a90d9f173d767199cf25be6c6e3b0dc96a0012d8c54b7428413000b936fdd11d

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8eb79990b8bc8bc00a304416b3a3bb0N.exe
Size

192KB
MD5

b8eb79990b8bc8bc00a304416b3a3bb0
SHA1

b688ae3cd80b501ebd5878fb9ac83eafb075b300
SHA256

a90d9f173d767199cf25be6c6e3b0dc96a0012d8c54b7428413000b936fdd11d
SHA512

d25f13fe5593194de45b10143463ab0640a2a44f2edebe3f31dcdc17dbab17e8df8549bd0ce67fa13b43fb109b8f0788ccff8e21098c70fe297c75e29e8c34a1
SSDEEP

3072:0VonlHieZzrIUUN7SmCQdBUjdfl7ATOAakT3FQo7fnEBctcp/+wreVism:0VilHiCNUN7S+Wd6TbakT3FF7fPtcsw1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbojlfdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkknmgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lancko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpochfji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgbqkhj.exe

Executes dropped EXE 64 IoCs

pid	Process
4816	Hajkqfoe.exe
5000	Hpkknmgd.exe
2224	Hnnljj32.exe
1708	Hpmhdmea.exe
808	Hnphoj32.exe
2872	Haodle32.exe
1408	Hppeim32.exe
1424	Hnbeeiji.exe
2888	Haaaaeim.exe
3808	Iacngdgj.exe
2388	Ipdndloi.exe
1180	Ieagmcmq.exe
4384	Ihpcinld.exe
472	Ipgkjlmg.exe
820	Ibegfglj.exe
3596	Ipihpkkd.exe
3608	Ihdldn32.exe
644	Ipkdek32.exe
4564	Jidinqpb.exe
4452	Jpnakk32.exe
4076	Joqafgni.exe
3112	Jhifomdj.exe
4416	Jbojlfdp.exe
1004	Jhkbdmbg.exe
4820	Jbagbebm.exe
2280	Jhnojl32.exe
4764	Johggfha.exe
2824	Jimldogg.exe
1156	Jojdlfeo.exe
1296	Kedlip32.exe
5036	Kpiqfima.exe
1232	Kibeoo32.exe
1596	Kcjjhdjb.exe
4728	Khgbqkhj.exe
1624	Koajmepf.exe
3328	Kekbjo32.exe
3076	Klekfinp.exe
416	Kpqggh32.exe
2288	Kabcopmg.exe
4444	Khlklj32.exe
5104	Kcapicdj.exe
980	Lljdai32.exe
2916	Lohqnd32.exe
1692	Lafmjp32.exe
4112	Lhqefjpo.exe
3868	Laiipofp.exe
3664	Lomjicei.exe
692	Lakfeodm.exe
3708	Ljbnfleo.exe
2484	Lplfcf32.exe
4944	Lancko32.exe
4896	Lhgkgijg.exe
3100	Lpochfji.exe
3636	Lcmodajm.exe
848	Mfkkqmiq.exe
4884	Mhjhmhhd.exe
1968	Modpib32.exe
732	Mfnhfm32.exe
4448	Mjidgkog.exe
4720	Mofmobmo.exe
2300	Mljmhflh.exe
2452	Mfbaalbi.exe
2400	Mlljnf32.exe
3880	Mfenglqf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oiagde32.exe	Ofckhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ihpcinld.exe	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Jimldogg.exe	Johggfha.exe
File created	C:\Windows\SysWOW64\Idknpoad.dll	Ihpcinld.exe
File created	C:\Windows\SysWOW64\Aglmllpq.dll	Ipgkjlmg.exe
File opened for modification	C:\Windows\SysWOW64\Jhifomdj.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Padnaq32.exe	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Hajkqfoe.exe
File opened for modification	C:\Windows\SysWOW64\Jbojlfdp.exe	Jhifomdj.exe
File created	C:\Windows\SysWOW64\Ieagmcmq.exe	Ipdndloi.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkqmiq.exe	Lcmodajm.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Khgbqkhj.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Joqafgni.exe
File opened for modification	C:\Windows\SysWOW64\Hppeim32.exe	Haodle32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Iacngdgj.exe
File created	C:\Windows\SysWOW64\Ihpcinld.exe	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Khgbqkhj.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Hajkqfoe.exe	b8eb79990b8bc8bc00a304416b3a3bb0N.exe
File opened for modification	C:\Windows\SysWOW64\Jpnakk32.exe	Jidinqpb.exe
File created	C:\Windows\SysWOW64\Kpmmljnd.dll	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Pninea32.dll	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Ojqcnhkl.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Hnnljj32.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Dlofiddl.dll	Haodle32.exe
File created	C:\Windows\SysWOW64\Nphnbpql.dll	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Lohqnd32.exe	Lljdai32.exe
File opened for modification	C:\Windows\SysWOW64\Lohqnd32.exe	Lljdai32.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Pmmlla32.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Cjehdpem.dll	Hnnljj32.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Mjpnkbfj.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Mfbaalbi.exe	Mljmhflh.exe
File opened for modification	C:\Windows\SysWOW64\Nfgklkoc.exe	Momcpa32.exe
File created	C:\Windows\SysWOW64\Pjcikejg.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jbagbebm.exe
File created	C:\Windows\SysWOW64\Haaaaeim.exe	Hnbeeiji.exe
File created	C:\Windows\SysWOW64\Lkjaaljm.dll	Jimldogg.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Pkpbai32.dll	Hppeim32.exe
File created	C:\Windows\SysWOW64\Hobbfhjl.dll	Mhjhmhhd.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Hnnljj32.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Jfpqiega.dll	Mljmhflh.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Mfenglqf.exe	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Ocdnln32.exe
File opened for modification	C:\Windows\SysWOW64\Pbcncibp.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Jbojlfdp.exe	Jhifomdj.exe
File opened for modification	C:\Windows\SysWOW64\Ieagmcmq.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Jimldogg.exe	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Iacngdgj.exe	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Ipdndloi.exe	Iacngdgj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	6072	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haodle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnakk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbagbebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lancko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbcncibp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iacngdgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakfeodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidinqpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhifomdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padnaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnphoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haaaaeim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgbqkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjidgkog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hppeim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joqafgni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johggfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekbjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klekfinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbphglbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofckhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimldogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koajmepf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmodajm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcikejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbojlfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkbdmbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhnojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khlklj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmcpoedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjmni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofefp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpkknmgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpmhdmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihpcinld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihdldn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jojdlfeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibeoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnnljj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibegfglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipihpkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojqcnhkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqggh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nofefp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haodle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcikejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiqkhgo.dll"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b8eb79990b8bc8bc00a304416b3a3bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnbeeiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmnkgfc.dll"	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kekbjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll"	Momcpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglmllpq.dll"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppdbgncl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4816	2060	b8eb79990b8bc8bc00a304416b3a3bb0N.exe	90
PID 2060 wrote to memory of 4816	2060	b8eb79990b8bc8bc00a304416b3a3bb0N.exe	90
PID 2060 wrote to memory of 4816	2060	b8eb79990b8bc8bc00a304416b3a3bb0N.exe	90
PID 4816 wrote to memory of 5000	4816	Hajkqfoe.exe	91
PID 4816 wrote to memory of 5000	4816	Hajkqfoe.exe	91
PID 4816 wrote to memory of 5000	4816	Hajkqfoe.exe	91
PID 5000 wrote to memory of 2224	5000	Hpkknmgd.exe	92
PID 5000 wrote to memory of 2224	5000	Hpkknmgd.exe	92
PID 5000 wrote to memory of 2224	5000	Hpkknmgd.exe	92
PID 2224 wrote to memory of 1708	2224	Hnnljj32.exe	94
PID 2224 wrote to memory of 1708	2224	Hnnljj32.exe	94
PID 2224 wrote to memory of 1708	2224	Hnnljj32.exe	94
PID 1708 wrote to memory of 808	1708	Hpmhdmea.exe	96
PID 1708 wrote to memory of 808	1708	Hpmhdmea.exe	96
PID 1708 wrote to memory of 808	1708	Hpmhdmea.exe	96
PID 808 wrote to memory of 2872	808	Hnphoj32.exe	97
PID 808 wrote to memory of 2872	808	Hnphoj32.exe	97
PID 808 wrote to memory of 2872	808	Hnphoj32.exe	97
PID 2872 wrote to memory of 1408	2872	Haodle32.exe	98
PID 2872 wrote to memory of 1408	2872	Haodle32.exe	98
PID 2872 wrote to memory of 1408	2872	Haodle32.exe	98
PID 1408 wrote to memory of 1424	1408	Hppeim32.exe	99
PID 1408 wrote to memory of 1424	1408	Hppeim32.exe	99
PID 1408 wrote to memory of 1424	1408	Hppeim32.exe	99
PID 1424 wrote to memory of 2888	1424	Hnbeeiji.exe	100
PID 1424 wrote to memory of 2888	1424	Hnbeeiji.exe	100
PID 1424 wrote to memory of 2888	1424	Hnbeeiji.exe	100
PID 2888 wrote to memory of 3808	2888	Haaaaeim.exe	101
PID 2888 wrote to memory of 3808	2888	Haaaaeim.exe	101
PID 2888 wrote to memory of 3808	2888	Haaaaeim.exe	101
PID 3808 wrote to memory of 2388	3808	Iacngdgj.exe	102
PID 3808 wrote to memory of 2388	3808	Iacngdgj.exe	102
PID 3808 wrote to memory of 2388	3808	Iacngdgj.exe	102
PID 2388 wrote to memory of 1180	2388	Ipdndloi.exe	103
PID 2388 wrote to memory of 1180	2388	Ipdndloi.exe	103
PID 2388 wrote to memory of 1180	2388	Ipdndloi.exe	103
PID 1180 wrote to memory of 4384	1180	Ieagmcmq.exe	105
PID 1180 wrote to memory of 4384	1180	Ieagmcmq.exe	105
PID 1180 wrote to memory of 4384	1180	Ieagmcmq.exe	105
PID 4384 wrote to memory of 472	4384	Ihpcinld.exe	106
PID 4384 wrote to memory of 472	4384	Ihpcinld.exe	106
PID 4384 wrote to memory of 472	4384	Ihpcinld.exe	106
PID 472 wrote to memory of 820	472	Ipgkjlmg.exe	107
PID 472 wrote to memory of 820	472	Ipgkjlmg.exe	107
PID 472 wrote to memory of 820	472	Ipgkjlmg.exe	107
PID 820 wrote to memory of 3596	820	Ibegfglj.exe	108
PID 820 wrote to memory of 3596	820	Ibegfglj.exe	108
PID 820 wrote to memory of 3596	820	Ibegfglj.exe	108
PID 3596 wrote to memory of 3608	3596	Ipihpkkd.exe	109
PID 3596 wrote to memory of 3608	3596	Ipihpkkd.exe	109
PID 3596 wrote to memory of 3608	3596	Ipihpkkd.exe	109
PID 3608 wrote to memory of 644	3608	Ihdldn32.exe	110
PID 3608 wrote to memory of 644	3608	Ihdldn32.exe	110
PID 3608 wrote to memory of 644	3608	Ihdldn32.exe	110
PID 644 wrote to memory of 4564	644	Ipkdek32.exe	111
PID 644 wrote to memory of 4564	644	Ipkdek32.exe	111
PID 644 wrote to memory of 4564	644	Ipkdek32.exe	111
PID 4564 wrote to memory of 4452	4564	Jidinqpb.exe	112
PID 4564 wrote to memory of 4452	4564	Jidinqpb.exe	112
PID 4564 wrote to memory of 4452	4564	Jidinqpb.exe	112
PID 4452 wrote to memory of 4076	4452	Jpnakk32.exe	113
PID 4452 wrote to memory of 4076	4452	Jpnakk32.exe	113
PID 4452 wrote to memory of 4076	4452	Jpnakk32.exe	113
PID 4076 wrote to memory of 3112	4076	Joqafgni.exe	114

C:\Users\Admin\AppData\Local\Temp\b8eb79990b8bc8bc00a304416b3a3bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\b8eb79990b8bc8bc00a304416b3a3bb0N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Hajkqfoe.exe
  C:\Windows\system32\Hajkqfoe.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\Hpkknmgd.exe
    C:\Windows\system32\Hpkknmgd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\Hnnljj32.exe
      C:\Windows\system32\Hnnljj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        31⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        32⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:416
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        47⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        48⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3532
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        77⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 428
        97⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6072 -ip 6072
1⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
192KB

MD5
a20583042e3183795e9613c667ef2fed

SHA1
0174945ffaac454dbc3a6406a6bd7ce28a4babd2

SHA256
44050916878cae398fb2fca98efb6ac8dac6eb6c5b90b0041df265f30a99d845

SHA512
9e0dcaf181e5570850144a25e9f45dac2de81b8fd3878d035e5e798a1213263caa8983d90986b18ee965a2be1f4c40ac3f37e343a5c05fd161c690de1b1fe39a

Download Submit
C:\Windows\SysWOW64\Hajkqfoe.exe

Filesize
192KB

MD5
2b04cbc854b6db1a61336342e727bfa6

SHA1
9a4f0c48a665ac49f16fac81464b6c961fb106e2

SHA256
92bdc807909341547f5a8b772718315afcdd2b5ab44717c7dc3fc22a928082ff

SHA512
684ed5650abd900b3ba2ecc7a2679b7e17069678f5ac858e5f9ab0efc50e238df37601ee8f87152721553e81ac8342b46b98fc4cc4d125e7c1c4b59e8ed62535

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
192KB

MD5
23bed754c1ccbe499b698cc4d5b46b5c

SHA1
01b0d85d545e3a07b27f957f5daa54acec185c4b

SHA256
b474b161d2327338b167ed2cefe51fec373f73cee38469804a004ce1441b576e

SHA512
e741ed63e06d29b458f740f41846beaf59e38455d1b4640bd6319ce87080873eb3d15acf5dfaa03b119760f622297116866bfa8cd9faceaf845205aa7af0f28b

Download Submit
C:\Windows\SysWOW64\Hnbeeiji.exe

Filesize
192KB

MD5
7d32b086eea7e8af3951b03fb669d132

SHA1
274b5bf494fff276d34e7bd5475575ca2dbfa759

SHA256
7f076433e154348ca23701d86ca193d42e60649af76257380b0619568a64a7ed

SHA512
15e0db91f0fe2c09ffc1533dab7fc6d47b554c39a0e0ff1bb774afc0c91cf3192ef8ea65e5737bc8e76a73f392aeb5b2ad8709b72b6373c9f94239f45d91ea77

Download Submit
C:\Windows\SysWOW64\Hnnljj32.exe

Filesize
192KB

MD5
5e65f503476adddd459e387c30d43cf5

SHA1
401a235e07286c1d94bbb0dd9c27f060d3ff5abb

SHA256
8935c609af13f2dac0b3aa7b8ccd16a859888ca3dd0c347598edae01d295c612

SHA512
ec5445b4bfde194a0ff67ec0cc52f0c533f50a047707ffddda4cde40719c6ce7324ba369eb70b892e9d2d3ad96d10913b4321608b714a2ff55ea25e180899859

Download Submit
C:\Windows\SysWOW64\Hnphoj32.exe

Filesize
192KB

MD5
03648c42ebb1ee6f571d2eb2212388aa

SHA1
d225081a923a49056f7c50774b9c6d9d9a51a21b

SHA256
be7567fc16ab074c118ec3e6d073a1ef54cc28ea4996c71dd408dcedc5fde08b

SHA512
ac3ba6aa433b1435690b21887fd8332c51952e0080f1dd02f005effe15b8c7749b2ef59c191d83612248712ddfa2307cd41a2661076d0271eba8ef16a98eac1b

Download Submit
C:\Windows\SysWOW64\Hpkknmgd.exe

Filesize
192KB

MD5
0b32579ccb18c5a34d46a9a5b16a2c64

SHA1
8ce5ca059dd9ac209b6183220e15896bb9358c16

SHA256
87b0310b0b0318b7fe0ae4f9fb7d94a872d62d84346d085dbdc252ea7fbec2be

SHA512
1bce862f288d5059cab74f8236f33841c5ec62b036d0b6e5a2a92a02840308bda892d074824fb72a6d580ae45962cce5e203f9a8c99d1e32088f71832f27854f

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
192KB

MD5
7cc63cbc14ad12c47c90a372921f9ce5

SHA1
62b90d2e7724d87e47755f4260870c37e89e8625

SHA256
eadedacb8ad7636e38fc6fbcd47385ed0b0f1859ebbb1c87b4e9f50c13f4a790

SHA512
55ad854070c5219ada3aedeb8800d2aa08cab111c0575cb794502f1f4af7b2aca3a87d7e90a05d2c641becbc9c6c7efc9150d347753cb4b4361389e42ae6589b

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
192KB

MD5
379ccf29e75100e80d4915c4e1c9e3c5

SHA1
e57389bcb33c03906b8b5929c18d0b661bd45916

SHA256
07b078248b775beadf1838332884a62eec5b32f3e33f081f35737a2654d8c359

SHA512
4c86179fdfdfceb0dc43887046ecce1d2bfd13e2b0ea15412759034bba7d3226b7f6c1a62190f5fe5ce46064d22ffd96025deefa837c8e78b3cc7e7e6bc00d08

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
192KB

MD5
202120d6d1dc194845513d3f3d9977bd

SHA1
1d64c67712c83034269937722d692c345992b43b

SHA256
b14d9cd0ee65696740f6e88b10c8b319bbfb622bbe7e63edec3f63abe751e02a

SHA512
44c7525f0e9cb7970a39dd5eb2538e556857232e2d639ce250f8927362f9138b26c41ad3c89ec1bc8d73c7cee4ac990245b91081f587e24106cdef116386702c

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
192KB

MD5
6c136c09f33fd82f17f83adc0f55fbae

SHA1
e40fc53af195592b69907f52ee6fe513cf94ebf8

SHA256
e332817097466bd2b313f327b870122d36bea93371490e51e2186d835adc362c

SHA512
aba9eb2f399690bc858c27aa8aa957be2a6c92dcf772dbf279d75ac5b40c58122f563e7eadbd61e5523179b2e87bfdb5e9cfbe300fca5dc930dba808299dabfc

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
192KB

MD5
d199686c82c9ab0867c61d187a97e80b

SHA1
88d4732080bb68bb762b4ea7426e70a828951b65

SHA256
a05df5c4b80b547afcfbe3424db0ca380cb1348f4d409e2daa9a64b851849e64

SHA512
c1b3cb51f2f5a8e1b239ce1e0b7695bf76865f0c6c282991eb1e425e23c91dc8c9487488e388d252db19f535614b91bc8265bda8b38bbf4b87b44ae93ad035e2

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
192KB

MD5
7a4f9aa8b0d1b6ddde0e6e931291fd01

SHA1
ba8d82dbcb2fe8618fc6c57cc23faf25bb6e2b01

SHA256
bb969f74a7a083d40f90a3df1f34858be478711c5b45d08e59ea6f3271f8ad3e

SHA512
8ae345ab1a2c4fb986cc04da454eaf160454ac72f159291648f0e153b83dedc848e44c72ed52eeb47b91c966ac7fc13a6fc9e6756575b05fae7f4a33660f3b57

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
192KB

MD5
765e818921258a6262885f04a51a9d8d

SHA1
392c7a2042af31ca4718a7816242392b11fee7b7

SHA256
299d21eb075b183c76cee8cf02e45f055c23a672e062e642d92aeaae4dd474a7

SHA512
cbd1305d8dca5ee8144544a342a15d582fa41dfa60219fdd08825baccf02882f0fa29734487d57a344a53015c9504aec6cfa747c1f82f18925bd6ac9d3a5dc4a

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
192KB

MD5
a9c922cf26de09c69c792e302b84396a

SHA1
7f08a7bc5b04634a75b8cd34550d112d76e82ba6

SHA256
a5fe450f4a4d56e1ee0aeeb45c27c1d89e97d7e499b797602f1fd85ce233542d

SHA512
980498c76f9c48daaae968610607e9fbfb9ce8d8ae6c469c14374ffe0e2e46deeec34f9a3e8c783bb7090ca27edb6f0512f686d44e65da8895c2714066e4eeb2

Download Submit
C:\Windows\SysWOW64\Ipdndloi.exe

Filesize
192KB

MD5
875fc21111404cd501eae91dbc712f31

SHA1
7315e5e66970afff078dc6418019b0db443331b8

SHA256
39e3a182e08bfc03757eb1e2b4c7f91b786d8c5fd858a4996a596772d2990438

SHA512
e37aad71d78b76962cbccb8423306dc13b3526733508eb33fb055a878de666eab49657d657859c936f9be3db42076062b75d6c8a44ccb134230c06cca0341864

Download Submit
C:\Windows\SysWOW64\Ipgkjlmg.exe

Filesize
192KB

MD5
7babff1690dbbe5cfb688327da7ca6b6

SHA1
f9733ccd2121f47ceddd0f9f261385607c420450

SHA256
015b6cd8f4ab4bde635e1744f898035314d4af47bd5a010cf1200c253c7e968e

SHA512
f7110791162f8cd6591c5a38a236a78ba653b88b84b4691b28ec93454aa03588d239db478be58760b1378735ac3b2652d635ce7c83fc3a520cf15a65034a7b50

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
192KB

MD5
0e4c7b14c8f5a6edba5e66d8a84c2615

SHA1
bb6179f4aadf98f9d01d223de66b803cca0c1a12

SHA256
3d5ed0bf4cd84586f81c404ffebe457ff5e1e016945ea07e100f9e7b8b64ab1e

SHA512
1e8f73c6f198dd3120a3b38187b0aec50cb1402c9d048aeda57594fa73d4d58f0d9553ffbd55c13632cf03ae41129c8ac9b165466980a77329f3436abb5c9d59

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
192KB

MD5
2d968d258120b6229d7528b91a593a52

SHA1
b237a9294decb0116608ae4be82587840bad55ab

SHA256
542c0ab4b1fbaa68e6f3ccaf593e0eb681600a8c24484007baf9ed3b75f03509

SHA512
02561695e53600be492852cec296c50fcb0f23390b11de777115edc9a11fbb373b12012d883794ba9b07b458bb8c890832da076765389bfff97d4f5d95f49e64

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
192KB

MD5
d2fa64267278ba623d133c6d59a82336

SHA1
9c1ef571202a36cf14e9defa59fd5df5d95bd3d2

SHA256
fa1332dca50b4fa5269b913061cb3444366e77929a2432b6aa658ff35709919d

SHA512
a1388db27b158ee87ddb61a45ea02dfbc35322abe220e5074680324b4d36ed7a673f28f3a0e966f92f3fbc7794c55449ddb670f4c8e21a4a98b68892129d3268

Download Submit
C:\Windows\SysWOW64\Jbojlfdp.exe

Filesize
192KB

MD5
c14fff3185b8d265da627385945f0326

SHA1
1bb54855f1e1492a2d57ae0b335494c1b1581795

SHA256
2c24ddc9f4ce5293cfaa9e550f699e52f08e2455275ff901a1ef928b332a7c4b

SHA512
6466f1e886f5d6de1d7b867e109d8f65407a6edb6a758db720d2ecae3c6db8c55de2c30eaf52e5d7ed7eb68c92034fd6137e5b27b782f8ad6b272a9cdeff8fab

Download Submit
C:\Windows\SysWOW64\Jggocdgo.dll

Filesize
7KB

MD5
7f55c9010205b205f2d0c694bacae278

SHA1
f7a30bfdb86f8b64cd0b7219a813558b857a62b0

SHA256
23c2c800ee8de57c0b38835bcb16543c3ba0b9ff41646300264e43891a6b7615

SHA512
671fe9ad3215fae6b7ca3fae2c07f781441e83ec0da31bb2ae005cbd3fd3c481f13fe4f9d636a7d4fe813ef4b84b236f4b4b655cb372a207ceaf4d39f730c41e

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
192KB

MD5
25161191b5071dc2049fa773db024c58

SHA1
c30241a4abd27045f86dd99b1c916aec88b749b3

SHA256
a44c9eb38a567a93f0b27a9e86ee7fcf55f0e9e2a7c9ce9d352cc7d3399ad02f

SHA512
246bd0f3b867a8f5c761c34939de85d08dea87cd977ca757c5309e5c8681ef12b56f82eeffa166fd32e0cb0e1b41cbc48319440db2f31180be9ef4223bbd86d1

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
192KB

MD5
5018aa223ba1490c8b2da96f41c0419b

SHA1
85af48aab6e309dba5185bf04254e44bb7148d91

SHA256
961c227569955804f37b45edbb62849747c3fbaa3c949dbf6c64164c4a386fa0

SHA512
cd1921639785557bb37d1581b055a666554ab981c9a008b3d143c372b1c22a020f03a9060bab3bd5bad9648f7dcdd5e48942b0318f94814e0d5088030e61086b

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
192KB

MD5
878cd68aeb386a4171fdc4219bbdb7fe

SHA1
f93ab47b79d1319c767c04b82175737b3ee75878

SHA256
67b3c52f0dc9346539dc1ac37ca5d20f8d08d61d0768d18980d2510c15f93709

SHA512
2aea58349f052fb75149353ba21d78f82402e0effcfd234cc1676a065f1b08534f5554b3637673ef8db6cda4438da8de7dcb29b3226813c7468f95d7eea303bf

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
192KB

MD5
26ea8096aac14acec933253d13531cc2

SHA1
fac8fa940608058a7860d3f825d1671aa430e09f

SHA256
7c3af16f90cdbbb33bef10a97f91e82b0fbbfd555558059da8c9a662c37ec323

SHA512
c13017075989a2fbdeb25be190198ac6c5641dbd6dd06931f459009ace33c40cbf34fa1295f7fa8541a4e01e8bdcbca8e27d55e199955cbdbdfe35b210dd12a8

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
192KB

MD5
7a52f383037e15d1a5f807701f5a33f8

SHA1
5ef98f546a0a44cc70b427993578070a1ec90d79

SHA256
409824aa127d335f7a539bf6b76209e2dd811fd9ee8c394091488c38a66d87ff

SHA512
1ed7c5f7da1795d29ad637677588c8434397d1a61734c98a7bea63b24ff31d644d34bf4641d4c7f83327db9b6fb5bae04f82303cb118478c0e08ddd1601f1f59

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
192KB

MD5
6b2cebbd780beafb0852171d63bb1b76

SHA1
d03df51aa104219dd65fd9e019e297dab22d012e

SHA256
af6e06ab78725fc37a781e65b09361195e9094a9e0ee004c8760c849dc336e02

SHA512
8ece7aa016d47601bfee7ae3d664f5acef8952ae5e97338acfa3cdc3e73314844a873adc0c78d407caa0338a6124cec6950f1a5d63c8e3c172adef2b4dbe870c

Download Submit
C:\Windows\SysWOW64\Jojdlfeo.exe

Filesize
192KB

MD5
26e2f3b604c039694d53de0867c163f6

SHA1
28756c6781475cfb65e77a34f3cf7af75366282d

SHA256
1ca183028b222e01a47a7504d7d85c2ab863c71b61a6b41c423cc9df234cc044

SHA512
471a62a5ff997549233ac1fe7a0ad137cf30ec876963b0c946ca548c03b25b3f4d22313a45b6835e04eaf73d3ac9b1c29e925d130f0fcca5f74410bf2ebe4485

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
192KB

MD5
c9630a33815c60d916831c6f11505317

SHA1
b8b100d8145ae23ce1b9c862725326ad8a94da88

SHA256
dc2ef585dc4f003aab8c566636a6c9590d4424f56929563c6a24517b75909f3e

SHA512
3a7b60d2ad0d52d69cff7b82348d42b57824e25e4e99d9838a6409a48206e10e5a104d9c4c2e37bfbb5308ef3f63866ef8db5464d44c6d4173d059c84c4fe054

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
192KB

MD5
ef5416e4156d142ad7dfa4228ed65ec1

SHA1
dc858f30e099d09112d9954ae551d6a95169c0f6

SHA256
a652f90df272c0c65f155cd16b323482ce049e725d87d71e382f57a52294338e

SHA512
70aea073d718d591b7c48ff672475d1968c680f64776f5a2debe5012fd391cd4891288d099f290791d4aef723e27b4ca2a0260422034c73fcd2f63bc2d28fa49

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
192KB

MD5
b3e4eaa28f0beac97ccd8e40cbac70f7

SHA1
cf406423b784b37b23bf23130e7f63b61df9f3e4

SHA256
61b8fcd116066cc9bea89ef1980622cbcd8499beb24e53fa40f06e2454367684

SHA512
e1361cb99d4ad264490bd02e1f7f81b6d33aefcf2219b24377c2995b00f6de13dd028cc95d6bb705b5ab3155ccc3177189279e102efba34f8c5bdf2c5c0b609a

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
192KB

MD5
a724fc3073ea21ab6d1da3667301e52a

SHA1
de83d8cf890e8b6b41b693fdcf2ca847cd174bba

SHA256
ce4158ad1d5122c67383cecaa4be3d76b757f088349e6bab4a966ac91b1312a6

SHA512
3deaa0bb89e34a33128d556171cec07b16e55183722b5775d90b0bd23c030dc4698b720dd45f673c7598780b1a6008bed2582ec95cfad4f5ab296593347abe8e

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
192KB

MD5
e119a9d98378b4bd110c2d051919419a

SHA1
51b503f0b47ab86def693a9e660bff172903dd91

SHA256
3629119535c002bb439f5bba1a056f9f99c4edbafe3945a23cf06cafc4fb65f6

SHA512
0d952f79b47edb8aa992e864dbcac899fec3e6eaf6294722bf6b46b9452d8175491904ed35055862f7f24900671b93593203031722680dccea13f29763af1d54

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
192KB

MD5
85a2c4474f106f89851229dfc467d813

SHA1
157140d4330742acb34052a9016fd6310e727150

SHA256
4ce2e0684fd6e384fcdaf8feeb3f72104f08d62a976bcda8d7b5c8b7d4318a0f

SHA512
0b4f667afd90aadc2271413a8187437b0e9245508902ea2939cb2cd91025e158c884f5dadefe37a4b7d111d130a0f6be94ec84f9601295dbab42b1f80da7411a

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
192KB

MD5
36b594c29695a6aed8dfe582715a9fc3

SHA1
a6957a4cfe36a2682fcc9e831c4c9c339cb992fe

SHA256
a8964d5bce682aefbe34c7a86680c9a77f7856844c753cc07a93a94ec10ea7ae

SHA512
c5802ce4535da4ec362276277226b4ee4fd41d916eba0d29eb9a7f6404212bfb2fbdd668d22348f6eb0a4b004fa897c5e3342d097a8f01ee88191294346342a1

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
192KB

MD5
32fd3a9576fed3bfcc44be9834bebdf0

SHA1
be69037e28a432beeb485e029c76767a5e770115

SHA256
8b890e1bcbc545dee9089cb3e3ba7a1673d51e8bd04227868db0269d27cb9102

SHA512
44211f473de11ae2f3ca425e7ff23df08da71de9611a9b2098f699f427dc53fe973fd20ad098ec6ba9b55aad10763ff7d6ec5d99649971cedc5efee953efbcbb

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
192KB

MD5
a42fee58b94852db1ce12b9ecc593ccb

SHA1
c59878203393dc9e3031000164601e1f2c0e6490

SHA256
911fcc9f6ece19fb4d436987db64b6e9a5fce9d049e339a60d09144a304df079

SHA512
7506da6c30e128f9967dda17770e9e960eccf00ac9714b3c4d47080a57ccb895cf00798012557ad203b784a2276e691a0c297cbf6ba8369fc2813b8c5c62424a

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
192KB

MD5
88083b9f9c0bbf48a36681420475d2bb

SHA1
7d62e90e350da2c3b02201d3a4718e5116778176

SHA256
4695c385b1b5ce5a90663d6666fcf7653ea3c5aaa1c1eaefe814f991fdacacbf

SHA512
5d3f532f9d42b5218284d945a9d41e63527f06fad47c747db637b64d93ee33d6a2b6c0d1a9ba2b1be09c621f20e21c632304b86c8751b48e74b87f523cb82031

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
192KB

MD5
b7d537b937e5543e2c4a11ee4cd73c70

SHA1
eb83d022ad46c81b553053b463fbd0fec4335eb2

SHA256
5990cb61cd084040986fa815d3aacac3930afcb70cf7baeed3b337159a1062a7

SHA512
0196185c579c3401895e38c68bb404130c01aed088c0e50f0f4c0bba5972623bf27412cc68e86e0233f2a4f1bf0c1578f5c0b1237cba4f1ed39c5cac36b8d36f

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
192KB

MD5
568baeca106ddefe0937edc012c58093

SHA1
b6571885d71b798cd94f1aabaed2df32b0927ade

SHA256
b9a705824ec2556f742eda947f72e461aa491b114e139663fa6ca3a3290eab7c

SHA512
1a1d02fdab76fb8d5c6fb3ad5a079387a18f995db1f2b1778cc1462d83807bfa6ee117847c2ba207c972972360827088c833915d0c3b4250fb0afe281fb1a833

Download Submit
C:\Windows\SysWOW64\Padnaq32.exe

Filesize
192KB

MD5
e58b427467e4cefb4b2a96b065fb83a6

SHA1
98807f9f24e656863587206f1fb904374d507c17

SHA256
27780e3291b01be2d38f2c614c4e47d412251c3dd6b5f69e8f2c492f9637114c

SHA512
40f56f7dccdde21ac324deb869627852fbe7853720c764049907bfc2afcc0a701537ea2f2af8afe4756e060bb94f7b001c4b13c1a92d29369d722eb358dc1229

Download Submit
memory/416-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/472-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-750-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-755-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5208-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5248-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5408-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5544-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5640-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5732-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6072-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads