8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
Size

88KB
MD5

8b93acc27513a2d22eeb2693d7d00d25
SHA1

0588a421315f448cc6be1f0d86b1264f68f0b6c8
SHA256

8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d
SHA512

632101dc67335ad4b8e3452812cbbf8aaf6e3db55047415bd2af032a69712bed5f25b0464d764097db85e6bf07029d8d2d16ee60a73ca367bdf8f2a524110b52
SSDEEP

1536:qrAhitgiENDCDxJzmzsPTLq1NG3i7oPcDiDdJ1Ens/Lhnouy8L:pitjcCE1Mi7oPcGEn+BoutL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe

Executes dropped EXE 64 IoCs

pid	Process
2184	Lenamdem.exe
2352	Lmdina32.exe
1960	Lbabgh32.exe
4236	Lepncd32.exe
5060	Lmgfda32.exe
3088	Ldanqkki.exe
1784	Lebkhc32.exe
4620	Lllcen32.exe
716	Mdckfk32.exe
3236	Mipcob32.exe
376	Mpjlklok.exe
5048	Mgddhf32.exe
3920	Mmnldp32.exe
1756	Mdhdajea.exe
3736	Meiaib32.exe
4196	Mpoefk32.exe
5076	Mgimcebb.exe
1040	Mmbfpp32.exe
2084	Mdmnlj32.exe
4664	Menjdbgj.exe
2192	Miifeq32.exe
3032	Mlhbal32.exe
4356	Ngmgne32.exe
4544	Nilcjp32.exe
4836	Nljofl32.exe
4328	Nebdoa32.exe
2504	Nphhmj32.exe
4412	Ndcdmikd.exe
4316	Njqmepik.exe
912	Npjebj32.exe
3084	Ngdmod32.exe
4560	Njciko32.exe
1116	Nlaegk32.exe
2960	Ndhmhh32.exe
692	Nggjdc32.exe
388	Njefqo32.exe
4948	Olcbmj32.exe
3220	Oponmilc.exe
2508	Ocnjidkf.exe
3344	Oflgep32.exe
1732	Oncofm32.exe
1000	Opakbi32.exe
4396	Ocpgod32.exe
2016	Ofnckp32.exe
4644	Olhlhjpd.exe
4172	Odocigqg.exe
3268	Ojllan32.exe
3328	Olkhmi32.exe
4540	Oqfdnhfk.exe
964	Onjegled.exe
1664	Oqhacgdh.exe
2304	Ogbipa32.exe
4364	Ojaelm32.exe
4380	Pgefeajb.exe
1472	Pqmjog32.exe
4344	Pggbkagp.exe
208	Pjeoglgc.exe
4828	Pqpgdfnp.exe
868	Pjmehkqk.exe
3700	Qqfmde32.exe
4488	Qceiaa32.exe
2912	Qfcfml32.exe
3564	Qmmnjfnl.exe
2388	Qddfkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mgimcebb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5320	6108	WerFault.exe	205

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pqpgdfnp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2184	3512	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe	83
PID 3512 wrote to memory of 2184	3512	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe	83
PID 3512 wrote to memory of 2184	3512	8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe	83
PID 2184 wrote to memory of 2352	2184	Lenamdem.exe	84
PID 2184 wrote to memory of 2352	2184	Lenamdem.exe	84
PID 2184 wrote to memory of 2352	2184	Lenamdem.exe	84
PID 2352 wrote to memory of 1960	2352	Lmdina32.exe	85
PID 2352 wrote to memory of 1960	2352	Lmdina32.exe	85
PID 2352 wrote to memory of 1960	2352	Lmdina32.exe	85
PID 1960 wrote to memory of 4236	1960	Lbabgh32.exe	87
PID 1960 wrote to memory of 4236	1960	Lbabgh32.exe	87
PID 1960 wrote to memory of 4236	1960	Lbabgh32.exe	87
PID 4236 wrote to memory of 5060	4236	Lepncd32.exe	88
PID 4236 wrote to memory of 5060	4236	Lepncd32.exe	88
PID 4236 wrote to memory of 5060	4236	Lepncd32.exe	88
PID 5060 wrote to memory of 3088	5060	Lmgfda32.exe	89
PID 5060 wrote to memory of 3088	5060	Lmgfda32.exe	89
PID 5060 wrote to memory of 3088	5060	Lmgfda32.exe	89
PID 3088 wrote to memory of 1784	3088	Ldanqkki.exe	90
PID 3088 wrote to memory of 1784	3088	Ldanqkki.exe	90
PID 3088 wrote to memory of 1784	3088	Ldanqkki.exe	90
PID 1784 wrote to memory of 4620	1784	Lebkhc32.exe	91
PID 1784 wrote to memory of 4620	1784	Lebkhc32.exe	91
PID 1784 wrote to memory of 4620	1784	Lebkhc32.exe	91
PID 4620 wrote to memory of 716	4620	Lllcen32.exe	92
PID 4620 wrote to memory of 716	4620	Lllcen32.exe	92
PID 4620 wrote to memory of 716	4620	Lllcen32.exe	92
PID 716 wrote to memory of 3236	716	Mdckfk32.exe	93
PID 716 wrote to memory of 3236	716	Mdckfk32.exe	93
PID 716 wrote to memory of 3236	716	Mdckfk32.exe	93
PID 3236 wrote to memory of 376	3236	Mipcob32.exe	95
PID 3236 wrote to memory of 376	3236	Mipcob32.exe	95
PID 3236 wrote to memory of 376	3236	Mipcob32.exe	95
PID 376 wrote to memory of 5048	376	Mpjlklok.exe	96
PID 376 wrote to memory of 5048	376	Mpjlklok.exe	96
PID 376 wrote to memory of 5048	376	Mpjlklok.exe	96
PID 5048 wrote to memory of 3920	5048	Mgddhf32.exe	97
PID 5048 wrote to memory of 3920	5048	Mgddhf32.exe	97
PID 5048 wrote to memory of 3920	5048	Mgddhf32.exe	97
PID 3920 wrote to memory of 1756	3920	Mmnldp32.exe	98
PID 3920 wrote to memory of 1756	3920	Mmnldp32.exe	98
PID 3920 wrote to memory of 1756	3920	Mmnldp32.exe	98
PID 1756 wrote to memory of 3736	1756	Mdhdajea.exe	99
PID 1756 wrote to memory of 3736	1756	Mdhdajea.exe	99
PID 1756 wrote to memory of 3736	1756	Mdhdajea.exe	99
PID 3736 wrote to memory of 4196	3736	Meiaib32.exe	100
PID 3736 wrote to memory of 4196	3736	Meiaib32.exe	100
PID 3736 wrote to memory of 4196	3736	Meiaib32.exe	100
PID 4196 wrote to memory of 5076	4196	Mpoefk32.exe	101
PID 4196 wrote to memory of 5076	4196	Mpoefk32.exe	101
PID 4196 wrote to memory of 5076	4196	Mpoefk32.exe	101
PID 5076 wrote to memory of 1040	5076	Mgimcebb.exe	102
PID 5076 wrote to memory of 1040	5076	Mgimcebb.exe	102
PID 5076 wrote to memory of 1040	5076	Mgimcebb.exe	102
PID 1040 wrote to memory of 2084	1040	Mmbfpp32.exe	103
PID 1040 wrote to memory of 2084	1040	Mmbfpp32.exe	103
PID 1040 wrote to memory of 2084	1040	Mmbfpp32.exe	103
PID 2084 wrote to memory of 4664	2084	Mdmnlj32.exe	104
PID 2084 wrote to memory of 4664	2084	Mdmnlj32.exe	104
PID 2084 wrote to memory of 4664	2084	Mdmnlj32.exe	104
PID 4664 wrote to memory of 2192	4664	Menjdbgj.exe	105
PID 4664 wrote to memory of 2192	4664	Menjdbgj.exe	105
PID 4664 wrote to memory of 2192	4664	Menjdbgj.exe	105
PID 2192 wrote to memory of 3032	2192	Miifeq32.exe	107

C:\Users\Admin\AppData\Local\Temp\8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe
"C:\Users\Admin\AppData\Local\Temp\8dbcb10531e19c9484f80da0c57d0c4b9a9687d8dd4f5aee0d244b2a8fc89b9d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\Lenamdem.exe
  C:\Windows\system32\Lenamdem.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\Lmdina32.exe
    C:\Windows\system32\Lmdina32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Lbabgh32.exe
      C:\Windows\system32\Lbabgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        25⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        31⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        34⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1568
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        78⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        85⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        87⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        88⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        89⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        95⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        99⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        105⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        111⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 408
        118⤵
        Program crash
        
        PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6108 -ip 6108
1⤵
PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
22e83b66fcad7ac61a5d60ceb5b29761

SHA1
188a345818db5afff7951a3ef18d03eb980750de

SHA256
00bdef76b9ac79e9bb3306d16c6f319dadcad797ca304be0b8db46ab706be480

SHA512
9bd838173d85c0c2867761036620b64376501ad25eea581d456d818289df17fd6521a88678a9bf3bc372e2b2f14bea18ca69688b1f41d35ca1e9204fb8878a69

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
88KB

MD5
10a7c9d364fcf527a5a1986530f1eeda

SHA1
9cd11f441bf05651efdb263156a3cc2105277620

SHA256
4034302d7a28248fe8a9560c0000869c30df8551aab1d20df0e82b69fabb341e

SHA512
05f699bbd9683764eec167da4aed75d66577f886f0313589b3b22c2d6a228ad23373a65c383d464ebc6069f17484295946702fcc181dd67ae72318aed50b29a0

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
88KB

MD5
6f8e8239ced51ecc32aeb1baec661abb

SHA1
15c57b2398ba10c2843ad6b9eb735f5902b272f6

SHA256
e23444e87b5b0dee1639fec3dfd350af9e13c8b0fba31664fd4895eaa7fe38de

SHA512
fb8eb32dfd8b4168d1edb9a984fdf4697ff6082a9a330320b38cacdabdea6b3bd4b69bcdd27734489275d145ce8ca770d0f5ade679c4405a71c2caa1563cfc32

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
88KB

MD5
2bee5635c1ee87cd2253b31b37e5f5ed

SHA1
e31b0acfc510aea8255874aacf7a6d709fa62005

SHA256
68b2add38993a0a4d521c6c4e2480b8831e8c0d96e720389421718a4caac4fee

SHA512
075243197837f79841fab78ac12ef4df0e50082412899885800ce502a5e735336613d88c3640260ee061bde5546cf3ed0200cbec1905d4524dfec6c2347bcbb9

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
88KB

MD5
a8f0a7bf25907ea10b78082a113efb6c

SHA1
1503ec68384e5508e6e7e729f6639f878491ee2b

SHA256
5437af8e85622fa96f06ff2bb1ddddbd20d3663d30e3fc930986cfdb8d83168c

SHA512
02463fd2298eef522ecdc51efacb39840739be752ab07bdaf3759c63f66eef949e57d916fa5220f019c55a169f431ef176ce8cb94ac12141e532850bbd781df0

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
88KB

MD5
e8f01565244ffd99b08fe229466bd386

SHA1
fe734266fe0fb653494fb775677f2fd5e84391d2

SHA256
9cb43f4eeafb1f4d5223e9e0f80b6be3edf5bd8470b4d9f938d0cefed93c078a

SHA512
4b337f458d09d10fbb054d469dbfa004143feb9704c34d274eba18358c2b8f8a89b1931422b48a95e51ce6e2aa7818444a0c50411893fef5edf813ac9556ff97

Download Submit
C:\Windows\SysWOW64\Jjhijoaa.dll

Filesize
7KB

MD5
922a742bed1883669b5d0044abdfd8c4

SHA1
e032723bd695fb48e9f5bfa0f61ee604da695a51

SHA256
55d276db35bdb51d881894ac056cdfb6e42a43316bb8bf98fcf17816c30a5db1

SHA512
4fc4920a71713a977682e41849791302e34c04ca0beafe58fafcd213964ec01577669b28fdbbd8a1ee324892222e2742270ec41a611ae85d62d14436db26ccce

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
88KB

MD5
44944e81089e32341ed6ba5e7c609080

SHA1
6ebf576828cde44acce2611fd32da233c996f35c

SHA256
d053b8d88e7dcf2b8af3fa17ca2035650109cd2f23380cee00cb29ab01a925ba

SHA512
0c0b05038bb08a64582bede5f5caad3ba1c7cb1911b0ee2208fac3502d2c2409cbee828d3556d64a031e9cc7570b0ce4b6a05b4c2b6b1cb7fe79ebaf84df1bec

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
88KB

MD5
3900f3d91e91a0e91fd3c3627451ce1a

SHA1
dbe0e4776695128038f60574d38709c36d7c571e

SHA256
96e997f866dd26d34797842824cc4acc7720def7c066f5daf4f91dfced125c2e

SHA512
e240eb998e821404bc91b148f89be79e28961a8d4f31e8f16d9460c85092d4807a043f6198ad1bb5eb5276041f739d4abcdc950eaa7d842fa2b2386fd331b9f0

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
88KB

MD5
480e26d09056a156009c881b3d009401

SHA1
886a87186170149880c6ef600a668e16e3216aa5

SHA256
e686fa8873376ef783eab33c102cb7ee093eb52677a9b43c49669152a66a7874

SHA512
b2f90fbfc11d1e11e8f287048a4e2d1db206ea78c82d4d5dd204f231d2085ea734d7f42191f8602b41aa7999d181d55eaaf74a79a44a5a90d98599bc6fa6d98a

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
88KB

MD5
8b86b542d1025baa350b0890871160d0

SHA1
ff7e62c81ba53c2be138b8215b6ad4982ff43ad8

SHA256
548670dabad03534f25ef9105d1a722d511e5a8774cddf1debca3b50090e77c2

SHA512
e6e999a61eaf704c089fcbbe7e4fd3f1f51cd2c1b3629fcc9fbd9c169e2277262c90605b43e220de23153965f6cf0b46e7220b5772d80ea95b399d0c9c61af9d

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
88KB

MD5
052ae343951bb087262d3d7a6a7239ad

SHA1
0651dfec032871077a6959985efd60a643f713b3

SHA256
ae4eb6a53bd10546a3f7f33f631e200cfdabd49770d9c4b47ad3eac72f0c3d43

SHA512
9de62ed85b72cbc8cacde06808c671f73b77b33c57e3cb0deb9bae09577ca36242160a8004b773d33fb98e0dfbd37b65d385684b482f8e87d874772e01b5345b

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
88KB

MD5
31d791cbee55c60f17a89f9531f531fc

SHA1
ddbfa6535ff1d405f89fcc66f9ad33d97050af6b

SHA256
84c641a1a9448e02615b68c7a604bed52cdb5564a3570a5379807a67f5d35a72

SHA512
7f5e756e680f871815488291e8008d0d5316da1be26191095731893f8c445154c89ff7ca476d384838db524159a7f129e555e14530efc6eb252b859a57a00a2e

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
88KB

MD5
349b87cf4fd24580168c0bf225c559f9

SHA1
5d276f2c15de03209b9f0f3c67039af9396c0f3d

SHA256
764471580d1990518224aa17735c4984e761e479b9f13827c95d86c7327b373c

SHA512
aaa393e76de5e0c08ff7841f7fc520066c04fe25dc5306032930b4025e229530e5e161d37f694ff0a64865b88c3af6ec85c3e98897f10e462224a8232bebea0b

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
88KB

MD5
d8ebdf88a07508873519959b75b9cc7b

SHA1
ad451d583d8ede7f7a53ea314b379550b339e408

SHA256
25c582551b833ae001cf7d274775fe0c9993bc323a9493831892bc0ce0a9510e

SHA512
cf80a160f47c6baaef27e8165d8dbfeb83f97552aa1a6e042643be07017dd283eb3bc6a99cbfaf7ff48c7634d06dd4d2557b365b26725942b2db8e05264a49d7

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
88KB

MD5
70b1f89d17a165f0f0431165fe1aadd6

SHA1
a540f99adc26a9295e49aa5b446391467f718215

SHA256
00e0706d9e182dec8a85c5dcc5fc7f591c3b41f02a884f64eaa11f8c5ca0c835

SHA512
f98bf43ac3aea5c82f91eefa8690cdc5e53a445b0487ac7ac5178fec9fc5ced99b186cb1e8cb2ad6b7134e714fb0a44dd18c0a17677e2baf69105bf5e2421463

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
88KB

MD5
5a83675b5b229cb16689d150d5ba2d7b

SHA1
f97eb177b0baf8fd3dec91f819d8283ec3102c2c

SHA256
4070f163b0ca2a1daa5e4ff61a65f79752830b6abac4c674e10aa74e3515d776

SHA512
916d5a7b2c0d1d047d58af8fba8cf2231a85552cfaed64415bbbda0db62b3111915e45b2c2cfa0f1a0248d03725a4f431f7ecddedeffceb43f1ea747038aeab2

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
88KB

MD5
961ee51507fb8542fec0ddc5a6b98e0f

SHA1
03e75f3c1a3f9ec5169211ebe4c4f148ab49270c

SHA256
e05a348ac3043eb7f61e627ff692dcd826a96f1e9d9b38b9a26689020e81f30e

SHA512
c6aca63dd1aa78a340d063e1aba0c203ce807db35cd2643df56c602b56daaaf2aef8fd9a8ad2731cd50486090a2ee92136853f4be77ddc58a313d2a1ab622a93

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
88KB

MD5
ac91c732afdb7caabb617186746f2983

SHA1
b89f53172177351d0c601b05f01f0cbdb0d70403

SHA256
4a11a56e83e9a29f34338deefc8248343b79fec1dc8cd4e656b1ac73521c002c

SHA512
c2ef93abb66fa24e1d77a02312150c9ec677c309bfafa65bf5506d1b17ec32fd1d36a8de9335775d22af36d09f58ffba329ea02e0b9e2ae04b36af0a11108011

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
88KB

MD5
45933382286fe087cdf65b1b1f40f505

SHA1
ba4d5ad0fdd6346100c6dcb04bdc5cd9522aacbb

SHA256
7becc4bddfe30311ba6581741d25c38af35625cd0f67eed66b171ec99715e357

SHA512
04dc5f731576cb1cc9804a3caf174d1f5aa63f8495429b2e97b59651dfca692ad45bb6abdf73df2981f1433fcfa99f3ff87a636e3a1e8a06441edad562e706ee

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
88KB

MD5
21a4a9e6415c2ec134c68716b816edb4

SHA1
86f0c3a050639cfdda3aedbe7913ba1255fc1eac

SHA256
3641ff358e8b8e92fff5375473b97186a34d4d025f11907fa502ed26eb51cd4c

SHA512
f53b6608b3bedc3204f8498fc3231ce233315dd7d302ad778de86ad618be0e3ecbf02564d8f0e3d495a8dcbeb9c8b532e8582571a87c6fc707ca6d711634676d

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
88KB

MD5
11e2698fd59ac7961986930b10b26043

SHA1
a6648f8f789321e71887f5c4449cf9e4b8b6a397

SHA256
e62c208a8b0b1c582bb8a65f04b5635da38d33d47e70c62f167fc7f38a6da9dd

SHA512
b574e7e9867a23fcd670ad35dcbc1fab80b7666d5a81f7852ada99bda64eb722505b71a2da1819f03096910a186fe0231652c8dd0973ab105e031611abeee8bb

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
88KB

MD5
6fc716adb0a96ddbd5235f30fc498075

SHA1
5752ae3b34fc6b3ab48053d21c86bc62443aadef

SHA256
9c0c0b875cc029fccb9dfbdcda17298d07f062230f158a249acb6b9edb14fdce

SHA512
8d4faa339c29f6d2151f1e3ce1b937d8704c390f983487672178c617a11a4074e58e0c9919957d5c7df5d7a8327f6be5cb86f6fb90d8eb64b2af77a57554a10a

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
88KB

MD5
d1625ea5692409990f9a5895b4ff928b

SHA1
0ad3a4308a681a79b8e5f9a2b2a410c4004c48f9

SHA256
d05965a77c29505864b2cb36faac860e7884224d106620e0e2daff9687d09227

SHA512
04096682e0d7c893479483fcd0e86a47f9b79840c590279db71b81b3efe47f4ef85e0756e15a3a45b35a403881567aeaed45062ccba480e5b7afbae71d708866

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
88KB

MD5
569b193f0340ed8a5278c47c62a0cbb1

SHA1
82ee42c58d50c1e8ec4a1789fc1bd5ae94fdebd6

SHA256
27ead5389a38110a3a26ea457cf951baf27b7a0cfc63d63e34bfbc39c13214f9

SHA512
ff3d379954385a549dd24cb3a9de138d4fe0a6d0dcccf52948bf970af8e9372d2724ec80d5820abf095d3494f760f816264b905d5fb4d8f5d5ab0288d430c2d3

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
88KB

MD5
ba4d28020d0ddab4ae942798e134f68f

SHA1
1ec7bcd2379abc22491c1fcfb1f5a738cf00c14e

SHA256
5bf40dc862afd3519d91734aea75e302de40c2c475d736584f8540f55914df3b

SHA512
d55e75187522d2d786477ad314002712450e8e220a2c042a3cca262619748c775a79eea6070a07919a31a61cc576d518c2887651f022f9c6af966f25ef84a373

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
88KB

MD5
2e98ce3637a91a729359182ac6ecb8b8

SHA1
3156511e71999ecd88b02864ea887dca08e16e8a

SHA256
e4aeed6a76fc81f70be7489f057fcaac48a6910833c83eb8e644b1d39207e31a

SHA512
4db172660d3568539cf24b9e64c88b88d924f95bf82cf14f81b53fbfba42c3a564ff5b5e43d8d4fab8d28bc1c9d6490d1f6e5317bd786f7750e5d3eac9c75fc6

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
88KB

MD5
f69c99af64fc65b512ae20c58cc02f98

SHA1
458b9524f096a9f91495d969af9ef5f47cc0cb0f

SHA256
2333498c0b7978aa76bd955d3c8b966ee8a3503b83d419391419202d10c00f76

SHA512
b0556789111b4c15f291d6a4f1ac605f5e940172358f196a4d8bd7d90b65fb342e372e953d5ee73a8a446c780265fd4a151e6cb313b2872b02fc3e902c8699f0

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
88KB

MD5
6816c3d844e113cd6d8203d67efc4600

SHA1
778398581410081de0f2468207e7f80e53ba1ff2

SHA256
d9df46151f5590d87ee213b3b81b3511831afe6079b03da7f99fbc5e72908315

SHA512
837f24575e05440f1046be4a2a04c43fcde8c42280e310a0577a762151908e27deba8edae63439b9ce610708d212af7b678a290b90a186c764364aca98e62a0f

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
88KB

MD5
0be16e44695035ade1c51c44a5fc4a3b

SHA1
05b82ef6c0f503dbe5873e51a2794777b8066241

SHA256
dc6a8ce20bfb8f2283339ac09961d24416e31096765ef49baa4e068f2ef180c6

SHA512
ec9fdd7733198adcc27de4db92bd5102675f2a5405b6c56f678c48ac8a4bab49a8d40277ed7b668aec01efe2f3e501ebb54075c55d8d2aa3cd8783b8a4991a78

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
88KB

MD5
a76a75f0442edae35448d12f58f059bd

SHA1
4caecb7e3914d9bf8a1b5bc7a8b685e548fef605

SHA256
c8e1d254f06658253da6e60b17729405a0eaeca6b7b5858e1c62a88228f36f7a

SHA512
247b45dd8b3331be4f589a04d4ed6e2ea24af2fcbbfc487b9002ea76e0c1aabebbe327cc56b07b4246d013b5368ff68c9d9f57e62dc6ec562283ffa4c8c46d3e

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
88KB

MD5
96c040ca428cbf69a51e9d9948e4d9ed

SHA1
ea713207b0aad5225045cce760d48b16a8b4188b

SHA256
ee5b2099e0ef64d494ed4cac8e565dd0cc08380c5f4c7691013803ecb3dcb839

SHA512
b8ca185bd9feaeadeecf9775e82dbb632a16cb5564ab7a094d1a91fdbaea556caff28b0edb5b635c44ba0fbbef228a2b7df5aa3613fc622d9ac273483f821577

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
88KB

MD5
910bc2737c559f1cae049800b8683977

SHA1
45e5e0b6e19be640aa4ff5ca33869964a04c50af

SHA256
5ae28d0715e6776a9b47339863f0e2dba6dcd7eefcbd161d6c3ced890735e003

SHA512
7026cac3924a67cff2af562e63e91cf43603ea1c29cb3cdcf1cf7477334aefacfe19cdfdfca5bd425f0c2430888e4b5170202a4c5ddd36d4b8857aab50012243

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
88KB

MD5
c73e55ee221563d865231a16b6125edc

SHA1
e3619af84597facb1e483096a6ce076812a056b0

SHA256
6d22e33ff9b2a2563e183234bde4599004ce9aa5580f81d2ad6b3f646eda06c9

SHA512
f1e23884546adb9961e80393656ee4d1646384dd97db6b6f0d25db138a1b6a1eef26186333d66cbff865c2da7e4d92e49859ad9741fefd2964f08688d5cf4713

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
88KB

MD5
3a09f2aa399ac680257858f51ed51f4d

SHA1
d499e301d8ebdf66f01b8e9296e77e06854ed567

SHA256
13e9d5c222fbf687f643d20c2e34b649650995863fab726d01189972db1592b1

SHA512
7d91f8c48f67c669b6b30fc02ee121c4455e7a669dc7b4a61ab41756199f9c1bdd0bbbeb29d265481a7820dbf46d7efd4264030ae20b6ad11f8d39dcf123852d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
88KB

MD5
5acd7f2407d91999cb47f3eae20fdbbc

SHA1
9a2bcfacf9ab623212aab84bb0f5561be5bf4c04

SHA256
8f834b49c4a4331aaae6c6e3711d3a6681566507922af74df3b826b00bbcd6e5

SHA512
f7ed3daf2182fb9d29a1dee369ae4a8d08415d15fd61eb4daea5390daa887346239314a4830c754091e92e74a3d55d23abdd710047126e472e1e34105659e2de

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
88KB

MD5
d88edcf87278f34932c24adc3afe7552

SHA1
3ed86196bc32baaa83b39ebb770ed904cb75d791

SHA256
d70f2c644913bdf97f797b08beeb1af70ab0f397b375ea8f4240a34bbe36eac2

SHA512
1ec47df8d1e313f390bc970db0c28142e18735bedfc01806655b2ccc75ff25731b0ebd6bb313b126f1409dbf977c3046caf089eaf88a49ed52134d9077bd87b2

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
88KB

MD5
c1852ac33c83e7084ea791980919ce47

SHA1
a10f3d4f67e9b160e095d0dd4682fefa2f66ce63

SHA256
c2492c7748a94541ae3132aa85b85d066c0543a8ac2229adc5c179bc43589cf1

SHA512
16c55367a2dcefce3b5e44507ecb3a00c2c6add4fd6eabee336df211d2b7f69bd17bf8f81645ff7cbd49b98a560efcd55fc8fa328fa864ef46d4109db8b49d31

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
88KB

MD5
e2f44cb0a07598dcfd76464bc34d579c

SHA1
0d8f43396ec447c966d3948f136ece7ad400d364

SHA256
a9e4d379c10dde4fe5b6082997148da1e14cd6b45c3bc33cfbdaaface4a1a1e2

SHA512
af632b24c9759bc71b2991fd179bf65434d88d21812c845cf00aadea1b691e3d9d9689ac1c937f26307ed567de23191a58eb06c8dc9f2beda00e77fab167819e

Download Submit
memory/208-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-878-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-871-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-877-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-876-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5280-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5336-855-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5336-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5392-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5436-851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5436-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5788-838-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5920-833-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads