797ca53bc31efcd9cfd61beda43f55b

SHA1
bd738342c8153ad545cc174cf3c67afc297f9b88

SHA256
7116c1af6835bbbd0babd7adb4184d031b7ef95c6cda56d98407be78c1e54414

SHA512
8a10c1f91802a48a8b49a2c4cc3967e97cc6bdc6bb77dc196de8c2236c4372e0471c0c4e20593693bc871a9b6b11ab17efb7a44858826cef5395569222cbf110

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
302KB

MD5
359f90265f5f729c16bb19689186d88f

SHA1
1fad5ec768a779a536b6a7a7592ebd71f33d4ac3

SHA256
6b3552ef16ee8fc09991c35d17a70318f9d9e2b77430fd525adf306e77816fa4

SHA512
deef441009ce711520efeccbd3d62d41595a03feb9cbfe733e6cfb8fc40ea0d478f2f60267a0e248cf4b83b0cab00dfbbe0a8afc7f8d28924164739382b410f0

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
302KB

MD5
308f18005ccdb95b3a0948c0098830c8

SHA1
6d7f066e623d83336d9b9af732bd5cc59f0d6a44

SHA256
9f0d8a00eeb7c1e6330e32e9cfd3550a055fcad052b2c239469e0333ce7853b3

SHA512
f6efb40c54266c7b8d0e083acc2667e7b8e7d5aa6377644705300317d4afa85bf9734a2d45859c93d8c014ddf98165059c5e00a05fb1feb0cfc62b2a2fc4fe9b

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
302KB

MD5
efb7cd75da6e80f8db76233e487022c4

SHA1
41153b6b3bd88bb05ca044888f50294473a7e893

SHA256
cf949b0877f29fa839497146e03a967a5fa86f9085ade4737bc0a3e1bdd56774

SHA512
07a68b7500516f70f9ab3b657b29ec618070627a058a63908e31b0c7b128703a3928c07b069e92e5f91c0aedb4dc890f26982133a212f0ec4247a328a11696a8

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
302KB

MD5
115ebefa71e7c9ee0283327ab5c2d575

SHA1
027a352d99e897447b7dadf757eeedf7541fe4d1

SHA256
639c496360d74533519d6e6bf0c56c3cd48e05c91656ed3a7e26fc1e75da8941

SHA512
6a7fef66c4f070216bd6461ebe3e2341d8f7047a078e65794b8f303175e06a08dc0ec9b455c00a4ed963aa75378dedbfded1621acc9e1768073fe35b3621cfd8

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
302KB

MD5
29e30a752a56dce6bbe517e36dafd91e

SHA1
4c8e0de91fc9c8a3dc594e8ed9fa151055b22985

SHA256
1059d33224b87ab807c78edf8cf9144972a340eba0f333e9c7def42643fa52c5

SHA512
78e0d34ccf362c57d1a25913aa21164c2f44c403de7066cc75b47c05af89b0dbd5151d122444f3f18baeda998351407821a61845040ea4d9df18f38197721d2d

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
302KB

MD5
45c1b9c5938bc0f8a0fa1e74ffacccaa

SHA1
aabe95eb3ec00c14960d17e819e5dded842e1133

SHA256
94472a85ec2298f6ff85bd3d407f7347a9d3707114f51aa5e0e97cac1e5fcca2

SHA512
74859dc8e6c230fc11b3d7871cbc74ab0e21767f7a6cd6af2ccef46f9d099aa3f78b600f49bd81562ea5a72c284c9117d88babf9a4f3fd7b7ada08a988fd4371

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
302KB

MD5
dd51a4a7f0f16027f6cc7d92320094cf

SHA1
02012ec7056dd8fba5dea65e635f316e84af834b

SHA256
e568a1b4dd3a0b8cd37efe32fc0ed248b23fc3c6b6449a9b8ae5c1159f22a07e

SHA512
fc748b5bc5d733804de1bfe60ccb234a6bab74ea383e1b48f6874fe833ba42da9f41bd51521f6f8ec92952e8633908406ebda430a1dfaeff3166a0f991a80b65

Download Submit
memory/336-286-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/636-538-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/692-268-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/712-502-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/716-322-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1156-508-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1168-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1168-544-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1260-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1260-579-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1264-352-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1272-484-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1276-304-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1348-418-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1368-262-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1384-167-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1396-316-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1492-119-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1668-412-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1856-472-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1952-400-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1988-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2032-442-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2120-424-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2148-340-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2184-298-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2336-526-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2408-255-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2524-248-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2592-490-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2680-364-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2740-388-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2792-232-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2908-482-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3124-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3124-558-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3148-184-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3152-334-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3192-436-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3200-280-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3228-112-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3232-565-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3232-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3380-274-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3384-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3448-358-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3480-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3480-551-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3500-328-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3588-240-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3660-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3784-460-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3956-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3992-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4008-454-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4196-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4280-135-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4296-514-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4304-127-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4372-215-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4380-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4384-406-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4540-200-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4556-346-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4572-192-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4600-496-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4684-394-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4696-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4716-593-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4716-55-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4732-532-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4760-103-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4784-466-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4812-370-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4824-376-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4832-520-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4840-159-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-430-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4852-310-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4856-223-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4892-382-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4924-572-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4924-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4980-175-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5012-47-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5012-586-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5024-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5112-448-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5132-550-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5168-552-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5220-559-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5264-566-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5308-573-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5376-580-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5428-587-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5488-594-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads