199722daa34106114d9468650e81835194fe170e29b3c1b3b5a94358452ffa2c

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8739986a1471052a1340a41e91a030N.exe
Size

95KB
MD5

fd8739986a1471052a1340a41e91a030
SHA1

896f6b15a716b1ccdb67c20aa604537ba4825d31
SHA256

199722daa34106114d9468650e81835194fe170e29b3c1b3b5a94358452ffa2c
SHA512

566039ed2af1149b30d8c8324aa7e33dcbbc7939baebcb9ec2f9294e962c88e8f7871a8b3ed906287d45bcdc776d25ff5f1b05d9b638e8dfb71f13a2b583a318
SSDEEP

1536:mkFWmcaTKWLgm24Spqu4PcPSrTzmx2KV/RQr2RVRoRch1dROrwpOudRirVtFsrTO:3Fzcae74zuY5TzmxveCTWM1dQrTOwZtB

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcikejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe

Executes dropped EXE 64 IoCs

pid	Process
220	Johggfha.exe
4612	Jafdcbge.exe
2236	Jimldogg.exe
3916	Jhplpl32.exe
4872	Kedlip32.exe
4876	Khbiello.exe
3668	Kakmna32.exe
3468	Kheekkjl.exe
4372	Kcjjhdjb.exe
660	Kidben32.exe
2356	Kpnjah32.exe
1720	Kapfiqoj.exe
3852	Kifojnol.exe
5108	Kcoccc32.exe
2052	Kiikpnmj.exe
1920	Kpccmhdg.exe
4436	Lljdai32.exe
2864	Lafmjp32.exe
2344	Lhqefjpo.exe
3640	Llnnmhfe.exe
3444	Lpjjmg32.exe
4676	Ljbnfleo.exe
4468	Lancko32.exe
3100	Ljdkll32.exe
320	Lcmodajm.exe
3868	Mfkkqmiq.exe
4336	Mpapnfhg.exe
3532	Mcoljagj.exe
3804	Mfnhfm32.exe
4644	Mlhqcgnk.exe
4880	Mofmobmo.exe
3264	Mcaipa32.exe
3816	Mfpell32.exe
2408	Mhoahh32.exe
4924	Mljmhflh.exe
1648	Mohidbkl.exe
3188	Mbgeqmjp.exe
2056	Mjnnbk32.exe
2028	Mhanngbl.exe
1264	Mlljnf32.exe
3396	Mqhfoebo.exe
3956	Mcfbkpab.exe
2416	Mbibfm32.exe
4760	Mjpjgj32.exe
3428	Mlofcf32.exe
1832	Mqjbddpl.exe
4972	Nciopppp.exe
3460	Nblolm32.exe
2840	Njbgmjgl.exe
3140	Nmaciefp.exe
2568	Nqmojd32.exe
116	Nckkfp32.exe
1836	Nbnlaldg.exe
2488	Njedbjej.exe
1772	Nhhdnf32.exe
1180	Nmcpoedn.exe
5008	Noblkqca.exe
4628	Ncmhko32.exe
4428	Nbphglbe.exe
4800	Njgqhicg.exe
1740	Nqaiecjd.exe
2156	Nbbeml32.exe
3972	Nfnamjhk.exe
5088	Nimmifgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Leboon32.dll	Kpnjah32.exe
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Khnhommq.dll	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnln32.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Mljmhflh.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Njbgmjgl.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Nmaciefp.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Objkmkjj.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Onnnbnbp.dll	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Ajhapb32.dll	Nmaciefp.exe
File created	C:\Windows\SysWOW64\Nbnlaldg.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Cnaqob32.dll	Njedbjej.exe
File opened for modification	C:\Windows\SysWOW64\Nbphglbe.exe	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Njedbjej.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Pblajhje.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Amhmnagf.dll	Johggfha.exe
File created	C:\Windows\SysWOW64\Kiikpnmj.exe	Kcoccc32.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lpjjmg32.exe
File created	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Ichelm32.dll	Kifojnol.exe
File created	C:\Windows\SysWOW64\Fnebjidl.dll	Lljdai32.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Nblolm32.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Nqmojd32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Noblkqca.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Lljdai32.exe	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Khlaie32.dll	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Mlofcf32.exe	Mjpjgj32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Hiciojhd.dll	Kidben32.exe
File created	C:\Windows\SysWOW64\Noblkqca.exe	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Nqcejcha.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Pfagighf.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Oihmedma.exe	Obnehj32.exe
File created	C:\Windows\SysWOW64\Chjjqebm.dll	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Jimldogg.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Mhanngbl.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Oonlfo32.exe	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Mcaipa32.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Mqjbddpl.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Debcil32.dll	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Gpdbcaok.dll	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lljdai32.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mjnnbk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Ofckhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Ojnfihmo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5736	5612	WerFault.exe	195

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbebbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcikejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kheekkjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjnnbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpapnfhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbgeqmjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojqcnhkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljmhflh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohidbkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd8739986a1471052a1340a41e91a030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpccmhdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgkan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omopjcjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnamjhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbeml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhdnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofckhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ommceclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakmna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lancko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlofcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paihlpfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimldogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcaipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjjmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oonlfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oblhcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqjbddpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nblolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhqcgnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omalpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcegclgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedlip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbnlaldg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckkfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pjcikejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpodked.dll"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debcil32.dll"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcikejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oonlfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 220	1524	fd8739986a1471052a1340a41e91a030N.exe	90
PID 1524 wrote to memory of 220	1524	fd8739986a1471052a1340a41e91a030N.exe	90
PID 1524 wrote to memory of 220	1524	fd8739986a1471052a1340a41e91a030N.exe	90
PID 220 wrote to memory of 4612	220	Johggfha.exe	91
PID 220 wrote to memory of 4612	220	Johggfha.exe	91
PID 220 wrote to memory of 4612	220	Johggfha.exe	91
PID 4612 wrote to memory of 2236	4612	Jafdcbge.exe	92
PID 4612 wrote to memory of 2236	4612	Jafdcbge.exe	92
PID 4612 wrote to memory of 2236	4612	Jafdcbge.exe	92
PID 2236 wrote to memory of 3916	2236	Jimldogg.exe	93
PID 2236 wrote to memory of 3916	2236	Jimldogg.exe	93
PID 2236 wrote to memory of 3916	2236	Jimldogg.exe	93
PID 3916 wrote to memory of 4872	3916	Jhplpl32.exe	94
PID 3916 wrote to memory of 4872	3916	Jhplpl32.exe	94
PID 3916 wrote to memory of 4872	3916	Jhplpl32.exe	94
PID 4872 wrote to memory of 4876	4872	Kedlip32.exe	95
PID 4872 wrote to memory of 4876	4872	Kedlip32.exe	95
PID 4872 wrote to memory of 4876	4872	Kedlip32.exe	95
PID 4876 wrote to memory of 3668	4876	Khbiello.exe	97
PID 4876 wrote to memory of 3668	4876	Khbiello.exe	97
PID 4876 wrote to memory of 3668	4876	Khbiello.exe	97
PID 3668 wrote to memory of 3468	3668	Kakmna32.exe	98
PID 3668 wrote to memory of 3468	3668	Kakmna32.exe	98
PID 3668 wrote to memory of 3468	3668	Kakmna32.exe	98
PID 3468 wrote to memory of 4372	3468	Kheekkjl.exe	99
PID 3468 wrote to memory of 4372	3468	Kheekkjl.exe	99
PID 3468 wrote to memory of 4372	3468	Kheekkjl.exe	99
PID 4372 wrote to memory of 660	4372	Kcjjhdjb.exe	100
PID 4372 wrote to memory of 660	4372	Kcjjhdjb.exe	100
PID 4372 wrote to memory of 660	4372	Kcjjhdjb.exe	100
PID 660 wrote to memory of 2356	660	Kidben32.exe	101
PID 660 wrote to memory of 2356	660	Kidben32.exe	101
PID 660 wrote to memory of 2356	660	Kidben32.exe	101
PID 2356 wrote to memory of 1720	2356	Kpnjah32.exe	103
PID 2356 wrote to memory of 1720	2356	Kpnjah32.exe	103
PID 2356 wrote to memory of 1720	2356	Kpnjah32.exe	103
PID 1720 wrote to memory of 3852	1720	Kapfiqoj.exe	104
PID 1720 wrote to memory of 3852	1720	Kapfiqoj.exe	104
PID 1720 wrote to memory of 3852	1720	Kapfiqoj.exe	104
PID 3852 wrote to memory of 5108	3852	Kifojnol.exe	105
PID 3852 wrote to memory of 5108	3852	Kifojnol.exe	105
PID 3852 wrote to memory of 5108	3852	Kifojnol.exe	105
PID 5108 wrote to memory of 2052	5108	Kcoccc32.exe	106
PID 5108 wrote to memory of 2052	5108	Kcoccc32.exe	106
PID 5108 wrote to memory of 2052	5108	Kcoccc32.exe	106
PID 2052 wrote to memory of 1920	2052	Kiikpnmj.exe	107
PID 2052 wrote to memory of 1920	2052	Kiikpnmj.exe	107
PID 2052 wrote to memory of 1920	2052	Kiikpnmj.exe	107
PID 1920 wrote to memory of 4436	1920	Kpccmhdg.exe	108
PID 1920 wrote to memory of 4436	1920	Kpccmhdg.exe	108
PID 1920 wrote to memory of 4436	1920	Kpccmhdg.exe	108
PID 4436 wrote to memory of 2864	4436	Lljdai32.exe	110
PID 4436 wrote to memory of 2864	4436	Lljdai32.exe	110
PID 4436 wrote to memory of 2864	4436	Lljdai32.exe	110
PID 2864 wrote to memory of 2344	2864	Lafmjp32.exe	111
PID 2864 wrote to memory of 2344	2864	Lafmjp32.exe	111
PID 2864 wrote to memory of 2344	2864	Lafmjp32.exe	111
PID 2344 wrote to memory of 3640	2344	Lhqefjpo.exe	112
PID 2344 wrote to memory of 3640	2344	Lhqefjpo.exe	112
PID 2344 wrote to memory of 3640	2344	Lhqefjpo.exe	112
PID 3640 wrote to memory of 3444	3640	Llnnmhfe.exe	113
PID 3640 wrote to memory of 3444	3640	Llnnmhfe.exe	113
PID 3640 wrote to memory of 3444	3640	Llnnmhfe.exe	113
PID 3444 wrote to memory of 4676	3444	Lpjjmg32.exe	114

C:\Users\Admin\AppData\Local\Temp\fd8739986a1471052a1340a41e91a030N.exe
"C:\Users\Admin\AppData\Local\Temp\fd8739986a1471052a1340a41e91a030N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\Johggfha.exe
  C:\Windows\system32\Johggfha.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\Jafdcbge.exe
    C:\Windows\system32\Jafdcbge.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\Jimldogg.exe
      C:\Windows\system32\Jimldogg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        70⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        89⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        90⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        93⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        104⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 420
        105⤵
        Program crash
        
        PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5612 -ip 5612
1⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4348,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
95KB

MD5
795ffd37d9c6651ec9dcb904054afd41

SHA1
d2e0496545eb97035091c40698cd909f247a9418

SHA256
b4e50a2e35a0743d55229d50dcab73a0ffccc8cdcbad4295320cc1a76f89dcf5

SHA512
dedca8e40116ee9019cf7a0784fe9d65f5f3519c2d3ee2f94ac8586f1c8b97815059488501a5fe6a499258d551583d0d77267444e054e72be5868e4eb957b0f4

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
95KB

MD5
a1d4b57fbee0903951642c8194c5af6b

SHA1
aa212abbc546e6b8a13cf203132a8a2638fb6611

SHA256
415c792c82869ae8a3ca882f6082988a1882f8e69c93a9e6ab8d1e39127b817f

SHA512
88319dca4c80e572d99b2a1a58b4381d1dfeff1af0b5d8fea32bb09d455394b862ae3e96a746161d72dca24f92508ed6867313e1029f96578a29df9dfaa46752

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
95KB

MD5
e068e1984e8e73e120dc85d731bba92f

SHA1
4358f76f3aa7c559de2b33ca465568d0735e99a7

SHA256
22d5442f192c050b26bb7a47d7d6bd3908007a20a605814b7e3540d1eafa7011

SHA512
3d9cffb4a377288966a27f4e5c7a8bb5a20715fbe760cd80f0dae42113f5b0fed955b50026fa607076d94bb9759e2f2277bd33c48404baacbeac84ae05766bc1

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
95KB

MD5
a31b9d1e595f5a8c832d0278db39050b

SHA1
4be7dcaf911a183f2ba2fb0490c41e138b12f3e4

SHA256
f0ddb4c97dc8ddcd44780beca13c1dec613b994f308d21073a436228c3da6bff

SHA512
62aaa03d5cc42b02e812fefcc563edc64592b4c77cdbd1563498ae5b9d4375abca2dbcb46b5fd6a2dde7fd354f55ae74074dbd6c52e1814f4fa4bed4ebdaa711

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
95KB

MD5
1de1932204bac4c8ccce600d22708b71

SHA1
a59987f5b8b13f47219977c0f8b5f58ac707c7b9

SHA256
da538438e7a8130f54717911c724e7189d95c20bbe172dea63ee7a0040ba4d95

SHA512
bcdd2e20dd6016955d6a7ab2b7972580c1ff18bf145aea0965740531556d6796e14f0d8b6a6b12116b7d6e7cae54a1fbcb29836a9d247f27842b9fffe2dab1cd

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
95KB

MD5
f0dbc95837ce9a9ce057df6f5036b8cb

SHA1
3c8848be144dcb467a121cebd906b37b52b125a9

SHA256
47a2f8f902205c15c5f35b14836b4b964f80f3bfc89b2acaba04f5c14cf52312

SHA512
b191bfb1c74e69515894a9e58e8c96ff794ac0eedf2db241f7899c6a2f8a5f1545a136b62a6015e1419fc8090491cab8926e58a50aecd17e4cea0a48f43648af

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
95KB

MD5
fb57a134d31318c7de6ecea52dd8293a

SHA1
d60c97f8ba04f29e03f1fe8056c61267d1783cf6

SHA256
9c57da0fd2aacac401048e2edfcea59371780fc8043f03664271da6f89bff017

SHA512
9068a3e05db62300eed5c383e7a6ca4e0a43b3893a7244ad271a7d1a9e06cdc24c4931351588fb0ae78303777249c256800850a2b75bba4b6af170151f43fdde

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
95KB

MD5
1633b448c11f3d5d32099fce0e59cea9

SHA1
2a6e7eab537e05308db0d15947c78112277022f7

SHA256
8ad0a10a6caa58b34bdd38aaed6a374c5e422554f92892df2d2578b527bb4cc4

SHA512
2cc78e14c8ad57a2d88402289eb0623ab977edae11a7698d2b6070fd82b7e507b22f3c1a1d466b5b0302b702981a732975c4aac8cfdb38c2b647c6847c05d945

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
95KB

MD5
161e4342544b56a9167c911409e76de7

SHA1
4e2592e1922b54b86c3f8fa1fa407e854b24d521

SHA256
e50cff568a70baa7e37498c0fbdc018b847107dc6a022ca4315955197eeffd43

SHA512
5d2660d6b5d049c142eab4defd50ef24f5bf711452a61676ceb0d531b0ee05c8697da3d6ba97459eb56a49d65f3d43090f9a8cd72b7d2918296c4220f560cd57

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
95KB

MD5
f895b02133b76d4805113f841653fa57

SHA1
8aa5f3d571fa3241c27900089196b13a98ec2a57

SHA256
073494155f7d6fb317f95da75da35363192bcc4b87b7803010d7bfcefa770081

SHA512
9868c8332b9834abc27398a5faac6573cd8ccc1cb9f798082c5d26b1d26231c0ebf5bc4d44f91e82932829453375e25ff4a49044d5d808593c535add82906ce3

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
95KB

MD5
02b58061c189de0ea09b51a57feb9c14

SHA1
ad30a59009ac0abd5fb09505a091b269c414c96e

SHA256
2af2d4669fee934158da319bd417abea6a4eb95bb647537b3ab5be9858afc89a

SHA512
f83e5f2f46d1869617c20a7732137db457adb8973c664ce511ae2a3b14525cc8a46234c6a1d753952716e876bd14ac11f05e46c144ea3e4072dadd84312a50fb

Download Submit
C:\Windows\SysWOW64\Khnhommq.dll

Filesize
7KB

MD5
ad317f5e4b7d774a125e01418e4531d6

SHA1
7f7c106b9e7d372ea7ed1f1d08513c8e1816ec0d

SHA256
7b76ad87cb79c68a5ef017d2d1b2739b2e3b36a18223445b898c468f95a92033

SHA512
2e792646d0f1cb5e5c3e76d303e759929a55c43ecc9bf878e7b3eb05061e9119f73406ca4bbb29f10685185ee0f939e3abe265a451a8ff15eee1ed7946fc7282

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
95KB

MD5
e6715d422dd8cf343d98eb77c8156e98

SHA1
99168ef2e06697465d8dfb2b2b1747285d98e4ec

SHA256
9d283e6be4a930da5f9e988a030ae46d310b9ec3683ff1746ecc1b422345deaa

SHA512
65e7d0ab85484f76fad41c19672bb62054974436352cf278d6e7919493570ae58b811dcb75483980606ea9001cb4364c0a9b8366646e3eb3adf44c41a8c7c83f

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
95KB

MD5
514003416ee99bc651c54a22b4b584dc

SHA1
e247b690ffd39cf9317434f94296eb0eb16d2222

SHA256
4540d8928318cf41fbc0e0ebe791ee0834e079b148915f3a07792d82e74be9a2

SHA512
12872fce03254dfcf2d1bc8f56c2d952786bc53f63ef91044ed71c9ecb832268df4a8d003d57c217823bcfc7b683a3c3b58503056a8e0e3e3a9485a8fa2f33df

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
95KB

MD5
7614a9003419bb6f276e798895b7365c

SHA1
0e6b03204fbaeb2d0d3e50b60eb6471d290b9009

SHA256
2ae2e548ea84393b9b8e5a41d270edef3ce3d1e5be269e25122086ee7589eef2

SHA512
13d01f4a2a57135b026d7daca95422f8fb734a02a358597b79e59d14941c1681a5b791190f7f97ac794744f13c87af1eeb4b53f66c79d535d843c8b64b3be930

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
95KB

MD5
c2f85b205fc196cf7a25f639b6fa6e05

SHA1
809d794e2c3c197cc798feeac195218d241620d1

SHA256
a6d9455ac437d36a5c9d095ea2cb4fd3cbbdd3039f6cebb12a53c23d0ca92991

SHA512
be181b6acde6923ec004db07f45dc4068d0be7090c0c5bf343b685610b90f3feedb0eb79984cd4b4e145a89fa242017c9122ceb8e835a61feac9e553044d7ea2

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
95KB

MD5
216817952dca2fe6e4b76ae66b49ca2d

SHA1
69394144eda34832b6ffcf838daa481b5c6b3ef3

SHA256
013e8cec7e666b877ad9725ef5a51f5c44d377dad1919691b1c2636059a9a0d9

SHA512
b96e8c7c924c3d154fd760426330d993defecd495e604e012b2658ae44dd2cdf51f6df1d2301bbda72eb4996c972a734a4ca513478f23eb469fd3afc721e129a

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
95KB

MD5
33cb0a918ef043e335aa623f82f57c8f

SHA1
8404cdb997302d0c5afe4a83788582329a2b78c6

SHA256
b2c824c76137d66aa9b47c17784025c389bde3c69f61bb58a299623a5609fe61

SHA512
eadeb0e36b1c7ab0e4795f702fc1c630fff3578575560eb8ebcf66a20c006feade987239aa9c07d4a57198b6bed5e1bde90f395bb777acc76a22c4e12d2d7626

Download Submit
C:\Windows\SysWOW64\Lancko32.exe

Filesize
95KB

MD5
4519d3a709fe091c01611d4b1eaba6fa

SHA1
e823c3a3a3256e8840ed6190966932394f33c65f

SHA256
1c1f269d8cff874c47c6efca6c74561000324cafed2574db634f84b8fdd76d2e

SHA512
7e5c3c4fe29364ebe409b532cfe45f3cdab60fc0aa502f931ad4d619ff04b9ae90c8e185278da0ea20fd9ba75583a1d00b88bb0692bd9c3e653eedbd9a655eeb

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
95KB

MD5
20209bed37963d3b0d05043d43e229b2

SHA1
f93df2c6644eb1143f2fe281870b5eb9d34040c6

SHA256
44641f9e11086a05dbef77ce61940325c13e73d6e49d87eb6ad27f68e9f97d11

SHA512
4511649a2a173914053dbcfcc1211de2729371ac38d760b7cfdb8a1e1a657d789e6bde60892bd80a818c36c76f66e64837505aee90674a9b09b0e7f54affb0a5

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
95KB

MD5
2ff47241f60e1182f2c168e9b2437e15

SHA1
c3575e9e69c1216d32f761229887e565c7ef8de7

SHA256
41399536f74699b2ed35e0153665c6c6685882ed19f4f6f448a163559d620c90

SHA512
6323bbb8446655ee3378bc7b57b3aa71ccf5c0e4170d227052b3938ac89d309f3f92bb9491002549b197b7501fa55d8990f34fb93d83949dc4e23aff161c00a9

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
95KB

MD5
84c69980f933b78e0064c6124bfc1b73

SHA1
b64c391e088e5349a095ddb6b39079f72a3dc2ea

SHA256
83258bef5569bb299c6becedb5581be051fee559615189e702f99148bc0ec01e

SHA512
b4213bd68f8c0252b707209fd8287b6a09c8ab0235da8576b27b670c1bd3e47a003843b6bd4338624830b77544be2f502f2135b9f8f22954c9702de1795fd84c

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
95KB

MD5
1a1ffcdbb45ce41ea292bc5c9dd9fee6

SHA1
9e76c25faf2f40a5dd1d6c08fa227ba7771a90d6

SHA256
4378d72cabf018ffca756c0d9483b06bc0839f187cafcb4dc4bf02c5f9908d9a

SHA512
8e825bad21040803587da8a529bf9573acca550e250275c9577885fb6e31cd8262a501a30aaa0a1fff74e14c175f60b767fb1ed1eb3031643d615193f8fc6dea

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
95KB

MD5
cbb5f3a9c75587183f82fb36d1cb3b91

SHA1
119a2c81fde47c0f121118e1e850c497a25066f6

SHA256
9062df73f067d34c89fc47525d55f8b9e1a9b598620841ae71f29287c7991155

SHA512
ec7a5c4ec663756c4f6962629a2343714bf62703b230163a445477a1b93bdee22ab2cda82741002381994b52ba507dcacee49425cca3aa2c8d1a9bd200b58d38

Download Submit
C:\Windows\SysWOW64\Llnnmhfe.exe

Filesize
95KB

MD5
6be456aeae915db742bd0606607eff59

SHA1
a3b1a6f57da926c11342251d4d82037d359c4b4e

SHA256
998c0e08ea41ab2b7ac410a5e6310813c1306f48d9a7b95ddc4bef0bcd82970a

SHA512
c88002035b8589efb21ec822ccbf034509492051ee5bd373e49ddcf4b75def0a19b71750bf0c2e42628fd6b0e7ad37b068da1bfb345d0447c2ead36a3ad3ba33

Download Submit
C:\Windows\SysWOW64\Lpjjmg32.exe

Filesize
95KB

MD5
383ab3c0d3ff3c76f70ca8b83a079796

SHA1
bf72235670d0980f53d143ec18e90782403e9423

SHA256
a7d0942757b87aad8f4565f869a75f2bac15bb63dc8969a8bca4d9e298e35f53

SHA512
81a7e6639611dda84619133c3e2b1c82d13e000235d0edaeed64ef7ad2f8837595d37a34b8ffab2068eaf0ff921c89062a054b158325020d184d2da622cabfeb

Download Submit
C:\Windows\SysWOW64\Mcaipa32.exe

Filesize
95KB

MD5
73f2465462ee8bf93b814bcc847b1718

SHA1
4f0aba3d4f352bc07b3155f85a926d243580feb8

SHA256
f1d3b9690a861a5deacf6ea9daaba319216925388817e9e1b53a962ffb40b5c7

SHA512
23e9493a069a394a86b346295de6d1bd2eb83649e419ff29980e61ebb7504a53ccc8369e50e42fcdadd1ecdb0c94a3040501c989ab9c0398fb21f824de0aff3e

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
95KB

MD5
051f956cf0bbcfa3d9deb1b79aa6e124

SHA1
d4fb341e59a1f5b34c4ebe3504230b0f4940f4bd

SHA256
df0d426dcc2cb7f0920d76a89e6e0846bcaca1e8977fd626bc41c4931aa285ad

SHA512
53405e10e841fa3835389296a041b40c07958fad8097792e137fa81833f48a74526b1e4cebe5e0f3380feb4141a7f8ff1293a7522ad13e2378a5d75a31e0b33c

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
95KB

MD5
dab04c5147b3c5d813d7afab973a65c4

SHA1
773fe454b65206bbe9b3e860a30f690714536dc5

SHA256
68361c6a7531ea6c9abb04bdaf867e36ca47c5b65d7a116adbd85a046da52373

SHA512
e42965262eed12cf252ab8f2fc057482ef4d938061b0e6709d62adb2489efca95efd6ef5f340841ae7c9ff4087db1f07d199db0cbe89cac6b3207ffb33a9edd8

Download Submit
C:\Windows\SysWOW64\Mfnhfm32.exe

Filesize
95KB

MD5
b6fdf845bb7b3250ffd8ca691c323cf5

SHA1
449f13f82db2395203b43e99aa8b498e8b357baf

SHA256
3453155882662c34f2a773b28c74d18b064ffc2b273417fc5a7f28ca35b73cc8

SHA512
d8c103c2b3d9ae45ac5c8dfe3267e74225ba794e39d3728ccb160d7014d74718f49e1c6979bcbc2e03cb2c3e19f5a48036947243dee7e421d5498af67bde713f

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
95KB

MD5
3f6f5a62ba9515a890cf3c05c27d7e65

SHA1
003ce7b709cb6714da3de60153378a2e12f17a7d

SHA256
1b455bf5676c048185565093d2d371539399c35af93c0c6a3e69c3c56a0d2605

SHA512
ce5e4ec4ad8b1b6fcfc2e5f938ea7f4cccf5906818395295c8c740ead2cd5582809a297209a291ee07b8e235086442f44e41e9c29e08e2040aa02a4fe67b6929

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
95KB

MD5
79e267e5fa11ac5ff7e6837a12ff2d9a

SHA1
b2b8c6abe9e04a75ee4082a61edf8974737b7e0f

SHA256
eeced7353ddb35c6495b2d8c28d49525fefb117da24722796c4f0755e7041e24

SHA512
6371d1ca47a6c43a1a2576885fa7d9e78d5022c667af2c1f7c15e125bee7c068071a3806a37216f845ccfc8d6fa18f9f5b131e34cf681ffeb58140cada2accc3

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
95KB

MD5
d71ccbe56bbd59129422cbd3fc9fc92b

SHA1
cfb0ff81cf777bfa128da09bcdbb90863222d083

SHA256
b9f204b615a3f85a1fc77d3f60e6d140e1ae7328098d53503e8d4e62a8202260

SHA512
3e5a5faa241366d2668c3d22d267e4f6ede36736d836614a19483e2373ee954019a45fc10597142595cf3e75e545787414fd9408d7e935031f45731b8e656551

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
95KB

MD5
0e96830b123cac7c60d7cc7dddb0fdb7

SHA1
d77d645f81830a4fb19993d3ca029486b2c4842c

SHA256
7ee6a32a8507504300a87220a02a2d4b517c4e6edf369e232e97f1ddcf7c5cf9

SHA512
0aa3bf27649332a2e8f203cb9df53a5f766c2666de23c5ce877be61c7e224b4c27be800be69d040f2d2e85ff9c0725833620cc1bd86599170af48b61905a8b83

Download Submit
memory/116-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/660-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/660-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3468-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3468-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads