176e8521db899f650daf90ce426976b2855b3bdc8200512554d952e592721bb3

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

816875bae966fd606a43121034ed5a30N.exe
Size

128KB
MD5

816875bae966fd606a43121034ed5a30
SHA1

4b7419e1f69d285940f64a29bd18a9fc0bb59a8c
SHA256

176e8521db899f650daf90ce426976b2855b3bdc8200512554d952e592721bb3
SHA512

19ca8906740029506707ab9fa9df8e108a8306fe167bba8b718f2572c709427ce3d6e88215ef4cd72163fd086c1e1885124a4d086a416c8368a1cb1a195480fc
SSDEEP

3072:BhHfz/eluvi38vf2uT8KhLsXvmW2wS7IrHrYj:bHfbeluFvf2dhfmHwMOHm

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	816875bae966fd606a43121034ed5a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe

Executes dropped EXE 64 IoCs

pid	Process
4568	Mgnlkfal.exe
4876	Mmkdcm32.exe
4632	Moipoh32.exe
5020	Mjodla32.exe
4824	Mnjqmpgg.exe
1700	Mcgiefen.exe
5420	Mjaabq32.exe
4764	Mqkiok32.exe
5204	Mgeakekd.exe
2096	Nnojho32.exe
3808	Nqmfdj32.exe
2184	Nggnadib.exe
3148	Nnafno32.exe
396	Nmdgikhi.exe
4288	Ngjkfd32.exe
5032	Nncccnol.exe
556	Nqbpojnp.exe
5188	Nglhld32.exe
3224	Nnfpinmi.exe
1528	Nadleilm.exe
2280	Ngndaccj.exe
1220	Nnhmnn32.exe
3692	Nagiji32.exe
4712	Ngqagcag.exe
5500	Ojomcopk.exe
5692	Oaifpi32.exe
6084	Ocgbld32.exe
4012	Ojajin32.exe
1456	Ompfej32.exe
5248	Ogekbb32.exe
1432	Ojdgnn32.exe
5560	Ombcji32.exe
1472	Oclkgccf.exe
3608	Ojfcdnjc.exe
2272	Omdppiif.exe
2056	Oaplqh32.exe
220	Ogjdmbil.exe
3604	Ojhpimhp.exe
2572	Ondljl32.exe
5292	Oabhfg32.exe
2252	Ocaebc32.exe
5752	Ohlqcagj.exe
1988	Pjkmomfn.exe
4312	Pmiikh32.exe
1900	Ppgegd32.exe
4228	Phonha32.exe
5216	Pnifekmd.exe
5440	Ppjbmc32.exe
4844	Phajna32.exe
2928	Pjpfjl32.exe
6104	Pmnbfhal.exe
4304	Pplobcpp.exe
4952	Phcgcqab.exe
5300	Pnmopk32.exe
5308	Palklf32.exe
4780	Pnplfj32.exe
3340	Panhbfep.exe
1308	Pdmdnadc.exe
1888	Qobhkjdi.exe
5728	Qaqegecm.exe
5064	Qhjmdp32.exe
5460	Qjiipk32.exe
1844	Qacameaj.exe
5760	Qdaniq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Jlobem32.dll	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Nmiadaea.dll	Nncccnol.exe
File created	C:\Windows\SysWOW64\Bgagea32.dll	Nnfpinmi.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Bbikhdcm.dll	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Eihcbonm.dll	Pjkmomfn.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnmopk32.exe	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Moipoh32.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Nmdgikhi.exe
File created	C:\Windows\SysWOW64\Jponoqjl.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Mjodla32.exe	Moipoh32.exe
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Aggpfkjj.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjaabq32.exe	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Oabhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Nqmfdj32.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Nggnadib.exe	Nqmfdj32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhmnn32.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Nmdgikhi.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Nadleilm.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Nmdgikhi.exe	Nnafno32.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Ocgbld32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Pnplfj32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Ogakfe32.dll	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgeakekd.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Oabhfg32.exe	Ondljl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4720	1196	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcgiefen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmfdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjodla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdgnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhmnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgeakekd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll"	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Phajna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabfbmnl.dll"	Mjodla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oaifpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	816875bae966fd606a43121034ed5a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjodla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojdgnn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6000 wrote to memory of 4568	6000	816875bae966fd606a43121034ed5a30N.exe	83
PID 6000 wrote to memory of 4568	6000	816875bae966fd606a43121034ed5a30N.exe	83
PID 6000 wrote to memory of 4568	6000	816875bae966fd606a43121034ed5a30N.exe	83
PID 4568 wrote to memory of 4876	4568	Mgnlkfal.exe	84
PID 4568 wrote to memory of 4876	4568	Mgnlkfal.exe	84
PID 4568 wrote to memory of 4876	4568	Mgnlkfal.exe	84
PID 4876 wrote to memory of 4632	4876	Mmkdcm32.exe	85
PID 4876 wrote to memory of 4632	4876	Mmkdcm32.exe	85
PID 4876 wrote to memory of 4632	4876	Mmkdcm32.exe	85
PID 4632 wrote to memory of 5020	4632	Moipoh32.exe	86
PID 4632 wrote to memory of 5020	4632	Moipoh32.exe	86
PID 4632 wrote to memory of 5020	4632	Moipoh32.exe	86
PID 5020 wrote to memory of 4824	5020	Mjodla32.exe	87
PID 5020 wrote to memory of 4824	5020	Mjodla32.exe	87
PID 5020 wrote to memory of 4824	5020	Mjodla32.exe	87
PID 4824 wrote to memory of 1700	4824	Mnjqmpgg.exe	89
PID 4824 wrote to memory of 1700	4824	Mnjqmpgg.exe	89
PID 4824 wrote to memory of 1700	4824	Mnjqmpgg.exe	89
PID 1700 wrote to memory of 5420	1700	Mcgiefen.exe	90
PID 1700 wrote to memory of 5420	1700	Mcgiefen.exe	90
PID 1700 wrote to memory of 5420	1700	Mcgiefen.exe	90
PID 5420 wrote to memory of 4764	5420	Mjaabq32.exe	91
PID 5420 wrote to memory of 4764	5420	Mjaabq32.exe	91
PID 5420 wrote to memory of 4764	5420	Mjaabq32.exe	91
PID 4764 wrote to memory of 5204	4764	Mqkiok32.exe	93
PID 4764 wrote to memory of 5204	4764	Mqkiok32.exe	93
PID 4764 wrote to memory of 5204	4764	Mqkiok32.exe	93
PID 5204 wrote to memory of 2096	5204	Mgeakekd.exe	94
PID 5204 wrote to memory of 2096	5204	Mgeakekd.exe	94
PID 5204 wrote to memory of 2096	5204	Mgeakekd.exe	94
PID 2096 wrote to memory of 3808	2096	Nnojho32.exe	95
PID 2096 wrote to memory of 3808	2096	Nnojho32.exe	95
PID 2096 wrote to memory of 3808	2096	Nnojho32.exe	95
PID 3808 wrote to memory of 2184	3808	Nqmfdj32.exe	96
PID 3808 wrote to memory of 2184	3808	Nqmfdj32.exe	96
PID 3808 wrote to memory of 2184	3808	Nqmfdj32.exe	96
PID 2184 wrote to memory of 3148	2184	Nggnadib.exe	97
PID 2184 wrote to memory of 3148	2184	Nggnadib.exe	97
PID 2184 wrote to memory of 3148	2184	Nggnadib.exe	97
PID 3148 wrote to memory of 396	3148	Nnafno32.exe	99
PID 3148 wrote to memory of 396	3148	Nnafno32.exe	99
PID 3148 wrote to memory of 396	3148	Nnafno32.exe	99
PID 396 wrote to memory of 4288	396	Nmdgikhi.exe	100
PID 396 wrote to memory of 4288	396	Nmdgikhi.exe	100
PID 396 wrote to memory of 4288	396	Nmdgikhi.exe	100
PID 4288 wrote to memory of 5032	4288	Ngjkfd32.exe	101
PID 4288 wrote to memory of 5032	4288	Ngjkfd32.exe	101
PID 4288 wrote to memory of 5032	4288	Ngjkfd32.exe	101
PID 5032 wrote to memory of 556	5032	Nncccnol.exe	102
PID 5032 wrote to memory of 556	5032	Nncccnol.exe	102
PID 5032 wrote to memory of 556	5032	Nncccnol.exe	102
PID 556 wrote to memory of 5188	556	Nqbpojnp.exe	103
PID 556 wrote to memory of 5188	556	Nqbpojnp.exe	103
PID 556 wrote to memory of 5188	556	Nqbpojnp.exe	103
PID 5188 wrote to memory of 3224	5188	Nglhld32.exe	104
PID 5188 wrote to memory of 3224	5188	Nglhld32.exe	104
PID 5188 wrote to memory of 3224	5188	Nglhld32.exe	104
PID 3224 wrote to memory of 1528	3224	Nnfpinmi.exe	105
PID 3224 wrote to memory of 1528	3224	Nnfpinmi.exe	105
PID 3224 wrote to memory of 1528	3224	Nnfpinmi.exe	105
PID 1528 wrote to memory of 2280	1528	Nadleilm.exe	106
PID 1528 wrote to memory of 2280	1528	Nadleilm.exe	106
PID 1528 wrote to memory of 2280	1528	Nadleilm.exe	106
PID 2280 wrote to memory of 1220	2280	Ngndaccj.exe	107

C:\Users\Admin\AppData\Local\Temp\816875bae966fd606a43121034ed5a30N.exe
"C:\Users\Admin\AppData\Local\Temp\816875bae966fd606a43121034ed5a30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6000
- C:\Windows\SysWOW64\Mgnlkfal.exe
  C:\Windows\system32\Mgnlkfal.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Mmkdcm32.exe
    C:\Windows\system32\Mmkdcm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\SysWOW64\Moipoh32.exe
      C:\Windows\system32\Moipoh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5204
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5188
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        26⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        47⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        55⤵
        Executes dropped EXE
        
        PID:5300
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        60⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        65⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1388
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        74⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        78⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2544
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        83⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        93⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        95⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1684
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        104⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        105⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        106⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        108⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        112⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4160
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        114⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        121⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 412
        122⤵
        Program crash
        
        PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1196 -ip 1196
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
128KB

MD5
f9cd3a64a63942c400bb64bfa6d35f62

SHA1
52b0b045eaafe6191d622f4e0e764e338e810a91

SHA256
b2baa222f997cd6d4478b272f3c0ab97fe359ec1a78c51645b1c346485dfb479

SHA512
44de135c3b67c01ba27853e12b536469e90bc94ebe8f59e8e4c79e426833137c75985ee030342c670e482dbaf4fdf1fa5d90eded6a9faef994da019b6f61c734

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
128KB

MD5
6423c011e87a804ddc6398608ca9852c

SHA1
8a7af9c4e373150742e83628d344d292760de8d6

SHA256
d351903beb7c540e636aade36a0b32674d5b71c9ca74b50dd5180616ff106a72

SHA512
7824626a3ca5b79b132a0cffbc7bcdc1271fa705cb2d646e871fe297f0cf0a9e470511fba6a9bb232ddb54d3efff9468e0ae66c6aa6dd1ea85ebded78b25f7c3

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
128KB

MD5
f2a50100987a6833cc2bd671a17d18c7

SHA1
4c840b58db8f19faa801dea05f37cdfc5bb9a3fe

SHA256
006dda5387bd4c59df934fa118f510a748a4b13f9e94df405138938dc13bc7f0

SHA512
0d0250a68154ac7c1864509e792c0a123cab230618ba37e1a1a26799afc520145f3969ada06e2fa25318872d28efbaa4e838b1cc80b3f99b003c48e19046ec9e

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
128KB

MD5
760ed0e910562fb14a5d0f8680d1c940

SHA1
be4fe20791c963f70a2bbded24fcda527fc9e823

SHA256
159328777d30e730d703fe8deb27132c548eca9c29e03a9013c54b5951f49a2c

SHA512
9c9d1f444c327fdbc434a65fa8b34074df852ddd7af0698511deef3fa7c43c3da748cbd52582fba11d726e5abc7ae1e8e53cae92517f56e3792312d4eba0aaf6

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
128KB

MD5
7f5c6e56e8a3b978415ee74b83a472c8

SHA1
d751ade3ca8d49b5f7107c5174d6dd3a31018d79

SHA256
ec3a282f4300db62211916a3e8d0594eff998e711fd7b9aa6d449098915fdb12

SHA512
4dee2a1c77c5afd86b0471cc28cb8ce72bcc3a89b526edbc47075dfc8929279241a9621222c523d5f7f702e6098667ace130d4bcc810ff515216e916554ca488

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
128KB

MD5
6d2366429ee6d75bf7b3ca24810c83b2

SHA1
217135c43c275b3b91d2ce85a1d8f3cdeb565637

SHA256
0a825662de63b29f5b5fc15c602315ff66f4c94cd4774e4ff2f0f4b0230f0289

SHA512
316a41a7982c15d06465ed96fe5ced166dc6fea3ccbb448b06defa0c5a144908dc786212909e5ceddb61622f731ac5e0c101487663503a58642b9d2e6e0a21cc

Download Submit
C:\Windows\SysWOW64\Gabfbmnl.dll

Filesize
7KB

MD5
dd97c902f217b2ac1b1d7bf836db76a8

SHA1
dad378fa77d318503710ab92549e84b696047e5e

SHA256
7156c209a0cb1831cc4a63c4c37ec53e144c364a629e6937c63ee314a95a894f

SHA512
0c2bee4fe44518d768d425fe0087d17e7aebec8a9e48ffc21be5baa77afc06e95644b1e1415ce06328b6557ef747658380064232d256a714bd8cc1dbf2279aff

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
128KB

MD5
0640c2bc5ef1fbd70c87a2149f0ecba4

SHA1
469b3a72b42a61682fe30d6cfd85476de5ce0a4a

SHA256
1364b021372d3b2b8340eeaf934e07d71d875ae8132e3e5c0191956f1ee255b7

SHA512
9a5001a0d058de8947dfa78a8d2e07fa5d0c73aec941462e24de4a43196eb3438ad168b9320020e91b06af85c0ac9b4e61e55ef99a1790aca08af1954f3f538f

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
128KB

MD5
9f09898f95f9d26391e18269bd21122e

SHA1
cd99c2b2565906e6793e67aebacb203301cd3370

SHA256
2a9fd1b599f848bb863c3b11b5d01697cfdaac2e3d53ac31cbb0b8dd950bedc0

SHA512
88c34cb6d7768b01f12dfcc4513603042a19bd155d80a517f2557c6798e19ff17e170451dd12029321183a75ceae346480bd5c26b5c7a8eddd4d3ae0a7d5d318

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
128KB

MD5
fa5a0b2d5bf201602844270c21b8760c

SHA1
59bdfb273ec2517c80272e771ff67a0ebf306692

SHA256
efeec490837350447ccbd4bd206932323150fb3410e8cfc03dd62064fdae0fe1

SHA512
4a16ebb5f22dc7e7b654db80816369db598dd8b31d9e0a994ed8a0bc911b954cb486ab376023e52e5d76fd3cdde9f8ec950f9e3724f52f57019d83a6901de789

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
128KB

MD5
4e1f6d2e230e6f8b86be11167bd8da03

SHA1
102fbe9fff95b6f76e771b9c20a49f00d648bba3

SHA256
104f659ab71155d7939f2d9432aefce89c1d1e6d2dc41900cc039ec2e7c4d885

SHA512
8afa7465d2e80c4a496211668c08ead1b1eceda2f1641282d1c055d016e49828549538c933b8b2cafc51b83e670ec62a9884c791857d4825c778b777e5c6d8e7

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
128KB

MD5
e7b9345beaa20c29a9f89f21e1257133

SHA1
c17f86bc4e621a5b15c5441a5538ed50989e4730

SHA256
2310d6ba2e82ffeae6ed64c9361c39f759ca4c17cf0a6f8985121eaeac8898bb

SHA512
a0bde3724935ab81a4b0f30dc880b61bc5b792f95b1405a01f64e76a96212b4cd34eeb907d4baeb93d23b8cc1dbe7f937f08bc54a8d4054a868ad61731b6bccb

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
128KB

MD5
468ce61e0263b8a0e42fb626989970ab

SHA1
6203b609b0ddfa0081ae9ae50973c61d553fd2d6

SHA256
b5bb2644f76482e282dfae8c1bb60839cebec01d42772c4bd49c5a63b9e9ef4c

SHA512
b2973097b70128cba09fa4905cfb82dd408dda86fb5fd4c8260713f164f78a70ea78650beb5def0ab502796ec910e8c08b5a6b74010f1571b02d6de058c47721

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
128KB

MD5
95c2f020bbb72de0a7d54716fe1dd451

SHA1
664afdc3a28b8513fe8cbf65e7b1458161b778b9

SHA256
cccbfab022d026583020020a41160f10fbbb9059a2bde4cc84ec942cd651959d

SHA512
e4fe0146f7fa8002014c8ef1d5d7398b0ef22094998d48aee950106841340cb0a6031af38f6a09e7ff23765acadf481bbb87c1662d84de3c119d6051fa5d6305

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
128KB

MD5
cf9dd873851a8a1a313c45be59bd38b4

SHA1
b4b7f4657f7d2fb7e18f298bcaa33df035f35768

SHA256
269954e1a66cdc0560486ddccf5c598867c8f9dbc7228a4f4efd89c65fed2e1e

SHA512
9333b091633e56544d5ef2c841a99df692cf43a07479c1d64573ca78bfece4b0a580f045351ace5426dd34122dea0ed776f1ab77b33ad8713e324dd3d532ecbc

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
128KB

MD5
fcf3bdc43565da1ac6770e4858b8ff43

SHA1
d27f83f6d48fce21eeda425695290705b35e4ccc

SHA256
37c71e02c78d53a9c3bce468eee2e892346b799ffabfb8403d9e8b0c55f6b4b0

SHA512
b3967671bfe21993decf13f983cba5f73ebdde90fbd746c0841340f1246f1204b986b655e5aac5cc568a17ff15357660ebfce8ef42a0d80ef1452d4cce81b1ca

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
128KB

MD5
77d0b5c19de58ad64bb9786b343dd9f8

SHA1
ab4467fe44203f16908f823b508b35e7505aca5c

SHA256
852b89fd665df1157045af12dc3fa319faa84ed738787e6ee364f3dcff93ad9f

SHA512
6367b946e1f226a925232b62ed127eadbb65a894803218831d8d7f2621c8733c0eb2f98ee4cd2bf95311ce0f05f74be2bcb3af4ec152b00ae67b91e2cbbd974f

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
128KB

MD5
4d86e399b96d785c57635d86cef7d842

SHA1
a81271e4b836e9d47df07d728060094274a9a9ba

SHA256
c00edad425e5792183c1084e1baf8fdaf1682d9df9aca54b950286a15da00151

SHA512
8a5574d32830d458d726ceeda8fb214c96a341b6167ac259a8cb1644f1b1162c297c7b94e663ebe65f431b7b4fbf2fad58ba54d82011573ed2328567fe364c1c

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
128KB

MD5
eb7b3d7a80edd0a5a4cbd1847fa69f1b

SHA1
281c95c2c5f391e44c70ab64cc9b70e378fe59ce

SHA256
0c2bfa9c8330aaf10b77454c9d2c5515f57759fcc603c0f4800a85c9990785ec

SHA512
bb7a26c802c61477cc531b523f3915c42baf1385930b2e791356afcdf1f993da87d1fdbfafb32045e7bc594900ae867a2e5fb7ace34e0e98688e911e0926106b

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
128KB

MD5
604a97efedc445b34b2552e10f408a14

SHA1
158980166e7481f26e452e2de9b4156b762a7044

SHA256
1a0119fea52fe6cd10b89e28aecb5ee69ac6eca199fed44766d5f5f2a382e680

SHA512
a0c1a7f1e36db7af9c466093ecb24b6fe4ef15db15e24a042bf78c5485a1939f1e8cdf57b1f4181f57175825017ac45a00e6ba5058fbf4b6d31f80948bbddc05

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
128KB

MD5
bbbe4961829cd907121e86ec2d04d6e3

SHA1
b29ba2b317f5c5a976b21eca1a44c7a59add2253

SHA256
b533af1a795a7f238ebad448530ea4609e9f96f9e19775915c81ac6299fba446

SHA512
64a413f8dd917482367bbe1855d6040255757dcd6c10f6a93400b43374a68559475e0840460713d6f867026b478d44975e8c06db7452d155ee6a47aa9e7c12a7

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
128KB

MD5
47ea0999d7afbf1cce19a5c6ca001e82

SHA1
42991822fd971251e272993e2d9d3af268a167a1

SHA256
229c81401db5ffd2d763eed2d99ebb2e5d882833ecfaada1a89492afd9091159

SHA512
4c82fc50edabdc33790220b8c435ce041dc71fc17b227c15b83dc47b0871473e1c899ad4d4d44844c9a35e3847afa87676acbe1f64d2028d59b7c2962b578c3e

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
128KB

MD5
8c30ac5746c53139e4df2684bbf0b4ca

SHA1
e6893cd23380c2f9331f91b83a24a1f61024adaf

SHA256
aef333f11d5235daf647dec01f16e0ad1f32c81f5b4020ef023fda7cbcd951e3

SHA512
e8b6e01a4589f9e0c8331e702649758dfc43894518d86c6100dac56a44c428766fd24a1d52a9e2d7af74789451c33354295d241b2127a2fa52e5114c464058f5

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
128KB

MD5
e316ef2639c073f80360b3c6465559dd

SHA1
35aa402140058614aeeed2600153512dd1c6ce0b

SHA256
7a2b91e13675cdd0b0dd762fc86aa12aa2fe6aa042de24994788f48b7485ccdc

SHA512
38c9e3162797d425387802f304070c7ce5e188c66db52791681cd9949f5fa84a09548a7a46361b81fa4b9c9e602995a0b1eb3229a4cced35d07c41b6c08c53bb

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
128KB

MD5
f0f42f8da061d085cdb3e44646e64c08

SHA1
8259d9c573bd4ea0fb3ac43d0836d4db71e1662f

SHA256
5551a9b38a1b8ddb46cb048d7922af07d35cc3af463e5943cc2a5598b4f3125c

SHA512
b785af40e3f142ac867be2dc1f1a4101414e68c5b65a7c75fca52d4a67664894c3452278e3301871991fee6ecf1983ed962d4b0d57841cf273447efa8985f10f

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
128KB

MD5
44fd4d5a4dcb455a1d23c4f0175eee01

SHA1
4dd96f2ea9ed283c7e3551ece0fe3b8c7a9d40e2

SHA256
25a8c8900b5bc62e05208f78b9602d585a5f06d04af32cbec5452e05abfd5ccf

SHA512
410f766c6c8683566d86d7ae75bb919e0035800f465d794a4aa3c40bf3bc0ad9f877d47a4b7e86cb3ecf6979754cecfe0b0081586a5604d67f2f432fedd8f7c2

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
128KB

MD5
b55c91c2f2bcafa1b9be154cc852db0e

SHA1
ab1336ccf65667931030ee864665888bac70133e

SHA256
f445dea8a5768f040a6f7e64009404bac471ac3c031a28d5858711e54d91ee86

SHA512
1b457b109d9febb0d74225dcbe274c7d49ed911dcd16a3bc3b19ee56e71c3ac3b5b9fe582a2cafddab367bdb4ec683af3443cbbd1e2a77514f0318016e4c7a34

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
128KB

MD5
77d9187633fc48c5ba9795451918153b

SHA1
2329aa59294ca96a931295a61496cd2d578a8ff4

SHA256
41d6d6512015cd95c440ae2076579076d3b8eb6bc174b5b53349b474d0554d03

SHA512
860d1d5062945e6d41c9b27f5cb206116f3370bcd4af163c29b7ad2a9df09bac17e87093a9075cde23c62c3bea1bd33c9e57fa8adcf324afeed7bc4ec0d42c46

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
128KB

MD5
6ebde3e5b738616e2c3e9f6b99b3438c

SHA1
b42a3bdf48a03465a6aa46b510b7a7f9c9ce6db6

SHA256
b27a2c537f29ea2ed059ac27b272628d196703ef6a8495919b99bdc438d17208

SHA512
626ff361de4e42452afcdf3e4a698ea0ee0ff915922be169396798db9ea3eaa19ed9c56c0fe00ba435efec6240ed6286becc8e34475e31a32f8e1b95858440d8

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
128KB

MD5
883481d528f826c87afa0740ff7dbaf2

SHA1
a2cdbfeecfcf7ba0c995f9a9f8928860b79bcc63

SHA256
ffa87eb3c7ea259efbad4c46fc29c7f650735d23aac02ea2f1da00c77ffd0775

SHA512
9462865bcc876ebaf3d13d2e4984ec4c44a16c21b7e3a0fa4c9f7342c3eeadb9151c367f43fb096bc156fb1d5465318eb3a5f5c9660fc9a598763d1a501e179e

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
128KB

MD5
dc0fc999e77733fcdabda162f5611a0c

SHA1
9ea94854759642b73b3b6f25a2fc0e0c42853699

SHA256
fc55084eaeebc050980af0085863fc2525ad11f8b3c29ac7305d3545c3fea4c3

SHA512
878987cc7255c6065092a5b0064af558ea3de436556e3ae7a0c35c6fd3b47d6577e0584624a9d7ca3737585395e090cfc1a5e72626990258650bcee6d99bc303

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
128KB

MD5
657de3e7375a59be3bd4c00c8eced312

SHA1
870b15f7ecee13eeb74106fc267f0c6d4ca5bc3e

SHA256
c23757f891aea65d4b9838869ee68fffff05fbbf421ab84b59fa3cb5ba27294b

SHA512
fef61f8be5f4c7137fe08f036d3d268d71cd8dc2bcc36229afb03c721a2156c4e44b38d95a4a74358d4382ebfa183e58ebd851161f38c3ad95aa5d835c6f9f27

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
128KB

MD5
e9e5d25d0cb1008a08886e9c0d1b8662

SHA1
372f464c1e652eccf2179ce414b7271d68b3b9cc

SHA256
cb49d83178b2f9f840a41aa4af58c4addeddc4b68954cba9b7f0762fd3316a8d

SHA512
80247b657be02b1f1ad5ecb3b87704a29c1fd32b878873438c6c32f8fc8e55b0d3de14411a663dddfaf08719dfdfa23bf24ed234cabeab16d48a7eb2c6a18278

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
128KB

MD5
dfb187252ec3041d274b65a725cc640b

SHA1
80d637c37fe3cbe0553864da8c2202475fccc534

SHA256
1e4ed07f10787787b6ceaa7b71b00eed2a732d7cc2b3f4e5caaf056454a452f3

SHA512
96703ff9ade49204bf9ac96473528712930c38e14409d2a81f9eccaa92b73696d9d228332a77258b7163cc0161a7cbf508e73921333a9b6486843857d4757662

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
128KB

MD5
173c20ffb5345072734852db9ba5a8b1

SHA1
93d5c236571c65d34c6f0a485f9d8736b36181db

SHA256
136e32a537eb2c8e2052b1986689340809d5b6b15e4d6d48f0c64182442220ec

SHA512
099c00794334f2f1b6e19c7751edb0ec5ace5cd449ebb3b3fb21f9c37e1fcf486d2d3b21606231f5dbda4555bcec82a0009a2667137aa969afedf8ffa6bbb8f7

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
128KB

MD5
17b256828c8c5ad682626ee5c3eb4ea8

SHA1
a3232235fb00b29fa4350ce571d7f68ea16d18f3

SHA256
5ffbc3a946434d71132c4d0bbaca723a2fa7647b28aa5b87a9d9c6ac458f6f21

SHA512
aa0d361cee571e2ec6e172ab4dfc159dacb0a0c1f21861db94563e12cdf1cf2c6db2c6b01d9e323af9391c5007c73f45d9cccd557ae72f966402500864f7a590

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
128KB

MD5
87232bb0c42e2893fa9a823fbbadde13

SHA1
3584cc4ede29baf4ae28db475e97208401e5dd96

SHA256
b34b49a7bdc8a5d4aa9d277b73586052ba547f1ff549658fac01deeca132f3d9

SHA512
d2abb5dbd198f9f1d2efaa14b3ea8dddef2f7735cbdff8299179625e50d76bbdac760f8cf25abafbee4175c096194ec7b46ef36df49f2be7d05a66dca6dc8ae6

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
128KB

MD5
1d59beb15a6b51e60339e14ef533d7ae

SHA1
f89a878a63202e7e6752924de6462b9fdc712be2

SHA256
2f484dce3d7fdb3ec02b6c36339a1c1bc6ad1fd192278be7665a9523a4fce872

SHA512
e783b6bbee5957e51ea977b1ef749b8df0c32e129ed3a7ccbfc91d19bf63ff5bbe6f3fd305e0d7e85da762f53c0d6a81fab6a19574212d83e10fd7543231f35a

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
128KB

MD5
cdfa4a579281b5ec18d90c601f2f2f6d

SHA1
91978227eb65cbfe260263d40794cfcb2b5b3b3e

SHA256
dc131d12bcbfdd3b7f42eefe3b93dec70d5d796c6a86922f01ed9f3b6ce241a8

SHA512
3c6f2652ab6d59d86ffb45f267d9559d49844e3e78c0e2680816e4ee1912f5108b3ee7a9870e80ce2fc131f9ee9b73246f9c3468e1e97049a5777cbb9337e195

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
128KB

MD5
0758cdc64dbc2cba9ed8af5ccb37d270

SHA1
12ee31cc926bb9f859d4dd35eca7b3022967823a

SHA256
4fc70eae6b1509f22d492b4b55fd3c4da711ba4014a879d521028ee8adf0bcf7

SHA512
2e12d200b98e178549d1c0ba30ef243b87c53026ae41b973c25f358cbc23ff9fa96b857498594f73d64cf2357e388db8e4ad31a7f623e15c554901fc2d229d8c

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
128KB

MD5
7d01004b1908077526b1109e1e0c42c8

SHA1
479eacf32773b1e4224c01375d8731f01ec33657

SHA256
69c81b2f7f873c91b4c9f010ebbfabb1d6c65eb8a8d4dfcade543f987073338f

SHA512
612277c349ca62b83c9f0e4beeb6fe83f6535d26e963d66084fcc13ce41fe8c54825f872a2432009bd87ee7eb91048e5070f278558d6f4158ed049f26b2d0bf9

Download Submit
memory/220-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5188-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5204-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5216-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5248-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5292-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5300-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5420-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5420-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5440-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5460-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5524-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5560-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5652-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5692-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5728-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5752-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5760-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5860-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6000-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6000-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6020-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6060-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6084-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6088-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6104-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads