2165aad4ad1eb2547d2b7243ee475be89452c69c711d7a3ad73290232dac0c8b

Analysis

max time kernel
103s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ea0045dffeadfa7d83eba7cbb605a0N.exe
Size

890KB
MD5

36ea0045dffeadfa7d83eba7cbb605a0
SHA1

a03c3eb54ff23292a7ccb312f13d8db2d2682a94
SHA256

2165aad4ad1eb2547d2b7243ee475be89452c69c711d7a3ad73290232dac0c8b
SHA512

5d125aabc53a9c001ec78540463cd8e2cb9467551cfe8553ad9a0a53a72a52d7e0db901184780844178041455c503669b6eba4e86d82df6da1929c5c99c0aaf7
SSDEEP

6144:WBD7xPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKr2n0X:gk/Ng1/Nmr/Ng1/Nblt01PBNkEG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1676	Jfhlejnh.exe
4304	Kfjhkjle.exe
732	Kiidgeki.exe
2208	Klgqcqkl.exe
4080	Kebbafoj.exe
1856	Kdcbom32.exe
1876	Kfankifm.exe
2144	Kmncnb32.exe
2548	Lmppcbjd.exe
4652	Lekehdgp.exe
4952	Llemdo32.exe
780	Ldleel32.exe
2592	Lfkaag32.exe
964	Liimncmf.exe
2984	Mdckfk32.exe
2148	Mdehlk32.exe
2488	Mmnldp32.exe
2800	Miemjaci.exe
4636	Mcmabg32.exe
4624	Mpablkhc.exe
4156	Mnebeogl.exe
376	Ngmgne32.exe
2152	Ncdgcf32.exe
3916	Njnpppkn.exe
4504	Neeqea32.exe
2528	Nloiakho.exe
3932	Nfgmjqop.exe
3064	Nggjdc32.exe
4768	Ojgbfocc.exe
4272	Ofnckp32.exe
4640	Odocigqg.exe
2184	Onhhamgg.exe
4276	Ofcmfodb.exe
2432	Oddmdf32.exe
2452	Pnlaml32.exe
1116	Pgefeajb.exe
2620	Pmannhhj.exe
4676	Pmdkch32.exe
3968	Pgioqq32.exe
4228	Pmfhig32.exe
2364	Pgllfp32.exe
1628	Pgnilpah.exe
2296	Qnhahj32.exe
4208	Qdbiedpa.exe
1564	Qjoankoi.exe
4804	Qqijje32.exe
5072	Qffbbldm.exe
1944	Adgbpc32.exe
4852	Ajckij32.exe
2500	Aeiofcji.exe
1744	Amddjegd.exe
3900	Afmhck32.exe
2012	Andqdh32.exe
1204	Aeniabfd.exe
752	Ajkaii32.exe
864	Accfbokl.exe
2660	Bfabnjjp.exe
4144	Bmkjkd32.exe
1112	Bebblb32.exe
2464	Bganhm32.exe
4592	Bjokdipf.exe
1232	Beeoaapl.exe
884	Bffkij32.exe
4880	Bnmcjg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Kiidgeki.exe	Kfjhkjle.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4132	4772	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36ea0045dffeadfa7d83eba7cbb605a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	36ea0045dffeadfa7d83eba7cbb605a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1676	208	36ea0045dffeadfa7d83eba7cbb605a0N.exe	83
PID 208 wrote to memory of 1676	208	36ea0045dffeadfa7d83eba7cbb605a0N.exe	83
PID 208 wrote to memory of 1676	208	36ea0045dffeadfa7d83eba7cbb605a0N.exe	83
PID 1676 wrote to memory of 4304	1676	Jfhlejnh.exe	84
PID 1676 wrote to memory of 4304	1676	Jfhlejnh.exe	84
PID 1676 wrote to memory of 4304	1676	Jfhlejnh.exe	84
PID 4304 wrote to memory of 732	4304	Kfjhkjle.exe	85
PID 4304 wrote to memory of 732	4304	Kfjhkjle.exe	85
PID 4304 wrote to memory of 732	4304	Kfjhkjle.exe	85
PID 732 wrote to memory of 2208	732	Kiidgeki.exe	86
PID 732 wrote to memory of 2208	732	Kiidgeki.exe	86
PID 732 wrote to memory of 2208	732	Kiidgeki.exe	86
PID 2208 wrote to memory of 4080	2208	Klgqcqkl.exe	87
PID 2208 wrote to memory of 4080	2208	Klgqcqkl.exe	87
PID 2208 wrote to memory of 4080	2208	Klgqcqkl.exe	87
PID 4080 wrote to memory of 1856	4080	Kebbafoj.exe	88
PID 4080 wrote to memory of 1856	4080	Kebbafoj.exe	88
PID 4080 wrote to memory of 1856	4080	Kebbafoj.exe	88
PID 1856 wrote to memory of 1876	1856	Kdcbom32.exe	89
PID 1856 wrote to memory of 1876	1856	Kdcbom32.exe	89
PID 1856 wrote to memory of 1876	1856	Kdcbom32.exe	89
PID 1876 wrote to memory of 2144	1876	Kfankifm.exe	91
PID 1876 wrote to memory of 2144	1876	Kfankifm.exe	91
PID 1876 wrote to memory of 2144	1876	Kfankifm.exe	91
PID 2144 wrote to memory of 2548	2144	Kmncnb32.exe	93
PID 2144 wrote to memory of 2548	2144	Kmncnb32.exe	93
PID 2144 wrote to memory of 2548	2144	Kmncnb32.exe	93
PID 2548 wrote to memory of 4652	2548	Lmppcbjd.exe	94
PID 2548 wrote to memory of 4652	2548	Lmppcbjd.exe	94
PID 2548 wrote to memory of 4652	2548	Lmppcbjd.exe	94
PID 4652 wrote to memory of 4952	4652	Lekehdgp.exe	96
PID 4652 wrote to memory of 4952	4652	Lekehdgp.exe	96
PID 4652 wrote to memory of 4952	4652	Lekehdgp.exe	96
PID 4952 wrote to memory of 780	4952	Llemdo32.exe	97
PID 4952 wrote to memory of 780	4952	Llemdo32.exe	97
PID 4952 wrote to memory of 780	4952	Llemdo32.exe	97
PID 780 wrote to memory of 2592	780	Ldleel32.exe	98
PID 780 wrote to memory of 2592	780	Ldleel32.exe	98
PID 780 wrote to memory of 2592	780	Ldleel32.exe	98
PID 2592 wrote to memory of 964	2592	Lfkaag32.exe	99
PID 2592 wrote to memory of 964	2592	Lfkaag32.exe	99
PID 2592 wrote to memory of 964	2592	Lfkaag32.exe	99
PID 964 wrote to memory of 2984	964	Liimncmf.exe	100
PID 964 wrote to memory of 2984	964	Liimncmf.exe	100
PID 964 wrote to memory of 2984	964	Liimncmf.exe	100
PID 2984 wrote to memory of 2148	2984	Mdckfk32.exe	101
PID 2984 wrote to memory of 2148	2984	Mdckfk32.exe	101
PID 2984 wrote to memory of 2148	2984	Mdckfk32.exe	101
PID 2148 wrote to memory of 2488	2148	Mdehlk32.exe	102
PID 2148 wrote to memory of 2488	2148	Mdehlk32.exe	102
PID 2148 wrote to memory of 2488	2148	Mdehlk32.exe	102
PID 2488 wrote to memory of 2800	2488	Mmnldp32.exe	103
PID 2488 wrote to memory of 2800	2488	Mmnldp32.exe	103
PID 2488 wrote to memory of 2800	2488	Mmnldp32.exe	103
PID 2800 wrote to memory of 4636	2800	Miemjaci.exe	104
PID 2800 wrote to memory of 4636	2800	Miemjaci.exe	104
PID 2800 wrote to memory of 4636	2800	Miemjaci.exe	104
PID 4636 wrote to memory of 4624	4636	Mcmabg32.exe	105
PID 4636 wrote to memory of 4624	4636	Mcmabg32.exe	105
PID 4636 wrote to memory of 4624	4636	Mcmabg32.exe	105
PID 4624 wrote to memory of 4156	4624	Mpablkhc.exe	106
PID 4624 wrote to memory of 4156	4624	Mpablkhc.exe	106
PID 4624 wrote to memory of 4156	4624	Mpablkhc.exe	106
PID 4156 wrote to memory of 376	4156	Mnebeogl.exe	107

C:\Users\Admin\AppData\Local\Temp\36ea0045dffeadfa7d83eba7cbb605a0N.exe
"C:\Users\Admin\AppData\Local\Temp\36ea0045dffeadfa7d83eba7cbb605a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Jfhlejnh.exe
  C:\Windows\system32\Jfhlejnh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\Kfjhkjle.exe
    C:\Windows\system32\Kfjhkjle.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\Kiidgeki.exe
      C:\Windows\system32\Kiidgeki.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        40⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        67⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        82⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        90⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 404
        96⤵
        Program crash
        
        PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4772 -ip 4772
1⤵
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
890KB

MD5
2a1bbead4c23341a96ab8d2080481125

SHA1
91315d1d23dc40ef1902aae4f01db4e049fc0e94

SHA256
8ec8a921a1f42461636c4ba149fb33c6948ee81d011cd1192b5d1a9e88334253

SHA512
a3860af03488a6a68f13cbed5522c10a2292dd0e117267c117908a8e2c796385f1529e7535e3a9c70c17934997c79d60a59a50fc5901afc3cb099df121492495

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
890KB

MD5
b2ad750d7ea73c0ccd2b4035330a88b2

SHA1
159da7148c19d4f1ae61412bd093c5840c1bdc79

SHA256
a3edff11100b3edbbfa2afd298644a27bd4b3b0da529eec9a8111fded8389c57

SHA512
07d253997f684983813923d84979d8f6f983d1d8995c8fc65111ba87ec34673342880f2bbf01712751499c466100c3b614767d3feec30a78ac4a34d70f6904f2

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
890KB

MD5
497f6f5c5dfd14a46e20937bbaf2aa57

SHA1
83e65e9e0948261bda27ec14f055e29f92cdb177

SHA256
943f7873b48d00d7e973fec139b8de6f31bbd88346ae888323e7f7f8eae1e7e6

SHA512
161820b168ffa55d063ba0fbdc2076f70ae9ed3610683339a16ab56547b476a83eabc9392ffeb82ff1b20c62bc92552f99a32eb49814c6222bea7dce5a8632ac

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
890KB

MD5
4d87ed1f0a215c43850b1d501e8c9801

SHA1
d662a197a29b5c5be0db9ba96e9340a96815d0b5

SHA256
61480f30f831eab4e4b73936932395b4dd29c7e5c31ae1b335d57ee47f332f12

SHA512
9b36de3b485a62897d6e55c1883f240354d07e6e05e6cb7d50f872401b798930d34711bcdc0a430c01bf5d35994842a824c8e59c5b0f942134486411eb573e23

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
890KB

MD5
1ad93c8dadf07cde43ae0fe225c1242f

SHA1
f276a0a3b18f3372a4e97c7ca514b064108a2c62

SHA256
400216f43a9f30e2348d8e2792a5fa01c0eaf4ac3a210cb5ed7872389a0a5685

SHA512
0d288cd94796480211c764bdf39d8adb4d3a2e0899572db03ff46bd2bf4a634591e328a737c9f703cc45cdd0d6da28183b7ebf86655e4de873866c621a7bd493

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
890KB

MD5
29085ca496890e7cc68f0972e6429f9c

SHA1
7c6c08c12a7aca8d443b2b9b2ee834d129ac3999

SHA256
3f1f3e338280b8365a3fc2199a26e66f0a0097e299fd06ecc7e3be84fc2201a7

SHA512
7fdf90982484502f929d11dbe351490e30b1fac82535cd947ad707e8ce2edc1f538dc98aa415507603de256d569acdfe60a2ec668e3ea7f19ffecf06469d2b0f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
890KB

MD5
d8b31b356d68402586ae61e8323f77c3

SHA1
faa8d09dcfed9958c6b9c19443f7d11d81cc9b08

SHA256
8cf713a92610bdb22ff13460b50598b7d7cbaa7ab13179ab8d3900dd87799a35

SHA512
323724a9720a419c404873207c20cb1a8986c7c54b1f590bd20c35f1109b50f7eeb3d4cee2120d94a0eb4c13750ccd7cfef3a0052f5d64eaae8d133c1820ac55

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
890KB

MD5
c7a4d352cc9f1ca3f5a00ccdef751da8

SHA1
628a8311022503edcd852055d15a9f8678270674

SHA256
d1ea390839c29060be5967541085bfd80d759ea345a04d151a0372846cc03786

SHA512
bc8b0ddf5fd896009862628b3f4131445d942cc65849cc86b0b5a8135512dd5e6e8f720f4f9f365272ef263f4dd8dc11dbaa1bf352214ea9bf29875bd36d6927

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
890KB

MD5
92f02137c8050122c6fcdf672ec445af

SHA1
f63ca79450a211ebe2e8711a7f36b34112e8854e

SHA256
bc8d06169c1431c23dbc4610fd3699e221dc8b49d681390b74ed15a89c74f0e1

SHA512
e40288ba6cad3e28c1a1a4dc806b6a939eb22166998ed2bb5b9d6e96806290482d09043d683d7d7ddd8844e2c9f953a96f294a3b9dacd1cca388085d03b6f5ee

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
890KB

MD5
33f6ed17a5fe66ec780cccd31d1f4ced

SHA1
a7815d9e5ddfabd1d080ce0a7fbb249ec2c04889

SHA256
4e76c11bc1c9529d04c70aaadb4db3e61a42ef4512a29c09d8709370ca0418ed

SHA512
3fbb8573c0741db8dcefdd59a3bbc4340a44c3cb2dac2b187a6db333680e4ad7278248e03f5b4df85165b751ed21f83255fffa6dc9794811a350d9467d7cea3e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
890KB

MD5
b17a91986bd5a29d25ca70f2cecf19aa

SHA1
9661a91b90e610c7eb1a978407c0a47df5eaaff1

SHA256
353306aa76d0dc655623c9b6b810764bf2934e4ecd9eb8cee2fd26711cebfbd8

SHA512
14395c1371b1c0d1ad8f598f4349f45892e8aca4de1794fd0ee07482a0f8f7d42cc9cf6a4f26130d76285c8ece2e104e24d8770e5e5e6fb5be194e3f48a3d9d0

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
890KB

MD5
dea10648b9a06eb89a682c96b2342418

SHA1
0053fad32e629e79a540d8096398db92cd28b562

SHA256
ebe831bc561a9b05d2efffa1533db6a57fc46ee796c9463db26aee346bc7aa0b

SHA512
431788cbf92e82fc078f924a3897f7c96bc85fb90beea5965ea5b904076115c095e4fff2e0480c81fa611249b80050b95c1bc0f71ba257c0ae67b771cf36882f

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
890KB

MD5
97e5a9aca2fca7418c9b81266add9c1c

SHA1
3e504fc8d8315da3e22e8ba74a3e9e687f342ceb

SHA256
4497d2862e76562c79e2f1fa2cb49b21d772598d3a2d89337c55b41549fca728

SHA512
e6a97875f08ac820450760739f83bf078a186aef06557c5b84d06db8d556fc85e678f70197c901a3fa92ecbc051bf49ccb059f327961e3c0c6c585accb23bd7d

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
890KB

MD5
a1cb8ae6ce8d8cf2b0433210cbceb6de

SHA1
0fb13e823c897913a81cc365b29821888564f832

SHA256
6bdf6821999c06271053c5be24d74a0ec3bd9f37def03ec8c05b81a066a941d2

SHA512
cb07b8d0cbcf1c4565a53858b3413881b2ad25e4f4b7a0183c77456cf0f2a3b51bf311e7fa624262accfc3f849c46b49fecb301651e73fd0bbfafe63a02fa3a2

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
890KB

MD5
1aaa6a33def55b0a0794465ca0bf3abb

SHA1
41730b83f5b5e70d12b896691b126d029c592150

SHA256
a3920d7fe6b053f230cb5d1373c1bbe7d47ffa2e9cee7dfa9430ef7bb9346e58

SHA512
8da1bd89bded49651e21ba12844849467e1971e0a2aaadc908a4b2bdef8ea48a1ce45f5a434f292c78324901e48958b9b411bd33184ebeae9721db4bb58953b6

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
890KB

MD5
07bb6b5cfeee7526c2df8fc56feb1f6a

SHA1
c2dc8bbf892e8bf1d68cd52b93470000a5aacfc7

SHA256
4341eed20a53030d0296892e23c16e4d797d0ceb91f96938daf5d9484530dca5

SHA512
6ec5f1726eb7ebc6d6716b65e6bb872217c85a9430e75fe6acfb47b3ca78a278d95e2006846ab834b1ac439baaf0a6af161ed8f29ea5ac5d28be0616327ae0c9

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
890KB

MD5
5d9229fce17a75e2dafa89f29eedede8

SHA1
b6279918005c968ff79d102966d6b297b701e1f7

SHA256
a4ce05bc33a4c7e76663e8e5d0d423c773af6cee77ccf98a93cd4b190e0df28b

SHA512
e64a7fa2f1839a27be01e643b43e6ca434a9c1c1be4de30380ec08786467ed2711ab26b04b427c9e7fea98e1318c55493aa4d5bdcdc6c4dd7ba03d9b7f00e881

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
890KB

MD5
9f98ed62145ce1c0b7ad0d5d5cef803b

SHA1
43f721d5b15c6abbb2e7d296fa43060bafc52434

SHA256
9039741628c7a4e2081d444c102f7d72b2ef8004411e8b13bb88bd680371bff8

SHA512
b7af124bd572d6ceb627ea6afbf53de7111f7a3410a0b20cce6e33ff999de144e73531c365240d82bb4c6333b52b5ee76cb7886b821dc21c2400082cae073efb

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
890KB

MD5
d3edc909c939eaee60003fefb7dc84c7

SHA1
53d99b57df8660db33eb3629ebbf1544fbb3393e

SHA256
ace74c042756ac6529eb666f3c6f8e216833efa37357e6567922aa763fd78bbc

SHA512
abca4e0069e9a5da505c0528b1c4e1fba52d531b9d3ac288ef0d0a5cb08380f68fcc05a7ca6d8e607b6fa39713fe90591c737b20d041ade42476a3d7219d5e5a

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
890KB

MD5
35bc95440c454dd1ae09f3aa5cc0cdaa

SHA1
adc441057f5fef10c559fbb82ef2c9e22398dadc

SHA256
7f15240a86e191b5b7d0e7d0b10e79852c14d3a4d15be9a7ddc00ceb877fd7d1

SHA512
9e52ef450483ec8877882c121dcb42c3391e4ad7c0be274acf4fe5d9c23761c4e62bfcb3ce997c3d25d05744cce1547a86394fab5775b8283f90c7eecd1e7cef

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
890KB

MD5
db476342980f895788a54036003e4a02

SHA1
8dfd5cf0e4b5162a287c00788c4635856019491d

SHA256
610d6deeae3efe6a7946251f07c56fe43af36735755c200a6bd67f5bb5fe07bd

SHA512
4a40caaa731eb6914624df51a40e4fa6964ae8537ec9052368adcc393348f90ee7bd1040516519a19b619172a8dc54761ae619dfac3018ee1a1671d0276ff618

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
890KB

MD5
d6e6d9f705ade2a54c14ae1be704b162

SHA1
824eedd123dfe3a9e91ebbc4226c4da7e6c81281

SHA256
4387c9b0467c79f93a8b52ad3d6ed4d894d19f4aa6e018451426841248c2bdf9

SHA512
ae909280a9b89c643742ada10d7c052d73d8fc68ef6424281754bacad8fefea479e2f7c867fa437dd742cac0866e72d94069ce4ee89c1a69f204838339cec50c

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
890KB

MD5
7c7c3da02eb9b5e28573d38cef907ddc

SHA1
2fbda3614788a9e19d2d0a8f268a4680b4a03e11

SHA256
2f19f98191021fd6f0fa6b612432cd0e58a90ff4e2f1015a259a8e3936f76199

SHA512
94b69ff356dea9c1175ece2b0541233d357af43c7d464fe8a9945a2cc519ea54b1dc80f87158c5878265f50b5876e928303a5356c38066d7231bba4ff9b5c165

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
890KB

MD5
9a4d19491d3c0c9c0e9d8c7d312d2c4f

SHA1
5a28938117abfc995f4c057b78b630b188dc86bc

SHA256
85e1a4da53fea15348422c14b3296e0fe414268308b9224a0532364eb0550863

SHA512
7bee0a3cad1027dab85d42e484821dd46a3663268b6a48f972109c8b3d6b8501a6d5aaf8925585f65ed3c3909921167b647efcf03e398042903ac34edcd2f558

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
890KB

MD5
45ac4d92b6c938aca4f3ca608f37f3a2

SHA1
b1808bfce04f0fb9dd7049d79ee58397b88b6d59

SHA256
778c5856e1c44174a40946a5aa6941fde671126d4bb9ebe033f7a9fac1ccc09d

SHA512
7fa323f79708e1e6a72f1e982a7f26e505a06e270b06d7e7390d1b21853a9e969d8fb5efada2ef6d8f42e9c225c49abaf3ffd085ce595f7e826a9fdf811a11cb

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
890KB

MD5
6a51b71e28037939f601457d0f02548c

SHA1
04fc898f76ad73b9a53698a59ad7471f8774c985

SHA256
66c900036f967d5e9c2efe731e953583970b27fdda9b57a8d4fd076a99166546

SHA512
906e175fb2448b5b48d608d91587e4cf171adee1f282e7f841e8b3baf40ec0ca737ff2094ebb5d1f34174a9e01be6a32f5f91bd9a09d314ada4de627e5374c8d

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
890KB

MD5
7d18e22e57c638678192e12b6a69087b

SHA1
c305ac456c8643f11599ce239a7c878d7a3eedb9

SHA256
31ba55107599e9bfc2ce055c2297c498e2f3a11faa1f1edc2e98a6a4e312818f

SHA512
2477a0e35b2b4ff6704c64d74dfdc71c0b69aa34b741d0e9f01fc059006fce9933611708f0fb5966e76657893924a172a8150d22d0416d35d7e3847c353baa15

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
890KB

MD5
1debf96eb2410849a568d7d1f7bfe465

SHA1
7a762fd9d404e0efd6245bc6f7eba8c7c29b75b7

SHA256
3f45ce0375fe238b4b6b4b6ecd5c98c771aff3589a669f3229a354dcd367031f

SHA512
41718252efe9a1a1315c75120f8ffaab5c166d969c4b43bdc5f1adf46977a15c8c8e23c64611a6af966059410fd266f514bb976291c8d2c379f450bd9c4a5ecc

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
890KB

MD5
553f9da76d52992fe7296d887f846282

SHA1
f7e18b06e69ec828608e3ebc3397b2fe665221e2

SHA256
0d4279316a5c0ac9b76d43712de8455a7f4ce492f6ac807842431e36d42bc995

SHA512
567c624f35e2ffbd80d81409de2282d1c35b4b2c4bf2e93efaac00dd331a08c10720139491595ac74b4fef16a7e009929cc26b3da634834ed48f7fd1b58dd718

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
890KB

MD5
3a80ff813f4ec39edeb71217c0ecd70c

SHA1
25557a5acdc0e3e258cf48119895921e90cd210a

SHA256
197ec966926457bba891d2aafa14bb2dcbb02ce655a3ac82b36592f5975e3105

SHA512
f9e2a57a09dd97402b04f94011bb29461234a40dafac675c56a62701b4be87967b38f43cf3f4d1c31ecd9211bd62fc49b9a58893bc69e7825d664abedf39bb64

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
890KB

MD5
d2be10a934d7a726d5583f8f33ef5ed5

SHA1
766e653be9f090a9a0bc42984ad4429632063510

SHA256
b01afe328b597d03cddd04891d9852928ab002894017c97d66b65b8f67663216

SHA512
12d7fe3c52d3a708897a1a34b4acd63c1c2aba069343414ffce17ede9ee5a074a3599f8f6d09b8e66d2fffedb8eb1521c075676e399305c1bb09d5fbd1c085ea

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
890KB

MD5
84b4e0f2f9650c6d47872f39d6b06d82

SHA1
aaedd8220bd2bb8bcca74c9a72efcc1c3508a0b2

SHA256
076278744e9d4d0a076e13b4c61eb5ba46b9658e1fdeba9e92dbf292cf714c61

SHA512
25274af12616afb32e4bc4a6cc5fee25953e3c9334fb20eae673321f531f66dcdccd99e020389bf458cdf805c6c4bca9875234f9f25af038374212238362816e

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
890KB

MD5
e9cf1c7a31776f0fa835ecbf1ca67bcf

SHA1
3b5562d1808e5e22b0391c80adfb3016ab865670

SHA256
82dc08323e9a07c9c7f6c16f868961c0aef828329f3c204044c6a07b301f9a00

SHA512
ba6d401672c62a4f0f5862ee2b5fd50bc660d5b358dc2ce95db8fd81476c3a27ba537e53ceb2dd1a512aa53040769db780430afca5cadbeebbe15f04e577faf9

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
890KB

MD5
a68464dbaf7c5f1dc97fdd57be3baae7

SHA1
42f476090a291a64fe182c5893e5c72f0dc084c0

SHA256
b4a5f4f4b6e8b71d077f2ebeef1bcb0462bf621eec486a3a52df23ad633660f1

SHA512
2fe32fcdc7deaf371224d43936413c0e8f972d1126eef9e123764d29cf6f9c6ac1367473edd529b13078d284bfb6cc4940685a71d2645161721081bdcc2bc30a

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
890KB

MD5
953492093846d87b35e33e1a0e616c57

SHA1
096b43b6400e9305b30707a8e6f7e831b341db25

SHA256
a9202548cf24ed4affc3227c4ee62b4468b8ee99f18df516402bbbb98b50ffe4

SHA512
a78317a2dd778430f78df501f63fc948507537656541587bbd9f321217a3dbe867bdd676e9ff863ee940b9d84e4d33553a992d5efc7b951f74c09a2739db68a3

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
890KB

MD5
da4e3c101301af16cb07a8c8271eabac

SHA1
6c91887eba11354f58c4706afb582fe9b10850ce

SHA256
9fd39003360a88cf76fa7cbd5a17dccd7975bdcbbd489d0994b518c9bf7a9ecf

SHA512
bfb7ebf670a7300a040d2916a612753b3d75d9bbeddfb8bfe1e555bcb5c11b84ecd96780346f803df95265db9c23b9a5a36f74c9068c55960c6e44ae6c882a78

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
890KB

MD5
0747db0d22bc4ee801ac05c5608b0ba9

SHA1
4048d8914bfe09cbfde041166341e9bcc2701ec7

SHA256
7703a96ad9b09abca7f230a66b68930df8b6ec5da736eb9661e9e4301bc7db24

SHA512
087253d5a65412bd11c0ccc367a5e1d0bd2c6f8c91cfbbd76b4f12a1a21cf8fd0d21b245d129b7e434b61d0dcc01b5e2ede46dc6b917c16342b3514ed0fe330b

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
890KB

MD5
3e7975516ed4b1dfedde213553129ad9

SHA1
65cc15133ecb82d8ddde32fb744ed482e2f1edb9

SHA256
4b2757863131c002fcdd524b5917c6eef3eafb176ecd9a4097fa2ae4d9765747

SHA512
e2662c7419121b61611d429cdd125e56949dc50a6243b7c6e140cb7aaf8e70ed07994a3341d779b2013246bd0c9ed98753c55b96d94af5d054130ed6547aaebc

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
890KB

MD5
9dd0ff7bea071364930a56581649d098

SHA1
5b1b525f4c04c0a5f84019d9eb9933d86b0c395b

SHA256
46571aa404d89eb63b9013941a4d2e5f80400ca6aafcd7672b7ebe38cd5487a6

SHA512
adbab18a3b46633b38465f98d95f65315f68d7fc659bb25228568843e9ec03a5dadb7b2e7da0c97d5047c458e536e94fda362938b61afcfad1a659a97bf791a5

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
512KB

MD5
bf2077748e08292ce824a4aadb6e94b9

SHA1
abbc5b2214386296362897e6e6b23b8d3a4c18de

SHA256
ad97cdb5f0bc1bd5b17059da7418e5c8e1be67f3a7e11f170f5bf00e266cf3ce

SHA512
53f5019c4c55631e839cbf0b32eeb8d4909e6216f8dd150c49841b47d449dedd0857c5fe5ee1368ae916b207420bd59186e9525544f3337485bbaad5ea818f92

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
890KB

MD5
2cd3644b16f2b81b825547c2f3cb9d73

SHA1
6da7624bbc65ef5420de4c9a41b6edd944859883

SHA256
4f03d126656709f91d190c4ea86ae3536b8e131757151c1641bb3dc8df85bed1

SHA512
4bed1a21c2fe3dd24fdfcb1bdeaa9546b3af104776004e95e9941133d574547f372d89dbc0c2d10871f6a15bb8f1fa19bbc23eaa71561b1a1e698ee68c07ff9e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
890KB

MD5
87d1a16b7976546eb505cb5d4555219f

SHA1
2c9458f5237a7542859e5cf30f1de4dafb56567d

SHA256
bc4edfd6ee7597dc5222bcf32d603d4869d4e800559797fe61c9b081cdeb810c

SHA512
9f52c40218e819a6c7371f694b151df0e559a6676276d24ebc7f9b517d72260ef542029a789de96bed883d10121ace15e37ce306315414f6b7a957fd4642156d

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
890KB

MD5
7ff939d103f2c8535da5cdbea82204ca

SHA1
04d2deb045f145be18916c727235e5471a721fe2

SHA256
cf350c3cf888fdcaf034bcae94d8df31756402a4dceb4b6afd907ea1c8dadbe4

SHA512
bb0b016c6b64e360716b4cecb8dfc075ad3f3706450659fb9ef63df231226db7cc46e050bfa164ba032b0b2d131fa63cfec75e0798006e47c8743e55ec81f469

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
890KB

MD5
afcd7e51cc63740c383825d1254105d1

SHA1
6fadb8210c1493fbab1951ab03b2016b87960861

SHA256
340b13319fa1a49811dbef37f97ffd9f9f265c0fa679c91d82fc240b3801fbea

SHA512
86f82f0cbdf3b742d27f03b54daa73d1d52beb92001365cc1109ca83b6d1e05d48149caaf9ad0c134030b98785c30d23418727e1f2002f8c973baac89b4f493d

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
890KB

MD5
c94e107e5742f189cdb630d8274343aa

SHA1
fb604298c3c75a913058d7002046fe7983fd5568

SHA256
67020e6d242baf08ae4d7a2a137ea3aaeeeb944f1aa0ff16ac196bc018ff8f83

SHA512
8d4ae37fdaa6046558b9b9a7c232fd1fb9e3d643218a5ed9f02a80451e9d39eb8791f9bca1a43c4af3d69fd892421f604a1bf8332c7cc34ef3faf15624215ca7

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
890KB

MD5
0b90c1fa67e580a5e3734417dff957d3

SHA1
92c2ef250d0e303e8ebaee6aa64687801969d274

SHA256
a45c0a171933f7f1bf44e02d71ea7f803597a42481404b43224352e76ef66049

SHA512
a06898d7a03991a108aa8b13c394e4a71d0a73656dc5db9b39fde5d89e83ba20ac518a80fc9b4b11325a6aadfbe11f68a81241fdca14f889f96afc5ac6de1b1b

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
890KB

MD5
7ace7516b4b9ec778ed9b2b5298f2943

SHA1
f90741625504b4aa276a61efad3e2807c90c4dd0

SHA256
019faf747e420b737497541e26b5c893b4fb72b5f8e5e0ebec46b7f8280de8de

SHA512
7d723ff3ff6141fdeac469614f2e4d7dc770a4260ee65ad00db1da6b9652d59880c86b0fa8df7f0c77cfe1d0a83f81eb34866a2629d2359bdf5314aaf8d00c43

Download Submit
memory/208-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/208-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-680-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads