0e54b1072c7414070d6331bb7317ee004f7b794a96cbd16b3669825ca3fabe38

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f9b53f7b150d41f4a6d0501110e240N.exe
Size

128KB
MD5

e7f9b53f7b150d41f4a6d0501110e240
SHA1

6e643c9c4f48b40985d4c1cfd8efef604b9cec35
SHA256

0e54b1072c7414070d6331bb7317ee004f7b794a96cbd16b3669825ca3fabe38
SHA512

db2c5b6f83fce98327f19f35baf07e303b4f357e22204d4b6c0dcd365d5c2048339a95373284673348edca528001828e238613664006832fdac5a67f6027c8d9
SSDEEP

3072:ZVfaoBteA9ugiwlYD+sR7ZSeDc5wkpHxG:ZZaoTe9giw6+y7ZpHCA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe

Executes dropped EXE 64 IoCs

pid	Process
2188	Mjlhgaqp.exe
1628	Mqfpckhm.exe
3304	Moipoh32.exe
4060	Mjodla32.exe
4084	Mokmdh32.exe
4044	Mgbefe32.exe
3520	Mjaabq32.exe
5036	Mqkiok32.exe
3736	Mgeakekd.exe
4268	Mjcngpjh.exe
3660	Nmbjcljl.exe
2928	Nggnadib.exe
2504	Nmdgikhi.exe
548	Ncnofeof.exe
4644	Njhgbp32.exe
2916	Npepkf32.exe
216	Ncqlkemc.exe
4908	Nfohgqlg.exe
5048	Njjdho32.exe
4888	Npgmpf32.exe
2436	Nfaemp32.exe
2540	Nmkmjjaa.exe
3516	Nagiji32.exe
2092	Nfcabp32.exe
2304	Onkidm32.exe
2696	Ocgbld32.exe
4484	Offnhpfo.exe
5008	Oakbehfe.exe
5080	Ogekbb32.exe
2088	Ombcji32.exe
3340	Opqofe32.exe
4864	Ofkgcobj.exe
4352	Onapdl32.exe
3240	Ocohmc32.exe
4536	Ofmdio32.exe
5068	Ondljl32.exe
3668	Oabhfg32.exe
4064	Ocaebc32.exe
1356	Pnfiplog.exe
3436	Paeelgnj.exe
404	Pfandnla.exe
3208	Pnifekmd.exe
3556	Pdenmbkk.exe
1380	Pmnbfhal.exe
1672	Phcgcqab.exe
4300	Pffgom32.exe
1244	Ppolhcnm.exe
2744	Pnplfj32.exe
4256	Panhbfep.exe
1584	Qfkqjmdg.exe
688	Qaqegecm.exe
1788	Qjiipk32.exe
1052	Qodeajbg.exe
4172	Ahmjjoig.exe
3036	Aogbfi32.exe
4796	Adcjop32.exe
1192	Afbgkl32.exe
3812	Aagkhd32.exe
3332	Adfgdpmi.exe
972	Aajhndkb.exe
3004	Ahdpjn32.exe
2292	Amqhbe32.exe
1440	Adkqoohc.exe
2616	Aaoaic32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Ombcji32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Giidol32.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Cnocia32.dll	Mjodla32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Pnifekmd.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Oakbehfe.exe	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Mgbefe32.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Iocbnhog.dll	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Mgeakekd.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Mjodla32.exe	Moipoh32.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Ombcji32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ofmdio32.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Pdenmbkk.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Aogbfi32.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Mjlhgaqp.exe	e7f9b53f7b150d41f4a6d0501110e240N.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Nmkmjjaa.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Hgncclck.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Nggnadib.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Lihcbd32.dll	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Bgbpaipl.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbjcljl.exe	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Nfaemp32.exe	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Npgmpf32.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nfcabp32.exe
File created	C:\Windows\SysWOW64\Opqofe32.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Aaoaic32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	2628	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggnadib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7f9b53f7b150d41f4a6d0501110e240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npgmpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nagiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgbld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjodla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offnhpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfaemp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmdgikhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjimp32.dll"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e7f9b53f7b150d41f4a6d0501110e240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onkidm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onkidm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll"	Njjdho32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2188	3580	e7f9b53f7b150d41f4a6d0501110e240N.exe	82
PID 3580 wrote to memory of 2188	3580	e7f9b53f7b150d41f4a6d0501110e240N.exe	82
PID 3580 wrote to memory of 2188	3580	e7f9b53f7b150d41f4a6d0501110e240N.exe	82
PID 2188 wrote to memory of 1628	2188	Mjlhgaqp.exe	83
PID 2188 wrote to memory of 1628	2188	Mjlhgaqp.exe	83
PID 2188 wrote to memory of 1628	2188	Mjlhgaqp.exe	83
PID 1628 wrote to memory of 3304	1628	Mqfpckhm.exe	85
PID 1628 wrote to memory of 3304	1628	Mqfpckhm.exe	85
PID 1628 wrote to memory of 3304	1628	Mqfpckhm.exe	85
PID 3304 wrote to memory of 4060	3304	Moipoh32.exe	86
PID 3304 wrote to memory of 4060	3304	Moipoh32.exe	86
PID 3304 wrote to memory of 4060	3304	Moipoh32.exe	86
PID 4060 wrote to memory of 4084	4060	Mjodla32.exe	87
PID 4060 wrote to memory of 4084	4060	Mjodla32.exe	87
PID 4060 wrote to memory of 4084	4060	Mjodla32.exe	87
PID 4084 wrote to memory of 4044	4084	Mokmdh32.exe	88
PID 4084 wrote to memory of 4044	4084	Mokmdh32.exe	88
PID 4084 wrote to memory of 4044	4084	Mokmdh32.exe	88
PID 4044 wrote to memory of 3520	4044	Mgbefe32.exe	89
PID 4044 wrote to memory of 3520	4044	Mgbefe32.exe	89
PID 4044 wrote to memory of 3520	4044	Mgbefe32.exe	89
PID 3520 wrote to memory of 5036	3520	Mjaabq32.exe	90
PID 3520 wrote to memory of 5036	3520	Mjaabq32.exe	90
PID 3520 wrote to memory of 5036	3520	Mjaabq32.exe	90
PID 5036 wrote to memory of 3736	5036	Mqkiok32.exe	91
PID 5036 wrote to memory of 3736	5036	Mqkiok32.exe	91
PID 5036 wrote to memory of 3736	5036	Mqkiok32.exe	91
PID 3736 wrote to memory of 4268	3736	Mgeakekd.exe	92
PID 3736 wrote to memory of 4268	3736	Mgeakekd.exe	92
PID 3736 wrote to memory of 4268	3736	Mgeakekd.exe	92
PID 4268 wrote to memory of 3660	4268	Mjcngpjh.exe	94
PID 4268 wrote to memory of 3660	4268	Mjcngpjh.exe	94
PID 4268 wrote to memory of 3660	4268	Mjcngpjh.exe	94
PID 3660 wrote to memory of 2928	3660	Nmbjcljl.exe	95
PID 3660 wrote to memory of 2928	3660	Nmbjcljl.exe	95
PID 3660 wrote to memory of 2928	3660	Nmbjcljl.exe	95
PID 2928 wrote to memory of 2504	2928	Nggnadib.exe	96
PID 2928 wrote to memory of 2504	2928	Nggnadib.exe	96
PID 2928 wrote to memory of 2504	2928	Nggnadib.exe	96
PID 2504 wrote to memory of 548	2504	Nmdgikhi.exe	97
PID 2504 wrote to memory of 548	2504	Nmdgikhi.exe	97
PID 2504 wrote to memory of 548	2504	Nmdgikhi.exe	97
PID 548 wrote to memory of 4644	548	Ncnofeof.exe	98
PID 548 wrote to memory of 4644	548	Ncnofeof.exe	98
PID 548 wrote to memory of 4644	548	Ncnofeof.exe	98
PID 4644 wrote to memory of 2916	4644	Njhgbp32.exe	99
PID 4644 wrote to memory of 2916	4644	Njhgbp32.exe	99
PID 4644 wrote to memory of 2916	4644	Njhgbp32.exe	99
PID 2916 wrote to memory of 216	2916	Npepkf32.exe	100
PID 2916 wrote to memory of 216	2916	Npepkf32.exe	100
PID 2916 wrote to memory of 216	2916	Npepkf32.exe	100
PID 216 wrote to memory of 4908	216	Ncqlkemc.exe	101
PID 216 wrote to memory of 4908	216	Ncqlkemc.exe	101
PID 216 wrote to memory of 4908	216	Ncqlkemc.exe	101
PID 4908 wrote to memory of 5048	4908	Nfohgqlg.exe	102
PID 4908 wrote to memory of 5048	4908	Nfohgqlg.exe	102
PID 4908 wrote to memory of 5048	4908	Nfohgqlg.exe	102
PID 5048 wrote to memory of 4888	5048	Njjdho32.exe	103
PID 5048 wrote to memory of 4888	5048	Njjdho32.exe	103
PID 5048 wrote to memory of 4888	5048	Njjdho32.exe	103
PID 4888 wrote to memory of 2436	4888	Npgmpf32.exe	104
PID 4888 wrote to memory of 2436	4888	Npgmpf32.exe	104
PID 4888 wrote to memory of 2436	4888	Npgmpf32.exe	104
PID 2436 wrote to memory of 2540	2436	Nfaemp32.exe	105

C:\Users\Admin\AppData\Local\Temp\e7f9b53f7b150d41f4a6d0501110e240N.exe
"C:\Users\Admin\AppData\Local\Temp\e7f9b53f7b150d41f4a6d0501110e240N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\Mjlhgaqp.exe
  C:\Windows\system32\Mjlhgaqp.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Mqfpckhm.exe
    C:\Windows\system32\Mqfpckhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\Moipoh32.exe
      C:\Windows\system32\Moipoh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2692
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        88⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 232
        89⤵
        Program crash
        
        PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2628 -ip 2628
1⤵
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
128KB

MD5
e816f7e25fab817bfcf31b3f833733c4

SHA1
cb98fd109df9bb00d54525e1c125dcabf44cb888

SHA256
0207f3a45163c0e5c9c95ae5fd4e076e264e2e21da3fc12c79253545433cfd2e

SHA512
d4ada11b0ceac88626014ecef8f5dd66703efd907b9b677a24ee37ea09f6cec51ab1d91c88024fe0158ab0eb6837101b865582533ea66688b6efde186d7eaefa

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
128KB

MD5
f02948190b7d07d663348c6833c2331f

SHA1
5a5fbb297b77f63b1f75038c826bd0393222644d

SHA256
a223dea78bbafabdbaf59eac56a07466eef6a8b264c70628807dba85c0678667

SHA512
b70c1fc040ecd49538f053214f9af85897b8fd661e3c72c2fd6bda82352ada1edcd6f4352ce643f18bc9ea0193c71e4b0046b5d2d5a7395529cfb33197a6c649

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
128KB

MD5
d96cfb56b1c1020458bace435d2e7377

SHA1
22676987dbd15c0411b5ce1e02d351ffa4f99309

SHA256
555bec6568054f8612453a042e1c8488249f27e7517d81cec04cdd79b45291a5

SHA512
affc4d807bbce9c8d7dc8d1eca3962f3529ce4518d1d600a82a47343e5a8405e54d121b68bd5dedd3278c0cb576c446ae74502aa578faacd77c77428998d531e

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
128KB

MD5
96bc15c952b0829d48b808538eddeab1

SHA1
93cd13f4539cca0dace5cd7c9dc413d54ce99be0

SHA256
f25d9289e2e7bca01b99008e7b2b3cccec7443ff152d9567ebe97e6d35d9f6ab

SHA512
4570a19abbf6551920f4d1c45b0d4bf59fbf1c3bcabee309e1b2b619ebe6dde0be508da97fedde806ee5e9082a81586d8305504baf7ec6049396e792ec86fd4c

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
64KB

MD5
8f969b603f23a92a20e9928b76d28b38

SHA1
40ddf9057bfdf0181be1e64d5d4f775a40957cab

SHA256
0a3ffef9c9fc482aadecb3b25397fdcae81cb3b8ca183940093adcea14ac50d6

SHA512
391413c472930882697287209b943d2928e1915b2aba55ef4537e3f7137104f7a29c01b6512416f891f58df1f63d9bec05adbb34c439462032ddf77345d847b4

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
128KB

MD5
51d66784e7c2f584275c94babfcf0ee3

SHA1
6220a71fdd6d8f89f36bf54d766c9a855594dfd4

SHA256
fef1e99b63bb384f99c08ac3e59d616e560709d3882543791653e9e5282aeac9

SHA512
0c9d9b355df1623e51ef5b264db13c93d1221e2a0d29c4a2ef35cc3293a4998462239e65dc0dc05f7106a4e00ce15f5268670eceeb1fe3020ba69088be90db59

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
128KB

MD5
282e0484f034a079d360f14efed3e2e4

SHA1
0d854982a65a603c196c4f05ba2086c5f5139247

SHA256
4fba19fdbbc09f59130e57a697cb5e08c9e722c1352ee53f1117d203b21c035f

SHA512
550c6781d29df390ab6184ea43911cc9b97696779ad148aee83f0503ebdda087d40e454e3d96637d4deb48e7b260235a05d55877c6e9e90ac7293c3af0946ed8

Download Submit
C:\Windows\SysWOW64\Cnocia32.dll

Filesize
7KB

MD5
3d421c1a0dd52e92243d00b7f52ed90f

SHA1
a6a93e77766428985df5999d6d787a40d1f8062b

SHA256
38c2a2b219a200ef91caa800a90e78b1e7a6172db4b453721f0d2ae0790e06a6

SHA512
dd1adbef3cf586ca2697795668ca526c0da521ea001df06fddaa212637a9a7ea3e79fcfd68b801251d998cf1942f55ab2fc501f021c9f3aaa9ca97de1bbf55ea

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
128KB

MD5
71a47396c9db4e466aff88dcd30c5f37

SHA1
3f309c5591fc074c22cadbd1415fde9e6bed7312

SHA256
f126ba4e04063266bbbaf645a26db37984cb55d3441da18a90df59fbf1a571df

SHA512
ad39e8437c9b23612fcc2b0feec0dc579e53044e502de5ebcd27f049a5890fcd5cd2c9f1ebffb849d4471d2012f0ef244c237e85f1b994788c0b583948867941

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
128KB

MD5
502790974b354f74550bb72a8f85da43

SHA1
c4ee3aa765411739e4433bc5d654bea4f3fbb92a

SHA256
21cda1f10d94c81b447a1c3c44fc0beafb1e4f40932e2283da23b6721b878f47

SHA512
a509482a8f77ec6bb8e4518708c07f42c430adbd43fa2c9facf9ccb1513a31eab2cd3a7f3849510506b6d289ff70b54d09448dd13110a6dc6d5276cbdb9526ac

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
128KB

MD5
e8cef5b2c80e24915f5334c229d1adf0

SHA1
8f59b252de0bf4622fb54f9083d42ac72900524e

SHA256
20a86287a737754faaa1ee05a76a1f7b28e69274eb7ccda0cde3dce1de531f45

SHA512
39a735b7c890d5e9f91b5d6402c4f1d90b755360ad37ff62ce456d0e9f7f1d4eef4664b3ce1979a0747b4c8fa66a3d58ebe4eaf20967ae50ed374106f9b46f7b

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
128KB

MD5
b11238ac9ac254cdd51dfa432c77bbf4

SHA1
ffed7d2cb6c1e88c25b1438d7bc63faa5530cb3f

SHA256
1591355fa41b4603687d38290d644276a91092f430731ff10102795e02115c07

SHA512
f1a0c2b096492977c1d978e472249375b4fb9bbc4bc3d38b6becb55c32c75bfa0f894a713ab979058e101ff69d10048e5cc10542c76ddf3fe1161155c4dc3c01

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
128KB

MD5
df8a1a1394ff5d5aefd045992f10de61

SHA1
7ce27756b096db5810a9213f0f250af287e1f318

SHA256
b35aac41d9eb41e53c7b9d83745d1692ccd89cc86470f8f5aeb4e54ea257e862

SHA512
1e089e3286d61f91eb4b084a81b98b93c24c1111d6ab65e060927147c4291d20b5994540af0901e0673dbf299c83aba1218e8a6e4d54985408aec1d2a1d6f139

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
128KB

MD5
45d2bc638e91de8a33b9ea336ebd440d

SHA1
f91441622e844822403966e581d6b703819a7f36

SHA256
e6d805c82f786d709997dc02ca51a769a54e704bcaf24f7cead2c5d6b1625bef

SHA512
bbb08d645c283c67ae7e1ef0ac52503874854df89ffec39899f668bac05a837b0e9b1e2f6e9483474768bab540aa5cd74666d9a443d6f7d60c2a5a7974d040b6

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
128KB

MD5
1bdf23d756bb18ff57c97e1dad9b9e34

SHA1
b9fb2a2bbec8b75ffefcd4bec8faa2ae6fecfd7d

SHA256
2f5e4194b0a69d3bff7bc779154cda0ee0639c011020fff9c1741683882fbb5b

SHA512
7c71a7e63e791513eacba554507ba34b9cb73c3e51e616cfa188fa42995a43850efaffb114fe8b98c6c6e491abb4e5ab50cdb291b6d74be9875e641d2cae9443

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
128KB

MD5
b89059d9a6f681fdd4182d3f7dd8664e

SHA1
d03fe661c8a0911ae4cf1e8d485b3f2efce3d21d

SHA256
6b958cddcf94e00eddd8f6e46166ce7df7e565f68875a3fa1a93e72d0fe827f6

SHA512
8cba92e1f937c497288cebfe617af4d06ede020606ef642557f970d4603a421aa0eb359e9f2a8908206f5583abb8d279d9a62662ddb02ce460efd8277ea52168

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
128KB

MD5
ccb923676b96ab9046b1d1ebef1769d9

SHA1
76ba96110307b64b5b58ade787415d21cca63cf1

SHA256
835c02d9e547d0bd057fe832c08e5a0805695cc9efb82e996edc3d1597ce2ead

SHA512
8b0ab8c882c9d4d4ec7ad87491202a966fa552df86c2d85ed44124f9098c17132692be998f2ace90565aa3a93e69dea7476d80d06428eb5f75887ee7c4deaadd

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
128KB

MD5
d953cbb7e843082fdc8ee2d4e8d338ed

SHA1
5438e36f77b79a6edd47e56e22835f2766f49f3e

SHA256
5bdb35a4327d50196c26efcde42716de5ece5045731af748df25b4ca86c578e3

SHA512
ec5152880acc52152ad387005a4a3bfb246ab2862866737c5996a8430c2e3ac59add75c0528fdcea5160190ade74d3fe89025d1fcb4082756406caa067175660

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
128KB

MD5
3dfe0936e504ddb2fbea81b9934cfafb

SHA1
04ec966ff2290d9fbd1456987c453be0d4f768ad

SHA256
6201cd7fd4826fab58ed9d7e3a46a0835f40a8ae61114575dad16eb22c9e71ef

SHA512
e8b6d3b03d04889d40dcbcffb332807c50dc6d4ffdb1deb57443c690951ab81ed1f9de46584f37b51ec9c4639b447d54d94b146cfc428883b37f79912543e3f0

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
128KB

MD5
06b183e82503961c953da529d7b920d5

SHA1
151746c0695d3d66878c18a2f4b1c52dc41a4925

SHA256
2401a834a6889214d39647668ba8d64a42439890a5d9585fca23cb8731171b95

SHA512
5f6c7f875eee36e431615b30aa6e9c3943cd5299f9c0fc6bf70154615e1e0806b579ae960d6aca02ffe081c670e39b474a1c5627c0d5047ffdc4e641a38228de

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
128KB

MD5
d8bb367adbf3d5725b0e6cce2f26a677

SHA1
c8b0d048a4c32f107e850764e109b4b7ae3670ee

SHA256
3df3ede28d36e0240c9fcf1d076bcd0e627d0e3a0aa0b22aaa4984045095674d

SHA512
622fef1cc3bf1ec34f392d503d4e27680c0f7f225bbf23ac29d04fb6e4c2cebe0cf5cc5ad074223deda7135d6c9d17de191f8355cde94e9e2f8a28f9372f421b

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
128KB

MD5
397658ffe6b03d4d3e6312d6cf1d55f8

SHA1
27e4a71e3426508d30c456303cee884e90bcfb00

SHA256
9ac47a85b7e183c104f49625b203c9ffaee72f2189a8ae54915833168e5b1569

SHA512
b71c8c1ec2e0355b896ea760cb827238462fa7981a99b0120d1250e57e81836f4da5241d63f891d141a52decfee6cdb21ce3c449a3dd8db7010a4c5752801bbc

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
128KB

MD5
1dd5d1d6f930beb0e562a573da4ef3fd

SHA1
e5e16cdd659f65c1091badbfb32eefbbd0eadecc

SHA256
2bc564a5aee75169191a120fb150a684469992a279869a14fad354882b2d0ed3

SHA512
6b1dd8f063c62ed4e5d2040ae5f65b1e20f5b0cf11fceb7b1a192133d0d5088a0c28a75c1d0ffd2a8c85235b6ff07c9a29832b25bc896822c110d8fa3810d5ef

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
128KB

MD5
28d5a73a6ba773406d1b5b79f0c314dc

SHA1
4a27088b2ef97ea2c01a4b1021b7c78f9a3cca28

SHA256
574522ce71c929a02706f7d50e374d5beca7f488fc53c0a951019fde30f46e53

SHA512
11d28df6f6ca68d32facf00c777a9976c6abf082fd29f60d6367b9770059f028fd026756dd5600855c5d2424e4ad536e00c9d3032f834aaad503b373d2384989

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
128KB

MD5
7e00f3a44133da37e75eb3649757e6e5

SHA1
1d76757fffbdc7a08e19c8cb90e0eb57ac08127d

SHA256
1a0f50abc246c76515b059bbb4bd558a8ec8732b05b44ce150df358895a815af

SHA512
d1e3fd5216a99f465804d5e421a0eb3b421e51ef992fecbf43eb119a78bc5f4cba3c53e272ebe8a565ea72d17e1022b2d55c9b2b69e5dd20cf3b63dad93dbf82

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
128KB

MD5
05deb1d25758a01ae0eb14780ad58229

SHA1
996bcc258cd3fccf6ef83297663e0a39c2e216a5

SHA256
2384289bdb09d4a866ba3974a927c916c4e230e2077a3a265b484f08d1383ce7

SHA512
a1ed084b2595882bfd2ced1123fa2cb6e7b0c8c2511566e869f9261299369806f90723ae72aeb12076003332d6112ca8f745bd17e5a1106146ab51457d09fbc7

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
128KB

MD5
08e939e372408f0eefbb5cb64009e319

SHA1
8205c127f9b2c4712420712d9356d68a58e2304d

SHA256
5b79afd182cf2daa90d879bdb2f2ff730e3d80ff945ea2362c54d206b0a44da0

SHA512
7dcb63189f5d0380d18d7eb3c38bbd68471bc2a2e29eec35e01708bac87a935124898334fffd3052819a16c14870dd02a093c65236786674113db79e406f00d2

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
128KB

MD5
c26ed026a766c3bd11a306e49cc51776

SHA1
94d708b8d630c0c2eac0910bf4f28b08340e6d13

SHA256
e7cc75e462ba6cabc208ecf71b5d7097acbd2d19899b3329c8de559e794be8fd

SHA512
b9c3de60dd595ef7b7a5067454d6a9eb0fdcfe062b57da8a06708d6189ecd99550545cfe7250580cffdde5c1c5d2b23032a8279071fc370fb4cf8b12dc489fe1

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
128KB

MD5
268be7471fd67dd72490aede1d6321a6

SHA1
c960b2de700a5cd76b87f1b525cd98c3054bbbb1

SHA256
7cdffcf874c9d9fb5a41c1ad3a722a45f7e07e000bcace7caa675b2b487c6f00

SHA512
00492be1387a4766f3f8a533707c9180ac3765aa24e60bf051a33b1e53218d5a949a97a3b927e61c23e9377455ee89fe1f130087da45a5f7cca6acf2eb929eaa

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
128KB

MD5
5b956793ef33d3a5845a73e01b568638

SHA1
249d912ebe18ed1899dcb50c653e35dbb7bd2a2c

SHA256
6af1a4c92eca63abe907406b0a03e6ae41f4509d36d5ece138db9967d49d7ad8

SHA512
301e16affb0e2c180446abd4997e8185d9eaa9172266122cc179f9d6c9438e00c25bb80460080a82253e31ebc844b395b0c01fe2103c311749e9880ea34eae1e

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
128KB

MD5
bfba6950e5ba37bac88cdc44fc85d5c1

SHA1
f722d8cdecf129e45e3fc6be38c7c2c97914e84b

SHA256
3c5b011cf7a0972130a75fa6c99fd99d25a0258cdcb6124fe7804d6dc1ec6718

SHA512
b34f27c2b3ef4bff830dc049a6d87a6847459cf3a025ad2aab272034dead426071b9c6a013417e8549d42edc7eb20b93a781f03215074e61dbcd910152bf6d29

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
128KB

MD5
3439a0f1340b836d9b8042598f104592

SHA1
b5ac87f2006c899fc1b0772c87455bfb9502f307

SHA256
6374934d93f8d6861cb226c3d3f380cf5777c59773a764809583cdc93dcb2e5c

SHA512
03eba336e1f1dbc4153c3ead907c4657724bb779f864678a6bae479be6f062115c49ac0fc62aea32d2b3170957825d17ed96f369580437e64fa5ced3ac6a0b58

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
128KB

MD5
2fde783245c1c61e7766abbf1f682d0c

SHA1
61152b95aa61d8b5d40eb4e62c9c113286492b1c

SHA256
4a83f981aa86aa7c3ff7c6c76666f98ef305743c3f156d29b7464b1f51eb8aed

SHA512
40e02361cc57839062800d13c37db94f4495ac2e2d97983910133aa74840552bab87e17a7b75b4dd7c9b9d63e1aa8bf1a4e45da4e1042cd6eacc8ea36810dc89

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
128KB

MD5
2ba404dd22dafc880bb0e3cb8d5f34d2

SHA1
9aac3ce56b1f374dcc12022d1a330f697e77a27e

SHA256
708f453738ccba9a7d30c031893a7a85a189eb809e085d7d4c6adff558bd9340

SHA512
492f0a9192449f92da1ca81e6a0c8356202781ef65370e4599187bdd682045e8255f328ab344632d9eaaabf3ef583de6a2cbb84860c8ea04b35ae3069b88f874

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
128KB

MD5
48f2325f04ea67abb1e3b7472ac20691

SHA1
ba2bde58e9df757b96630227fedfeaee800efab5

SHA256
1a9f3c2ed1ff34abc80b2b9de47e9d01e75b08abea9af4180f135386afda2233

SHA512
a3b47e7820e0a586ad93bac3571a109212f4a0a8b2899cb5f945943da9374aabe974a4bad763a1384a18e1b8176489a773be97158fda6fa5725a2f7ab24cea48

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
128KB

MD5
a8de414b971d797cd8411b4a381264f6

SHA1
6427e5e19575739b3ba87a76a80e15c11c843154

SHA256
f2badddbc989d4c2a747865d1e3e77f7d386d34031d51b091c5d5046e5f5227b

SHA512
f8fd979b0370dbfd8930cc3bbeb8d97819560271daacf262ffaf6dd9b11d7890d78399d0078c2a8f3e10c950f582f4f25e9e187028f0170021ac15f296a4804a

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
128KB

MD5
d3a7097cc48b322c5c41e17f23ca5ba2

SHA1
ca9e11a5c724b5852d83de1caec9416b94d80f41

SHA256
991106ca95617d2bfed53ac99611f030f6b3a0e4ce13a03be53c7fb3a0bdf912

SHA512
15ff37bdc53d542ec2952ca73543c7cbd31dcecc74e0f3d6b03ffef0427d2a025925115466ac11a8bc76339fd7c200419677adf97fc40e24909729c20c8e8ccc

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
128KB

MD5
88b1a3608d551eb1b0c144712bca160d

SHA1
4d8e7380431a418598a2493bde22ffd612d51405

SHA256
0aa9ce3408c261d5dc6c5263e9478b0c9af63e8d1792f0152d72c0e3bd141cd2

SHA512
b3d9e5424e285fccd70445ffb142e0cb3b56ccc9842122bd9377674987e72f1c27478f0a375c807d4f06e9d5586591b949d20edaf79d04c99fe9521c7d62a640

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
128KB

MD5
05c38245911e928690aaf652d64ab0fb

SHA1
cf6c165c0c53d70c5441ad60b1f488bdbdaf7b5e

SHA256
27c908480aad03f7516a0fd69be57bc9155e8dfe5cc286ae1c49afc4356cb793

SHA512
fddde936df9a8526f6b3844981369bec94ec11840b5eeaa87c242158e1e8ee21366a3f18113559c7a3eb9a16e6e2fe818da7b240a9ea8671bdb1078bc800e9d1

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
128KB

MD5
413ec6b4a691502afe3668ad53b2dd29

SHA1
673585502f6ea2b4b0cb1f6ac446b100aa38ff5e

SHA256
bf26f6d31c305788caf66c85a983b33f06c5ef3fc960362348d7b57dac90897f

SHA512
d5c8fa00af9f89187acb82d3d31b9535dc8a8de103100fd89cb49a2c88edba9db5bca11b7d3c422712cd54443f1f7affaac6f725fab98c9b0e055f3fe7a6c183

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
128KB

MD5
a1e673253bf5e1c064d170904eaa9cb8

SHA1
611f4f756c1b77b632310749600e35f9501b4490

SHA256
ec83963aa21888065514d828273112f52514e8f2011e9a0d314237e09ab07966

SHA512
1bdf5ade0fe0f72dc9394bdf2ef07f8f8813a380ce2a0d9d135c5dd52dfbcdb97e27c3dd56160b451ac7a734e7eed803187b49734f7524946f4580cca2a59235

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
128KB

MD5
40828bcf3e40330b74a3c70fc62f68f3

SHA1
026a2bb83770d052409f4954fc0acf26f3cf57dc

SHA256
c33cc8921abb397dd3e652c415f0fbfc73a8b1c6a6a28f2d116791fe1e673205

SHA512
357aea806aa0ee99514e492b43189850f755661de50b560f01f2fad512d7526b719b3cd6ed6d924d69f1b00081cd31d486f1bb77b3ad506b7166986e85d057f6

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
128KB

MD5
6468a9a821c3f079f832ab1c1bee2dfb

SHA1
4bf9e965f956c128c37f3443c0a81a788636358c

SHA256
a6a4a3275876d01a3bb53092a4342909e849d19eef342bd1b67a93393d5f53bb

SHA512
f7c546f24979fd5bff1276e4b9e8eb4cdb2cacaa04bd588ed927752150fa4b733ed5fd7df5260262bb4c1126dd6f38e567106404c56645bf39cd99e4a942a045

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
128KB

MD5
67f22e5297f72fa02b1fe5353e683bca

SHA1
ecdb8fd248cb1902aa42b69778fd9bc6cedcfdf4

SHA256
ca6711647bba23e075707a66b25ff461bcd7c65d742f7b5a37f1ee0ace73e7bd

SHA512
4310847fcde48664a79ce612ec7a1efb83199b50e9503b59e12c74a156a7b3e850f808e3a8a66a6ef017d815b4896f3f414e46908d0b9502f99478f88c1b0e08

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
128KB

MD5
18f128c24e1162eeea933682abb7cd9d

SHA1
0ea705e4dbde1ad72db0156f818a80d16c5b1837

SHA256
65ca8c9e691e0f06bcc426ae14154bcaa5c0366eb9126d3c095ec9b4f9d48ad1

SHA512
b97ad87389c46960f6fd5d8c16583701ec3bc36120fdc931878c8065ec38ae218d7997481d4899babeb440fa073242b4cc0d87684f6fcb97df7531d80d0dbb91

Download Submit
memory/216-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/220-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/688-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1584-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1788-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1932-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2188-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2188-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2320-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2504-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2540-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3240-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4256-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4644-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads