89ca363c150967c72be96254ed3411e6eb89039fc0b0e0c5b732c71fd5668bec

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 07:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4745f63e3922683c2d1322df8f88b5a0N.exe
Size

91KB
MD5

4745f63e3922683c2d1322df8f88b5a0
SHA1

2df9a5b5bbc66e21b6368443f850f1a2addb4e5f
SHA256

89ca363c150967c72be96254ed3411e6eb89039fc0b0e0c5b732c71fd5668bec
SHA512

33057d7575182e297f5d1d6599c06da07ce524fe3ec431f0ca3320687d7a00901709450ed58c3186ca66123800000a05cdd6113bacc3213be10aad418759e494
SSDEEP

1536:pXLgRmWxOHnDLdTS2yLJUgnvjtux1dMbEGyRVfeDQtob1xS15UJy/vSGw:yRKm2+J1vjtux1dMbEGyBGMV/vSGw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onocomdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe

Executes dropped EXE 64 IoCs

pid	Process
3952	Nnafno32.exe
2316	Nqpcjj32.exe
4200	Nflkbanj.exe
4624	Njhgbp32.exe
2744	Npepkf32.exe
4804	Nfohgqlg.exe
4428	Nmipdk32.exe
1040	Ncchae32.exe
3424	Nfaemp32.exe
2368	Nmkmjjaa.exe
2712	Nceefd32.exe
4680	Onkidm32.exe
3216	Oplfkeob.exe
704	Offnhpfo.exe
3660	Onmfimga.exe
3004	Ogekbb32.exe
3264	Onocomdo.exe
4904	Opqofe32.exe
2668	Ofkgcobj.exe
3124	Omdppiif.exe
4160	Oaplqh32.exe
3404	Ocohmc32.exe
1624	Ondljl32.exe
1036	Opeiadfg.exe
3864	Ocaebc32.exe
3256	Pnfiplog.exe
600	Ppgegd32.exe
768	Pfandnla.exe
3668	Pmlfqh32.exe
888	Ppjbmc32.exe
3948	Pfdjinjo.exe
2104	Pplobcpp.exe
3320	Pffgom32.exe
116	Pmpolgoi.exe
540	Pdjgha32.exe
744	Pfiddm32.exe
4628	Pnplfj32.exe
992	Panhbfep.exe
968	Qhhpop32.exe
4536	Qjfmkk32.exe
2748	Qobhkjdi.exe
3912	Qpcecb32.exe
2300	Qhjmdp32.exe
5008	Qjiipk32.exe
2756	Qacameaj.exe
3676	Ahmjjoig.exe
1128	Akkffkhk.exe
4468	Aaenbd32.exe
1464	Adcjop32.exe
4876	Afbgkl32.exe
2968	Aoioli32.exe
2760	Apjkcadp.exe
2372	Aokkahlo.exe
2268	Amnlme32.exe
4676	Apmhiq32.exe
4276	Aggpfkjj.exe
2524	Amqhbe32.exe
4792	Adkqoohc.exe
4844	Ahfmpnql.exe
2992	Aopemh32.exe
4516	Apaadpng.exe
3516	Bdmmeo32.exe
1416	Bkgeainn.exe
5132	Baannc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Omdppiif.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Baegibae.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Figmglee.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Pfdjinjo.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Kdebopdl.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Nflkbanj.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Ifaohg32.dll	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Pfdjinjo.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Fcokoohi.dll	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Ncchae32.exe	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncchae32.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Njhgbp32.exe	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Fgjimp32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Aggpfkjj.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Aggpfkjj.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Nnafno32.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Opqofe32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Nfohgqlg.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Nfohgqlg.exe
File opened for modification	C:\Windows\SysWOW64\Offnhpfo.exe	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5972	5840	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offnhpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmfimga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdppiif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjijid32.dll"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodbhp32.dll"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onocomdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3952	4964	4745f63e3922683c2d1322df8f88b5a0N.exe	91
PID 4964 wrote to memory of 3952	4964	4745f63e3922683c2d1322df8f88b5a0N.exe	91
PID 4964 wrote to memory of 3952	4964	4745f63e3922683c2d1322df8f88b5a0N.exe	91
PID 3952 wrote to memory of 2316	3952	Nnafno32.exe	92
PID 3952 wrote to memory of 2316	3952	Nnafno32.exe	92
PID 3952 wrote to memory of 2316	3952	Nnafno32.exe	92
PID 2316 wrote to memory of 4200	2316	Nqpcjj32.exe	93
PID 2316 wrote to memory of 4200	2316	Nqpcjj32.exe	93
PID 2316 wrote to memory of 4200	2316	Nqpcjj32.exe	93
PID 4200 wrote to memory of 4624	4200	Nflkbanj.exe	94
PID 4200 wrote to memory of 4624	4200	Nflkbanj.exe	94
PID 4200 wrote to memory of 4624	4200	Nflkbanj.exe	94
PID 4624 wrote to memory of 2744	4624	Njhgbp32.exe	95
PID 4624 wrote to memory of 2744	4624	Njhgbp32.exe	95
PID 4624 wrote to memory of 2744	4624	Njhgbp32.exe	95
PID 2744 wrote to memory of 4804	2744	Npepkf32.exe	96
PID 2744 wrote to memory of 4804	2744	Npepkf32.exe	96
PID 2744 wrote to memory of 4804	2744	Npepkf32.exe	96
PID 4804 wrote to memory of 4428	4804	Nfohgqlg.exe	97
PID 4804 wrote to memory of 4428	4804	Nfohgqlg.exe	97
PID 4804 wrote to memory of 4428	4804	Nfohgqlg.exe	97
PID 4428 wrote to memory of 1040	4428	Nmipdk32.exe	98
PID 4428 wrote to memory of 1040	4428	Nmipdk32.exe	98
PID 4428 wrote to memory of 1040	4428	Nmipdk32.exe	98
PID 1040 wrote to memory of 3424	1040	Ncchae32.exe	99
PID 1040 wrote to memory of 3424	1040	Ncchae32.exe	99
PID 1040 wrote to memory of 3424	1040	Ncchae32.exe	99
PID 3424 wrote to memory of 2368	3424	Nfaemp32.exe	101
PID 3424 wrote to memory of 2368	3424	Nfaemp32.exe	101
PID 3424 wrote to memory of 2368	3424	Nfaemp32.exe	101
PID 2368 wrote to memory of 2712	2368	Nmkmjjaa.exe	102
PID 2368 wrote to memory of 2712	2368	Nmkmjjaa.exe	102
PID 2368 wrote to memory of 2712	2368	Nmkmjjaa.exe	102
PID 2712 wrote to memory of 4680	2712	Nceefd32.exe	103
PID 2712 wrote to memory of 4680	2712	Nceefd32.exe	103
PID 2712 wrote to memory of 4680	2712	Nceefd32.exe	103
PID 4680 wrote to memory of 3216	4680	Onkidm32.exe	104
PID 4680 wrote to memory of 3216	4680	Onkidm32.exe	104
PID 4680 wrote to memory of 3216	4680	Onkidm32.exe	104
PID 3216 wrote to memory of 704	3216	Oplfkeob.exe	106
PID 3216 wrote to memory of 704	3216	Oplfkeob.exe	106
PID 3216 wrote to memory of 704	3216	Oplfkeob.exe	106
PID 704 wrote to memory of 3660	704	Offnhpfo.exe	107
PID 704 wrote to memory of 3660	704	Offnhpfo.exe	107
PID 704 wrote to memory of 3660	704	Offnhpfo.exe	107
PID 3660 wrote to memory of 3004	3660	Onmfimga.exe	108
PID 3660 wrote to memory of 3004	3660	Onmfimga.exe	108
PID 3660 wrote to memory of 3004	3660	Onmfimga.exe	108
PID 3004 wrote to memory of 3264	3004	Ogekbb32.exe	109
PID 3004 wrote to memory of 3264	3004	Ogekbb32.exe	109
PID 3004 wrote to memory of 3264	3004	Ogekbb32.exe	109
PID 3264 wrote to memory of 4904	3264	Onocomdo.exe	110
PID 3264 wrote to memory of 4904	3264	Onocomdo.exe	110
PID 3264 wrote to memory of 4904	3264	Onocomdo.exe	110
PID 4904 wrote to memory of 2668	4904	Opqofe32.exe	111
PID 4904 wrote to memory of 2668	4904	Opqofe32.exe	111
PID 4904 wrote to memory of 2668	4904	Opqofe32.exe	111
PID 2668 wrote to memory of 3124	2668	Ofkgcobj.exe	113
PID 2668 wrote to memory of 3124	2668	Ofkgcobj.exe	113
PID 2668 wrote to memory of 3124	2668	Ofkgcobj.exe	113
PID 3124 wrote to memory of 4160	3124	Omdppiif.exe	114
PID 3124 wrote to memory of 4160	3124	Omdppiif.exe	114
PID 3124 wrote to memory of 4160	3124	Omdppiif.exe	114
PID 4160 wrote to memory of 3404	4160	Oaplqh32.exe	115

C:\Users\Admin\AppData\Local\Temp\4745f63e3922683c2d1322df8f88b5a0N.exe
"C:\Users\Admin\AppData\Local\Temp\4745f63e3922683c2d1322df8f88b5a0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\Nnafno32.exe
  C:\Windows\system32\Nnafno32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\Nqpcjj32.exe
    C:\Windows\system32\Nqpcjj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Nflkbanj.exe
      C:\Windows\system32\Nflkbanj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        64⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        76⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        82⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        95⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 408
        97⤵
        Program crash
        
        PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5840 -ip 5840
1⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1316,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
91KB

MD5
ede483f6ed69b68dcacfc62c0374d206

SHA1
42e722b95f5df0f09f54814646e6cfaa8ed4f671

SHA256
45dab1cc95d4438396550cd5ace7c05f286a35a185b7bf82ccbaa97a0715e120

SHA512
36e0268bac33850533de79472ec3a6869e37cd8bf985b4c06f9805de1a5ec090d4a9ebfe2126c80804d5a06d791458d464fa5527db11c1b7e946918b9387f96e

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
91KB

MD5
b412d3f64dca7364562c185573629742

SHA1
32019ab5663bfd5643e168d457cc8449bd077d15

SHA256
9851320ec5492df6f705cc0a6ce31b67eb0792a81d474b4c0016f069f7d9458d

SHA512
49531f45bc2d5b8db7e74cfa8ff187707d3a55fff2a3d8190a12a863d1cc8b5a5f563673fb729599b9364a8525b5631377a1f3b49c2b2ee9a1cc1d20b32b3463

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
91KB

MD5
943d00ffc29a60bbb78b3d94a929db07

SHA1
c155b2a9960dfe5ca4f9fea1f99da7f5dc1fb666

SHA256
d568ceb3d5c95a1e813af6f65e3ae17a588e9b1d1d07f9db583f0df96e1e2ce9

SHA512
94d233ff182ab936de4438bae736ba41ae9116d528de311b08a8c8d0cc869d9652f20e91482c42b7a6c3e526ccf48ef1eb9b27e7ffe25736786568ab47d4456c

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
91KB

MD5
bae5c9d92e532f51293499cccfa6a2d0

SHA1
f42b7089a6dde53fdab46bd16313c6938e9ecae0

SHA256
b7bf9baac6c814024321f31e7caf573db75f7d2bd5f8dd397c08d368848b2f1f

SHA512
b378ccf3d13e3173229a1a6d60bd82e0a13d4c7f9f41bfe45926e91f832f9b192f95c56ecc90d5deaeab719cff8b2bd8366f6e5e9e5eb55452198a3d43795fb1

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
91KB

MD5
30fe7cb2190808ad1a5e7a9a36a5114a

SHA1
cfbc7cd2064aafafeb98e43f46cd5d3a1351405b

SHA256
d09376f4ae00f4c55d393e8f03acf62a966a58d4c6667b824d0bddea41f38b97

SHA512
1f005569c77c0bb2e6b8dcb1f34d9a12163c5161bd3ef01083f9ef4c1b8fb5d243fa21df0125ea053a4877ab494a1072ca605f60507154a80cffc54c7f2af50b

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
91KB

MD5
bf91f0cf4d5782d78cd7c529d59fbdca

SHA1
12ccdeeb884de53b276d75c2d2c88e8bacf1f5ed

SHA256
ca05d9470a49e41e2e17e071b2bf0f110e76a01a6d111e1cf855946d8e1936e9

SHA512
677d3fa4b760672a560615efebbc3dcd85c5655cbed81842d0ecfe30ee9e7cfe5009dcf4375638a3e05521ae94c1b241fc712b89e8b824c5662298071d180650

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
91KB

MD5
c8dbce7bb2a91fa307fd2aa4d89582f6

SHA1
49f4774989ec73c9a00f357bc09f120e2220130d

SHA256
46e4acc012d765021a5d8e84f5a169d93a46ca27f07157ce3e90e189858e11be

SHA512
ff67b3cd1ce51f33bf996c946eb7019db80d3e954805360c43ba2c4d970793948f15257febe6ca464c517275605e8fec0675c5f8d3eae59ca702feb10793abbb

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
91KB

MD5
297a4695251ca8f655e70201997cdf46

SHA1
3035368295e0c93dd08e8572a53bb791e2794e1e

SHA256
bf4d359f3e37d5f95514b8b407f3fd614f7725b32f07955b422bb6433c96fedd

SHA512
d8dfaf003c4af7cf6cc9cc59c23ba7a78396f552bad947d9e05d1c598d0029f39672e89c96043f1907d060c17c6e6fc6e70a094632d7f3eec31a89f61579c8b6

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
91KB

MD5
cdeb33591d83683209910b554b9759fd

SHA1
fb63b265ffac9d605ca59e46a6ab546148c074a6

SHA256
ee4bf7a7021523835569203e7a42ee01ee02bf4b63e897506c18cd335fddac18

SHA512
4efda2f06375215a503769d54ba89f6cd379c3dbf4e5dd70f625c539270acc96a084f188b70607eceb84bd1dcda866fd22d708adaa28553d26d7aabef6fcb978

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
91KB

MD5
c667dcc2aa01866d3a79964d166cfa5d

SHA1
2382d20352dfc712306ba2fd25f943e2e49e8f0a

SHA256
e9a223d87c330c26e04ceee1774f3fe017abaf98556301501df5afd8d9e43821

SHA512
dc41579d02ff297b3c054ce8a8db494479aeaf85ba7f342cdc98081c6bec999027fa0b2b21392ba6fdbb496a449d176494c5a667ce4b1a5a8bc067d3da0dd2d8

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
91KB

MD5
b64c5420b292b60df97f87c06153453b

SHA1
b622a7aa0a7df936d63080e1486cdcb3c1064a73

SHA256
1dc65ad09de5e41680b71952163860df1ab982379198e55f8213ad6fb90a8cea

SHA512
0c3287b3c4b38302106dbee4d19cec166197a7e473c3f06bd63274807ce17d993bb4f5c170f6b1e918f78e16223e16dc49f793084f812cb2b2793a4dc9d975b6

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
91KB

MD5
15ec52b9aecd2d4e48dab5aeeb26f815

SHA1
0104dd46c12f4007968fce40b2bd132dfdc02c31

SHA256
7e8deabce877dbd458cba7daf4a42f0e0c30e7dbda211c976cd4f9b79c6574c6

SHA512
32f7c1a6f90670f9e2641bea85cfd9450d7e8fcad25d113761db65992dfac15b74d37087530b8b768c8fb9009e34ca04324d05fc17ad807cc994fa869589c03b

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
91KB

MD5
74a4d132fc74362952e5f796864be5d3

SHA1
d1b9c17eadf16983876c3222103e6f7a79d2c896

SHA256
4daf6fdb3e537db7c51b8aab410037c08df201c5620acc6b87e1bc663722999d

SHA512
603f39dc020cdfe50a8fe1aa4005967075f5abbfbd506e53f3bce9c7d612bf562d2d7a0d482d62dc33a86f1f21200d4f16738f0710c99c1af3f4e881155dd97a

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
91KB

MD5
1ee0a61b94900b505ee7503a51f04f22

SHA1
5cfe1148e92f4024f663fbd56f26cd93da591fc0

SHA256
6ec175edca14a99d0e1ca8c4bbff1e05f28783cd863eff3002e3be58d1059007

SHA512
15655485297dd3f9f0daa615180e6f2b22271fca3da1a04eb1162791d743723706b1aff6631e3a6c0549c0a58e58416b42313018c2821a898d58fbbcae60af10

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
91KB

MD5
41df0dad79a3a1f415114f1c6f5a4161

SHA1
3df94cf1f9c253470e98e46f567d7cd60e5045e8

SHA256
69f9a1d81779e4a5c15905de0d059e721570728522fef8d234cf7b7a4bd47903

SHA512
0b427543e29a17b4ab1b215d67f12d9bf1f96cfc444f671655c9cf37fb1963c27ebf27db7e3b49d533c1973c8b610afb29b1c62adfc1e2b548178bbfa6ce5ea1

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
91KB

MD5
fb3a4ef736f9de600cda67bfeb8f3d15

SHA1
f25dd88be0af31a8e8f0dc90652dd8e50159beb1

SHA256
5163787f17232aa0ef68ba8a95da34b5b81cb4e729235b2fc1efe86030493d8d

SHA512
7832ae16c11dd5dfb7240bf9fb99f8ee97ddf5b9822e5440510b23be036b8199b4784bf6172de2a277bf07604509194504f285540f94c1c01af2d4733e84ab1a

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
91KB

MD5
e401ab96005d90ea2be260e9140f4c6a

SHA1
9cf9186c394d6200685551d937f95711079338c0

SHA256
2db527a20aba8d49da528e0c591bc724d32fe7f7b8031294da77ce7c947fd24f

SHA512
673df4df2ac16634db30cdc51c03f1fa50a9f8b3ea466cb327381a2e8e7744dcccdda51441c8edbfee1306abb39bbb84ed9fe5c83fd268d7a7a542bda2a6d0d8

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
91KB

MD5
51316cd10b4a19e460e81faf6ebcb6da

SHA1
c05cead1bb402b93efd2ab97c08bd9b396e63ee4

SHA256
19c9a131323fda8c609b6979eaa0aec8303ff6c426bbffc04928584e85840bfc

SHA512
8a3811dc9d526b5f52fa8de8963dbf3d21ae05419eb676a36dbae72cf5ad1b8052bba06bf28006cc63137478d5fc8cc4be7df9d16414cd1b85d08e44be338961

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
91KB

MD5
66d00b93cfcd9fbaf023d199e936d0d1

SHA1
a1a31e66403d1dcf610a1af4a0be71f925b26d3f

SHA256
cedae7d18d81b43dc7dc1d53398b6527cc5121efe24f2a56a6b6febf3f01d910

SHA512
40c4d2df446b80bbbadabfc474c6f5b6d878dfcf82117c863c469493ab8c9149c066ff489b8eaa756a315c6cd89a32f707849771bd1ddbfe56e3db0814e57345

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
91KB

MD5
f9986e154f47122a32cbe8bb377770a7

SHA1
dd9c48f70c9997e14eb3e1265a8235f894d79749

SHA256
4334a01e04a72dbbb3236b60bf8f03d8f729939e8c763f81134852ca04370098

SHA512
bc65369d10f9d4226e24713355171ab1b1c1d046083f110216c392074b62ab6ba90499d0b5f777f27a80dbf6e199166cb9b3bd315ac859bb7e7e4e779f54e7f4

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
91KB

MD5
a9a88343cb6d8fa13f3d6b757bb68c2b

SHA1
5da5f7cd6cb3461da10c83571883cbcc92308820

SHA256
bafbf3274174244334f917e957431b6b935f5bd7719526fb09f0f13944d26fb0

SHA512
168bc237fd389bcf55cb3a9c262f0cb7ba2513235b1769d93d9634374bcebc915e35ab944a0bf0d2b746799e9bb2b796b217b23eb750862af2bf04a64d9b65fa

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
91KB

MD5
d5cb71a0d732a5140350c31e3fad66a0

SHA1
18c227cb19fb4bb9f967895226b0abdc6f44a3bb

SHA256
52a5fb2ba6455529a49d1ee491dfaa00dfeb4e1e4267f47bc31f29973049bb95

SHA512
d804f2ecca28c8b0a856bd9c2bef2d7f1707406c5f580287e8fbca6c8a0d53447adf05063bb03e1a21979c9db6ba9087dcb4e08699c8ad9e0c33388d04f4f64d

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
91KB

MD5
8704c0f71c3d81c5e9135f12eb5c718f

SHA1
172fadf1de809e4bc7591048efb75629ad968df7

SHA256
fe4f2b739bf0e008c322edcddf7fa6a83196a163b2994a23d2ec3e92451753fa

SHA512
68d8e18a858c3c1197d3e766d75412424ddc53058912756b6e195a0b22a9b31e182330161ded6caa24dc97f9c37694c9a2b91c5699a0acf9acc8d221b951387d

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
91KB

MD5
75d485fae9041d5abaaff6f3fe889b48

SHA1
1974589e2d8babc9a8e1ad12f0033521d8f445cf

SHA256
f67f33415e454138deb614648bc0e58dc868de897d662802f825c0bd3a9ac958

SHA512
80b62c3832bd7d85d02c1a82da355be7006c66338f9d0a225f91f759e4517e0d56e714ddd14043282d17dcfcd2683e61186f6c983b0b2d440e7859ad57f493e6

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
91KB

MD5
15f46527ca5a03a9628ce9445120706f

SHA1
41f8bf6ecc78fb820ce62de102b96f51d57200ad

SHA256
7e34d242a6d404179ab58d01912a212aad08f3d7e72191ca32c5f04287fd2bd9

SHA512
5065213d24223fa858b72890a20ad1340526d7aca97deb78069f90f4cefe905fed7349fe08b773d108890bb878fa98ab373ef50cc5f1dd99b3463ff81eada24e

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
91KB

MD5
2700b935c4256f63cfe105b3b6ce4b96

SHA1
fb178c07fc9d84c2cdea8336daa1d74dd754d144

SHA256
7792b3cc686c961d50334ac01de943081d28d9c594f9172b9b23db1ffc5caf29

SHA512
8f69f3eba3bd65e8963b94a4e8543e3fda33c3caeed349f5407f1c936ffb60ae7fc55c971981a7c9a53d65e08a6ff32840e6677c0d922e498e2a509f511166cf

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
91KB

MD5
98fdff7d6aab2e6c818ac87d69d38d75

SHA1
000e231554d9cbae1828c942f7483a0485e7bebc

SHA256
cd82592f46ea9d632441485794aa1223ee83af394016c3e7927fc9a9af427fa9

SHA512
968dc9fdef31f665ea512bb2ae1a2a51f264c99025f4585e4d4abe4dd379b673e1892b44d7fe7a6d101a9777326be9321c09f3bcdcdd0e4388c868b78b056344

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
91KB

MD5
d9410a9fc9698c99e3fa418cc4a3b1c8

SHA1
1012017bdb5e38ae72181bfdbfd905d71755e5ef

SHA256
361fd3bf75ba299eadb1c513c7fc7761b6b40c249eaffd4310b3d5a38ccbfe64

SHA512
dcff2c3fcdb9bd7b4948b98feee7d039fe554c8deb4abcefb7c69d3688996816d201dedf21f3e39efcf59c0090ac6b161fc453cd75f4d864e4722c7ab1e99a8c

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
91KB

MD5
66ee01e3b585bba59e62bc1f3d148fde

SHA1
2aea96fb91f1ecb80f4378518c476fe403bba9e7

SHA256
adbdb656ac8d1de0bd5417fb4e5cc721f3cbd5286e41235d325dcca7cb6b57c9

SHA512
63442de784aca0892c3497e3869092f0bc5fa32179b36242a8af671ce77eefa4547fb140507cc89f1ef028aaf0d72ada4bab073a11cb5327c19b1f4aaf5c1987

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
91KB

MD5
7cfa6ce0c5e3e8fdd8b890e33471f8eb

SHA1
ec900c2d85bfc1bafb8a290fbd7193fb1f372bf9

SHA256
7cbc35abe709f370dc136bdea43cfe185f465815f176538e15e26e629d9fa262

SHA512
89287096cf9572b19727b9f94d22fe2602a350845138f8858267ce1341f8a44c2948dda294e0931257e4a8baf9734cb062a480bbcded06d0aadf1bd642b01fa0

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
91KB

MD5
b02015ad46467ede9ef5901810f0e6b3

SHA1
e1ad4ff89dc6762858632a6c262c30cac856c4ba

SHA256
f4c76e303f59b2d84a8b5314a33b01f4747e0d2fa4ad4fefeb49f7f35c7e0c3b

SHA512
61c43451ca75f57b2fd25cd1189dbf880bfc371c33dee7976324f62b269c7a318744527aadda1f0b9f88c61af40d6036a63735b22a33066242ddd4716f374704

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
91KB

MD5
e4c7afa0142bae698d08701f71330511

SHA1
41f439971255738bad286831b0071a68378979a5

SHA256
ebdbf7846b16285f6063ee0289a07a026ca771a7c404f42ad665b9a3369ebc3a

SHA512
5eca29a219f986bf6f66edd36d5070daea03c6eea7832a8286e8d9e09e4e316cc54815ebf08895e1a759e561f3590268bd794dea4a6be10658b31c7e1f2088a8

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
91KB

MD5
bbd7239989d81ab1347b849e4178250d

SHA1
09058f74385c7dfe2f36279a68bf2cdaa3445ca2

SHA256
74db51207f88d75157d0ff42db03afdd29b17913d7dd469a8a4430658d0ff414

SHA512
353d5b122460d4e234895c0bbb6b9dd4baca4f9e5e6e39ae889d957108ed007e7539367c6bdac4a8290462ed25745b04ba9b9fdc2bfbba19ec697e68b5a9dab1

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
91KB

MD5
521af9358f1215272b544ca5d237d980

SHA1
bbce74bbc1188d25b8f97cbe9526bf345f03e866

SHA256
564ac471ae6f6e5345a50e6753bae400a27dde9fe6c501d87c38dfa5629346cf

SHA512
73b2b74c300fb7cd13c36b920986f8896e497cc6238afc38fc3fb14d6135f9b8deb2d8ff6eab99a0b9aea29e96a21ebbda467191e59b3e800b663072b016cc36

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
91KB

MD5
038358acb79096470bf8fcf2f0363036

SHA1
c8d17198eb2b9d13b254674263c7a1dc6c771a00

SHA256
cdbcdb3691afa4a24afa5e7ffc30dbcfb957b70ddcca8cb89e96a6253d3eecc1

SHA512
c68de69077083b3f1c8f7e8db53c041dee27eab49bc13e7d58a9dfbf67ce248c018528bc1667a3ffb1f3394d43f287085b000da1bd28b72ad3f5244158a584c8

Download Submit
memory/116-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/600-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/704-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-768-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-723-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5132-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5212-705-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5212-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5260-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5300-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5340-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5388-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5428-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5468-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5512-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5552-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5592-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5592-688-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5632-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5672-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5712-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5752-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5792-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5852-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5912-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5960-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6004-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6044-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6092-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads