080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27

Analysis

max time kernel
125s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe
Size

80KB
MD5

230819220240e023dfffde465bf26b8b
SHA1

217291c76204976ef69ccb4506ad3e86d25739e8
SHA256

080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27
SHA512

a2354e5c719e23713da7b55fc5e703fcc8f0c00a686e3aa305906bbf234369f29d0d92f2d52341f6f1ea36a539a1f25cdba1c00471b51e050889cfd9ed1de19f
SSDEEP

1536:ktsT9AowREm+NM660E2i+zouvoTE5YMkhohBE8VGh:eHoVXNM662i+zomo0UAEQGh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okpkgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpdcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djklgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajjjjghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbdano32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpfbahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlobmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oknnanhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oalpigkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpobmca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqdbfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Decmjjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkefphem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bndblcdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cicjokll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkqdnkge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgehobe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmmkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdgehobe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjkiephp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niihlkdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppamjcpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaejhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjoknhbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqdlmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deqqek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkalnjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaejhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppffec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkefphem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffceq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dicbfhni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okpkgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akjgdjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcmnfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoiqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biigildg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjaiac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqbohocd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkiaece.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjpceko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkghqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okkalnjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpmmfbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjeaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqdbfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abdoqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqilaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqbohocd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miklkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdjpcng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjeaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dilmeida.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkcqdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkghqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglnnkid.exe

Executes dropped EXE 64 IoCs

pid	Process
4708	Mhjpceko.exe
4528	Miklkm32.exe
5004	Mpedgghj.exe
1176	Mhmmieil.exe
3904	Mjkiephp.exe
3504	Mdcmnfop.exe
2248	Njmejp32.exe
3700	Nagngjmj.exe
2708	Nfdfoala.exe
3252	Nmnnlk32.exe
4416	Nffceq32.exe
2244	Nmpkakak.exe
1148	Nhfoocaa.exe
2080	Niglfl32.exe
1668	Nandhi32.exe
2728	Nkghqo32.exe
2556	Niihlkdm.exe
1388	Ndomiddc.exe
4768	Oileakbj.exe
1116	Opfnne32.exe
1216	Okkalnjm.exe
1848	Oaejhh32.exe
2840	Ogbbqo32.exe
2512	Oknnanhj.exe
4316	Opjgidfa.exe
212	Okpkgm32.exe
956	Onngci32.exe
1352	Odhppclh.exe
3744	Okbhlm32.exe
1484	Oalpigkb.exe
1980	Pgihanii.exe
4348	Ppamjcpj.exe
2884	Phiekaql.exe
2372	Pnenchoc.exe
5104	Ppdjpcng.exe
4420	Pgnblm32.exe
1228	Pjlnhi32.exe
3600	Ppffec32.exe
4468	Pgpobmca.exe
1688	Pjoknhbe.exe
1800	Pphckb32.exe
2284	Pgbkgmao.exe
4244	Pnlcdg32.exe
3304	Qdflaa32.exe
4504	Qnopjfgi.exe
2304	Qpmmfbfl.exe
4012	Qggebl32.exe
4448	Qjeaog32.exe
2420	Adkelplc.exe
864	Akenij32.exe
3616	Aaofedkl.exe
2392	Aglnnkid.exe
4844	Ajjjjghg.exe
4776	Aqdbfa32.exe
4544	Agnkck32.exe
4044	Akjgdjoj.exe
4300	Abdoqd32.exe
960	Agqhik32.exe
2452	Anjpeelk.exe
1732	Aqilaplo.exe
2868	Ahpdcn32.exe
336	Anmmkd32.exe
3080	Bdgehobe.exe
1348	Bkamdi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jknbhdmb.dll	Niglfl32.exe
File created	C:\Windows\SysWOW64\Opfnne32.exe	Oileakbj.exe
File opened for modification	C:\Windows\SysWOW64\Bggnijof.exe	Bdiamnpc.exe
File created	C:\Windows\SysWOW64\Ljiochji.dll	Celgjlpn.exe
File created	C:\Windows\SysWOW64\Dlobmd32.exe	Diafqi32.exe
File opened for modification	C:\Windows\SysWOW64\Nagngjmj.exe	Njmejp32.exe
File created	C:\Windows\SysWOW64\Niglfl32.exe	Nhfoocaa.exe
File created	C:\Windows\SysWOW64\Jabajbcd.dll	Anmmkd32.exe
File created	C:\Windows\SysWOW64\Odhppclh.exe	Onngci32.exe
File created	C:\Windows\SysWOW64\Ajjjjghg.exe	Aglnnkid.exe
File created	C:\Windows\SysWOW64\Pjoknhbe.exe	Pgpobmca.exe
File created	C:\Windows\SysWOW64\Nepgghpg.dll	Agnkck32.exe
File created	C:\Windows\SysWOW64\Pgihanii.exe	Oalpigkb.exe
File created	C:\Windows\SysWOW64\Lhgdahgp.dll	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Ppdpcn32.dll	Dilmeida.exe
File created	C:\Windows\SysWOW64\Chhciafp.dll	080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe
File created	C:\Windows\SysWOW64\Clbcll32.dll	Dndlba32.exe
File created	C:\Windows\SysWOW64\Qggebl32.exe	Qpmmfbfl.exe
File created	C:\Windows\SysWOW64\Ckfofe32.exe	Cigcjj32.exe
File created	C:\Windows\SysWOW64\Dafhdj32.dll	Phiekaql.exe
File created	C:\Windows\SysWOW64\Gbjnanih.dll	Ajjjjghg.exe
File opened for modification	C:\Windows\SysWOW64\Abdoqd32.exe	Akjgdjoj.exe
File created	C:\Windows\SysWOW64\Anjpeelk.exe	Agqhik32.exe
File created	C:\Windows\SysWOW64\Dlkiaece.exe	Dilmeida.exe
File opened for modification	C:\Windows\SysWOW64\Mdcmnfop.exe	Mjkiephp.exe
File created	C:\Windows\SysWOW64\Nhfoocaa.exe	Nmpkakak.exe
File created	C:\Windows\SysWOW64\Nmpkakak.exe	Nffceq32.exe
File created	C:\Windows\SysWOW64\Oknnanhj.exe	Ogbbqo32.exe
File opened for modification	C:\Windows\SysWOW64\Dajnol32.exe	Dbgndoho.exe
File created	C:\Windows\SysWOW64\Eldlhckj.exe	Eejcki32.exe
File created	C:\Windows\SysWOW64\Fijbhpbc.dll	Anjpeelk.exe
File created	C:\Windows\SysWOW64\Odgodh32.dll	Bnaffdfc.exe
File created	C:\Windows\SysWOW64\Iobilpno.dll	Cqghcn32.exe
File opened for modification	C:\Windows\SysWOW64\Oknnanhj.exe	Ogbbqo32.exe
File created	C:\Windows\SysWOW64\Kblfejda.dll	Onngci32.exe
File created	C:\Windows\SysWOW64\Lhjicplp.dll	Pphckb32.exe
File opened for modification	C:\Windows\SysWOW64\Dilmeida.exe	Deqqek32.exe
File created	C:\Windows\SysWOW64\Mhjpceko.exe	080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe
File created	C:\Windows\SysWOW64\Cacjdgkj.dll	Mpedgghj.exe
File created	C:\Windows\SysWOW64\Bjqfnh32.dll	Dlkiaece.exe
File created	C:\Windows\SysWOW64\Mpedgghj.exe	Miklkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjoknhbe.exe	Pgpobmca.exe
File created	C:\Windows\SysWOW64\Kcjael32.dll	Qkqdnkge.exe
File opened for modification	C:\Windows\SysWOW64\Dlobmd32.exe	Diafqi32.exe
File created	C:\Windows\SysWOW64\Onngci32.exe	Okpkgm32.exe
File opened for modification	C:\Windows\SysWOW64\Pgbkgmao.exe	Pphckb32.exe
File created	C:\Windows\SysWOW64\Abdoqd32.exe	Akjgdjoj.exe
File opened for modification	C:\Windows\SysWOW64\Bkefphem.exe	Bdlncn32.exe
File created	C:\Windows\SysWOW64\Ckcbaf32.exe	Canocm32.exe
File created	C:\Windows\SysWOW64\Apleaenp.dll	Eejcki32.exe
File opened for modification	C:\Windows\SysWOW64\Oaejhh32.exe	Okkalnjm.exe
File opened for modification	C:\Windows\SysWOW64\Okpkgm32.exe	Opjgidfa.exe
File opened for modification	C:\Windows\SysWOW64\Cicjokll.exe	Cegnol32.exe
File created	C:\Windows\SysWOW64\Bqbohocd.exe	Bndblcdq.exe
File created	C:\Windows\SysWOW64\Bgodjiio.exe	Bqdlmo32.exe
File created	C:\Windows\SysWOW64\Jnbecgdc.dll	Ceeaim32.exe
File created	C:\Windows\SysWOW64\Jibdpo32.dll	Ckfofe32.exe
File created	C:\Windows\SysWOW64\Gnibpanm.dll	Ppdjpcng.exe
File created	C:\Windows\SysWOW64\Bkefphem.exe	Bdlncn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoiqd32.exe	Bkamdi32.exe
File created	C:\Windows\SysWOW64\Hhdbfa32.dll	Bdiamnpc.exe
File opened for modification	C:\Windows\SysWOW64\Bndblcdq.exe	Bkefphem.exe
File opened for modification	C:\Windows\SysWOW64\Bqdlmo32.exe	Bjkcqdje.exe
File opened for modification	C:\Windows\SysWOW64\Dbdano32.exe	Djmima32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6100	5772	WerFault.exe	208

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onngci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnnlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oileakbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqdbfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoiqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckcbaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjpceko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miklkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoknhbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggnijof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cicjokll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbnknpqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dabhomea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oknnanhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnenchoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppffec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndomiddc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkalnjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaejhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okbhlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalpigkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agqhik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqghcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdano32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okpkgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdflaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akjgdjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejdonq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffceq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agnkck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmmkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkilbni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canocm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djklgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djpfbahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkcqdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phiekaql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkelplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decmjjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhmmieil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnopjfgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkefphem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhppclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlnhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bndblcdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celgjlpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diafqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlncn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dijppjfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdfoala.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhfoocaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdjpcng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbkgmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niihlkdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqilaplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnblm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegnol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlobmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqdlmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbbdip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dilmeida.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbbqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pphckb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjgegjko.dll"	Mjkiephp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaejhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijbhpbc.dll"	Anjpeelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbhncfq.dll"	Dbbdip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjpceko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amnioced.dll"	Mdcmnfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niihlkdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaejhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkcqdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmcch32.dll"	Nmnnlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpkakak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhacdgi.dll"	Odhppclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajfpi32.dll"	Biigildg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijkj32.dll"	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggnijof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooodacm.dll"	Miklkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhmmieil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfdfoala.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknkkci.dll"	Ogbbqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkqdnkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldphm32.dll"	Akjgdjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggkfmfh.dll"	Dajnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dicbfhni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnnlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgihanii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfgcag32.dll"	Ppamjcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpdcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljiochji.dll"	Celgjlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndlba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgpobmca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakojnlp.dll"	Nffceq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niihlkdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haapme32.dll"	Agqhik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojbil32.dll"	Bdgehobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceeaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaoimpil.dll"	Cicjokll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojgmmgl.dll"	Oknnanhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odhppclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppamjcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbhjg32.dll"	Qdflaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkqdnkge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agqhik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjjj32.dll"	Djpfbahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkpjo32.dll"	Pgihanii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepgghpg.dll"	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdpcn32.dll"	Dilmeida.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dajnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidjgo32.dll"	Nhfoocaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbcmknk.dll"	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkamdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbndn32.dll"	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcll32.dll"	Dndlba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnojon32.dll"	Djmima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niglfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkghqo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4708	5076	080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe	92
PID 5076 wrote to memory of 4708	5076	080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe	92
PID 5076 wrote to memory of 4708	5076	080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe	92
PID 4708 wrote to memory of 4528	4708	Mhjpceko.exe	93
PID 4708 wrote to memory of 4528	4708	Mhjpceko.exe	93
PID 4708 wrote to memory of 4528	4708	Mhjpceko.exe	93
PID 4528 wrote to memory of 5004	4528	Miklkm32.exe	94
PID 4528 wrote to memory of 5004	4528	Miklkm32.exe	94
PID 4528 wrote to memory of 5004	4528	Miklkm32.exe	94
PID 5004 wrote to memory of 1176	5004	Mpedgghj.exe	95
PID 5004 wrote to memory of 1176	5004	Mpedgghj.exe	95
PID 5004 wrote to memory of 1176	5004	Mpedgghj.exe	95
PID 1176 wrote to memory of 3904	1176	Mhmmieil.exe	96
PID 1176 wrote to memory of 3904	1176	Mhmmieil.exe	96
PID 1176 wrote to memory of 3904	1176	Mhmmieil.exe	96
PID 3904 wrote to memory of 3504	3904	Mjkiephp.exe	97
PID 3904 wrote to memory of 3504	3904	Mjkiephp.exe	97
PID 3904 wrote to memory of 3504	3904	Mjkiephp.exe	97
PID 3504 wrote to memory of 2248	3504	Mdcmnfop.exe	98
PID 3504 wrote to memory of 2248	3504	Mdcmnfop.exe	98
PID 3504 wrote to memory of 2248	3504	Mdcmnfop.exe	98
PID 2248 wrote to memory of 3700	2248	Njmejp32.exe	100
PID 2248 wrote to memory of 3700	2248	Njmejp32.exe	100
PID 2248 wrote to memory of 3700	2248	Njmejp32.exe	100
PID 3700 wrote to memory of 2708	3700	Nagngjmj.exe	101
PID 3700 wrote to memory of 2708	3700	Nagngjmj.exe	101
PID 3700 wrote to memory of 2708	3700	Nagngjmj.exe	101
PID 2708 wrote to memory of 3252	2708	Nfdfoala.exe	102
PID 2708 wrote to memory of 3252	2708	Nfdfoala.exe	102
PID 2708 wrote to memory of 3252	2708	Nfdfoala.exe	102
PID 3252 wrote to memory of 4416	3252	Nmnnlk32.exe	103
PID 3252 wrote to memory of 4416	3252	Nmnnlk32.exe	103
PID 3252 wrote to memory of 4416	3252	Nmnnlk32.exe	103
PID 4416 wrote to memory of 2244	4416	Nffceq32.exe	104
PID 4416 wrote to memory of 2244	4416	Nffceq32.exe	104
PID 4416 wrote to memory of 2244	4416	Nffceq32.exe	104
PID 2244 wrote to memory of 1148	2244	Nmpkakak.exe	105
PID 2244 wrote to memory of 1148	2244	Nmpkakak.exe	105
PID 2244 wrote to memory of 1148	2244	Nmpkakak.exe	105
PID 1148 wrote to memory of 2080	1148	Nhfoocaa.exe	106
PID 1148 wrote to memory of 2080	1148	Nhfoocaa.exe	106
PID 1148 wrote to memory of 2080	1148	Nhfoocaa.exe	106
PID 2080 wrote to memory of 1668	2080	Niglfl32.exe	107
PID 2080 wrote to memory of 1668	2080	Niglfl32.exe	107
PID 2080 wrote to memory of 1668	2080	Niglfl32.exe	107
PID 1668 wrote to memory of 2728	1668	Nandhi32.exe	108
PID 1668 wrote to memory of 2728	1668	Nandhi32.exe	108
PID 1668 wrote to memory of 2728	1668	Nandhi32.exe	108
PID 2728 wrote to memory of 2556	2728	Nkghqo32.exe	109
PID 2728 wrote to memory of 2556	2728	Nkghqo32.exe	109
PID 2728 wrote to memory of 2556	2728	Nkghqo32.exe	109
PID 2556 wrote to memory of 1388	2556	Niihlkdm.exe	110
PID 2556 wrote to memory of 1388	2556	Niihlkdm.exe	110
PID 2556 wrote to memory of 1388	2556	Niihlkdm.exe	110
PID 1388 wrote to memory of 4768	1388	Ndomiddc.exe	111
PID 1388 wrote to memory of 4768	1388	Ndomiddc.exe	111
PID 1388 wrote to memory of 4768	1388	Ndomiddc.exe	111
PID 4768 wrote to memory of 1116	4768	Oileakbj.exe	112
PID 4768 wrote to memory of 1116	4768	Oileakbj.exe	112
PID 4768 wrote to memory of 1116	4768	Oileakbj.exe	112
PID 1116 wrote to memory of 1216	1116	Opfnne32.exe	113
PID 1116 wrote to memory of 1216	1116	Opfnne32.exe	113
PID 1116 wrote to memory of 1216	1116	Opfnne32.exe	113
PID 1216 wrote to memory of 1848	1216	Okkalnjm.exe	114

C:\Users\Admin\AppData\Local\Temp\080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe
"C:\Users\Admin\AppData\Local\Temp\080af4967397941af2a81409ad6c055b93101880c1855bcf140540236eaf8e27.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Mhjpceko.exe
  C:\Windows\system32\Mhjpceko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SysWOW64\Miklkm32.exe
    C:\Windows\system32\Miklkm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\Mpedgghj.exe
      C:\Windows\system32\Mpedgghj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\Mjkiephp.exe
        
        C:\Windows\system32\Mjkiephp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Mdcmnfop.exe
        
        C:\Windows\system32\Mdcmnfop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Nagngjmj.exe
        
        C:\Windows\system32\Nagngjmj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Nffceq32.exe
        
        C:\Windows\system32\Nffceq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Nmpkakak.exe
        
        C:\Windows\system32\Nmpkakak.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Nhfoocaa.exe
        
        C:\Windows\system32\Nhfoocaa.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nandhi32.exe
        
        C:\Windows\system32\Nandhi32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Nkghqo32.exe
        
        C:\Windows\system32\Nkghqo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Niihlkdm.exe
        
        C:\Windows\system32\Niihlkdm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ndomiddc.exe
        
        C:\Windows\system32\Ndomiddc.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Onngci32.exe
        
        C:\Windows\system32\Onngci32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Odhppclh.exe
        
        C:\Windows\system32\Odhppclh.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Okbhlm32.exe
        
        C:\Windows\system32\Okbhlm32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Oalpigkb.exe
        
        C:\Windows\system32\Oalpigkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Pgihanii.exe
        
        C:\Windows\system32\Pgihanii.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Pjoknhbe.exe
        
        C:\Windows\system32\Pjoknhbe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Pphckb32.exe
        
        C:\Windows\system32\Pphckb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Pnlcdg32.exe
        
        C:\Windows\system32\Pnlcdg32.exe
        44⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Qdflaa32.exe
        
        C:\Windows\system32\Qdflaa32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Qggebl32.exe
        
        C:\Windows\system32\Qggebl32.exe
        49⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Adkelplc.exe
        
        C:\Windows\system32\Adkelplc.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Akenij32.exe
        
        C:\Windows\system32\Akenij32.exe
        52⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        53⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Aglnnkid.exe
        
        C:\Windows\system32\Aglnnkid.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Akjgdjoj.exe
        
        C:\Windows\system32\Akjgdjoj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Abdoqd32.exe
        
        C:\Windows\system32\Abdoqd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Anjpeelk.exe
        
        C:\Windows\system32\Anjpeelk.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Ahpdcn32.exe
        
        C:\Windows\system32\Ahpdcn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Anmmkd32.exe
        
        C:\Windows\system32\Anmmkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Bkamdi32.exe
        
        C:\Windows\system32\Bkamdi32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bdiamnpc.exe
        
        C:\Windows\system32\Bdiamnpc.exe
        68⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Bnaffdfc.exe
        
        C:\Windows\system32\Bnaffdfc.exe
        70⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Bdlncn32.exe
        
        C:\Windows\system32\Bdlncn32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Bkefphem.exe
        
        C:\Windows\system32\Bkefphem.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Bndblcdq.exe
        
        C:\Windows\system32\Bndblcdq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2688
        
        C:\Windows\SysWOW64\Biigildg.exe
        
        C:\Windows\system32\Biigildg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Bjkcqdje.exe
        
        C:\Windows\system32\Bjkcqdje.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        78⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bkjpkg32.exe
        
        C:\Windows\system32\Bkjpkg32.exe
        79⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        81⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Cjaiac32.exe
        
        C:\Windows\system32\Cjaiac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Canocm32.exe
        
        C:\Windows\system32\Canocm32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Celgjlpn.exe
        
        C:\Windows\system32\Celgjlpn.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dabhomea.exe
        
        C:\Windows\system32\Dabhomea.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Djklgb32.exe
        
        C:\Windows\system32\Djklgb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dlkiaece.exe
        
        C:\Windows\system32\Dlkiaece.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Decmjjie.exe
        
        C:\Windows\system32\Decmjjie.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        104⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        106⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        113⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 220
        114⤵
        Program crash
        
        PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5772 -ip 5772
1⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akenij32.exe

Filesize
80KB

MD5
81e8658b457b2eebbea78917e51b4517

SHA1
024935e2c607a405a744b4d95bd377af4e647af0

SHA256
28ee9c44ffc48fd638133cc03c5ac732efeb069cc63847fffb36423661764542

SHA512
ac44303df67ac2f3df676ddadb003dda69fd5fa1d611ce185d021dab5e89a648cbee78f19ecf45789388f636f8aff1bc133d50be0fb63affbab8f2fd7b3e17cf

Download Submit
C:\Windows\SysWOW64\Aqdbfa32.exe

Filesize
80KB

MD5
75afcde8957a2e252e48de81fd8430b1

SHA1
759972817b42a3ccd168798f7f3679dbfdb2a834

SHA256
09fb41dfd2d178eed0c2370ae43a79e432cb66fef25e8a7edc466a0cc66c3ca1

SHA512
7ff66cae5e1578e4418a45cab851214b8f745b3c95529816bab7aa2cf499bacbe7782dafb21e829ce21a9d5d55610667ecaec2334073558ef818475ed0e5b84c

Download Submit
C:\Windows\SysWOW64\Dlobmd32.exe

Filesize
80KB

MD5
ad4d5ee88d486fc7c893d6506617a008

SHA1
7c9d597dd27d70dba6d309a822e9e20afba7e1e5

SHA256
dd4ccc694d89eb483ceadaed01d485bd351d92ffb05fba9871de34b8d328fa67

SHA512
0c1d0b9d8801dfea25d0535fe4c8eecee3587a2387073e6741481d8c06b6a03982d4ece57f07fc20ffc3a072cfb532f72a4756406b4283ab38dcc0f9232b05ef

Download Submit
C:\Windows\SysWOW64\Eejcki32.exe

Filesize
80KB

MD5
0222b484d105ee866e14bae4cf5ff748

SHA1
ff04e6174cc405aadbd08e610528ed4cf379306d

SHA256
a06620bdb1f4ce86e35e6bc7c23f347b67ad40c552ebd91c5f12a9605b575a3a

SHA512
0b8ed31ddb20c7f41aa3d2c7c873a28ebbd83566107dff8a0eaa6f15384b0c058bf47f2245eb5e8df6afbee70f7881f4608abc11baf07cb0036cfa3e7b756d85

Download Submit
C:\Windows\SysWOW64\Mdcmnfop.exe

Filesize
80KB

MD5
9ebba629101fa0a954c1b9ba53ca9fa6

SHA1
54dd46111468081109b0042c2b05b3b0c3409d2a

SHA256
6e829f9534980f9498608744819826b89f902395a74fb31fb1298e436ec8fa63

SHA512
e4adb0ecfb74c23098c65f1f18cdf18671d936883cc662bce749695ec221012c89dff838aed16c59ccffed109cf44408172c006b67a164af9cca9a2298a19bcf

Download Submit
C:\Windows\SysWOW64\Mhjpceko.exe

Filesize
80KB

MD5
0d2cbee21e5a6613347204da8ea06bb3

SHA1
5790cab364ca93f6babc64902cf1c23276f15af8

SHA256
6a4e1c8fbfba9d9cc2c92e8af9fb8f909b365eb179257fe6919780e13dd0d504

SHA512
4496cd7b0d2122b4d683325e26418f6f0f19aad92b90e3a0faf8227bb3a0ae1e97872d4b906a78b6581d733528efd64fa7099332aea75ca8575685073e352078

Download Submit
C:\Windows\SysWOW64\Mhmmieil.exe

Filesize
80KB

MD5
fdb7bcce09f4f262519dd6000f38de96

SHA1
5d4dc69b6f0f393c87315f57becb2cf080df31de

SHA256
da5f4a397cbece2c1522e5873815834294711ee56c7673810676231fcc1bc78c

SHA512
51276e96fb8615abd002073591e3438be347d65667ebc399c19f0327984604a9b1eeef2130f3c5187f4c8b5569238d89a71b2c5cf9d45f9ebcf2f60e1251acd6

Download Submit
C:\Windows\SysWOW64\Miklkm32.exe

Filesize
80KB

MD5
72ed0498c060afd1b55d271132a726e4

SHA1
4bf0c55b1d795d5e846c12efae6351b7b46444bf

SHA256
f0e7a6b9b24e9147228c2138c4fc5bb4fc366592a273b5adbbd11dc0d95c8233

SHA512
3da19a479e3f68e3b76484f2229cb8fd6631d7984be208abb832789e6f5eda806a6e9fe7685fb518258391978bf923a9dc8433c03cf5ba224e93de1d056ff3f1

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
80KB

MD5
51e702f8d515e6540db422ca228ffc60

SHA1
f11372c24cc250f76a818c60405fd4a5b4091d10

SHA256
7ff784d451be09402c9348808b634425f93446d77a69d26e78976e42fb179ad2

SHA512
1e038f59ba35254bafc6350219d6b535a48d76ef8a4f0e1afff491e31eb4d6f9b4895b859a670cd4625a71e77c4ecc136bad22831a444fbc8d014ed99deb3b35

Download Submit
C:\Windows\SysWOW64\Mpedgghj.exe

Filesize
80KB

MD5
bd6a491b5ac7f1b9e73ccda1510e869c

SHA1
6b6dad4e4f066f73b88d04cf6a93ee91f60d7367

SHA256
67ebb0efa0dbde11fbf765be223b635f4ec0e71dcf81949eca4bf7f0878c8bfa

SHA512
0596e0b50d0184180bb3d982070da4f65b2d51e81698613cb005aa8e8a9c90bc0151a45081c73631cc6341a5cf6856eb6f15082ce9f007883194ce41e7b8f1e4

Download Submit
C:\Windows\SysWOW64\Nagngjmj.exe

Filesize
80KB

MD5
6f91b1e032b0fddeea0389d58607eb34

SHA1
c7883062fc1e552ea160dd97ab8c853daf894466

SHA256
7fcf55877fdb2dd0ad9f3209a3fe9b5f3d6f687f139667f4952e1b60bd414fd7

SHA512
54dcb549836cc39b6e95087e0ed3608142f1f878905c023a4bc3d3413187c03f30fb5a8eab6ea84968ce14df7719e129e0c224758a072289eeca1116a8dbdb17

Download Submit
C:\Windows\SysWOW64\Nandhi32.exe

Filesize
80KB

MD5
66a0af66449d62e130bfec86bf3ae625

SHA1
63d6f15b6d9c239aed9c40cad03bd1ecde82d388

SHA256
00c46c055ae453fe54f9cad9916d34b85f1acbdf08e398cce47aeaccec2aa304

SHA512
70d4817f0c2fee8924b11c5b2628df00621d079ed3a401cb590cd3cc7310b75030cb579eb20c93aa37a668a273030acc7382b0bbcb6fe23e3863201442462b18

Download Submit
C:\Windows\SysWOW64\Ndomiddc.exe

Filesize
80KB

MD5
a9047e1fc50222d2f9607a13af8e5ed2

SHA1
1935c65f58f9f2cd38eb2f35d5ddd233dbc23b49

SHA256
d44bb5bb42e651c856bc92f80546f1a4001e01c8287497eab21771872a0e97dd

SHA512
b242e7d85681bf253f11270bfe9a6a4fd127f42dab872a165cf316d043079fee70f99eee81a7f30893b9e2e82d8547b9d8ade9f26ea6239050176fea9e6208d4

Download Submit
C:\Windows\SysWOW64\Nfdfoala.exe

Filesize
80KB

MD5
9db41232061c778151775f0358e6a9de

SHA1
61963fb7db903e840a8a9e48dcec0f44eb9ec72e

SHA256
936851876e52e67ba4fd71d6bde9c18d976352c5787d96fcf62548357e3a018e

SHA512
e2fbfeba29baab673aa65827ffbb52ed718e76bcc7a73a3bf41dcd23eeb2a1b30301c7bf0a6f7934b6e6f8ed5e8f900d8239bd750992e0ce7adcd4ebf623557f

Download Submit
C:\Windows\SysWOW64\Nffceq32.exe

Filesize
80KB

MD5
a26055759481dac3e8ba838509f5a203

SHA1
19e1b96545f4e0174f3e67c407626d6eea8c742c

SHA256
f9e75fe03bcdf9c04359ecf147b1e35a8a0671636311a893bd5229cf0fe55048

SHA512
1f131e3f8906f564cba38e50c5c52cc53b120b499282cf336511e28e1b4a591d0aa80eeb80afde45c9b2aaa542c9f22ebcb15d70dde178cac0983886e4b5cb2e

Download Submit
C:\Windows\SysWOW64\Nhfoocaa.exe

Filesize
80KB

MD5
45a4803365ed1519dd11b550ebefff21

SHA1
40df0d69cc19013e1fabafd9a27cb1f627312fd1

SHA256
0490300ec291e2434dfb163e41a05c804f50e672c6aa1f98722fe066d2ecf686

SHA512
f727f596a3516338f266b6adbc6a444c88a83074533c64f74a89ab7cd5a84d17dc9764176f0ca91c5723e12fdb9d50b1a4a490859d9c963549039cbcf0f367c1

Download Submit
C:\Windows\SysWOW64\Niglfl32.exe

Filesize
80KB

MD5
35391c376f7f6ff1a618a3c9bfe1a1ff

SHA1
b72d445f9575b3ae87b4f803c473848148fd5c6d

SHA256
9db8a4b974b66fe1378c8566d8a8f7adf0114515e809312bbeb38052eca78e2b

SHA512
d41390bed03c83a63f60a12f952607bfe1a99a38098e4a06cfe58433d4a0d2e263fe2563bd07ba0567e453bd5d50dcf51847a8fedaee8ee38c8f89a379c9511c

Download Submit
C:\Windows\SysWOW64\Niihlkdm.exe

Filesize
80KB

MD5
e92e37123c465c188b99ae48a6d3714b

SHA1
5399cc2ffb01a4fb639f4617c58e93b9b52e1fcd

SHA256
d2978fce07bf1e65ba18d4b61f2d88d2ba9de3ab49b5311d2f8798880bdef200

SHA512
95d53025e08352078388aab530f734c0398859c14e0bddaa0db105275cf8e03bf8ba003aba298115c5c25ea5ba36f32ab7dd5fc629f3a0b3c7e13985681b6383

Download Submit
C:\Windows\SysWOW64\Njmejp32.exe

Filesize
80KB

MD5
1c8503ed8c071d947ecb3c17061b274c

SHA1
010d4dd2bf605f2ebc8c9099dbe59f7e727f11e2

SHA256
f6c69c1f8b099a3c7f1bf028dd0a15576096f018656dfa591e7a9501dfb530a1

SHA512
9473987a2ee8a33341c0e3fb439836ac1bd697a36273e06841503b02ed0f6578f8f1cf0e3dd284ed39efa90952142496fb31b575f21f0696647b385724f373d7

Download Submit
C:\Windows\SysWOW64\Nkghqo32.exe

Filesize
80KB

MD5
82263c48020a8be60764ebc3b1c7fbd8

SHA1
fd12446ebb568b032fb72da20d8d470325a530bc

SHA256
1486cb47dfee16ed13fda4ce76849a0d907de12fd07378aef1946b9417f4ac16

SHA512
b26bea8eded889052e1bcc7ab2597bb3b8f9cc2805d39466a18b50effd483dc4f62c83c48ef4425b98893ef8ddb39ef2694b8cc9a52ec29aab61e282bf9e9f40

Download Submit
C:\Windows\SysWOW64\Nmnnlk32.exe

Filesize
80KB

MD5
989e6e464b4749f128ae0628ed0e956f

SHA1
24862f14b7ee8c4c1f8a7e81e260ee2b71dc12c1

SHA256
3382aca7dde2261b3d5778ba5c458422e0adafc9c9db679cc3864dc6b8fed956

SHA512
ae4ce2a52a8bfec9e89c396c6d5dff0690fbb1153fe905386a5b7078a288e2e62a853662f3921fe747e2770a4491ecd282f90f2f1994820fae3b03ea1d3d19b0

Download Submit
C:\Windows\SysWOW64\Nmpkakak.exe

Filesize
80KB

MD5
5fd05f720e7f0fcde635f089501127ef

SHA1
de884700937ef2d963c02ef6c08cbeb6dfc44c71

SHA256
f95d877558d614236f3b759e40aafd03426fb2587b28c80d3c3567cb352bc794

SHA512
db5b20863ca81fe65f25b8c2b0e060dec9a6d3161a13634cad82fa880d6c59215ff1d7236b552335bc43367d6f84b358a3157f5327ad73b0ef00a4f9ab420bd0

Download Submit
C:\Windows\SysWOW64\Oaejhh32.exe

Filesize
80KB

MD5
ad98afe67e8efe709a97894e10926263

SHA1
3456915fa20b92c604fccce803cff28022c18ffb

SHA256
aac6826cb3e1453c088bea380ab6f6f9ee227364b0278d9cc9d2cee77720d709

SHA512
8c6d2f1e6b7e177cf3f01fd0265cef945ce9715486832099ad30328396cb26f89d5ede4db6446dca8f513c898ea6b8c9ba37febe2c52e311da2c9903f9bfd16f

Download Submit
C:\Windows\SysWOW64\Oalpigkb.exe

Filesize
80KB

MD5
ac06c7ba2be6d5622bc96b01cfbeceb3

SHA1
6f1ea2d74d70f4e2ae2901177668ca107a139e89

SHA256
96f5d795fe8edaafe9e1ccb7a137275c8a8e7c4857683bdcfdec6c2986679b10

SHA512
2d9a2d53ec26e1f96a561db9377d93d5bff1670e4cfe40f1731da02c439d325d46e253ee10efd6cff7d097503d4beabc1cad895ac031c2479ac8c92544269e5f

Download Submit
C:\Windows\SysWOW64\Odhppclh.exe

Filesize
80KB

MD5
1fd2aaea29837e8ec2e990ea5d563fdf

SHA1
85789e108fbfdd9979bcb49ddf28cc748b38ec0e

SHA256
5ef6cafeca8cc86073651abed477a19ae29846ee8254a6508319ef4a6c81a6ea

SHA512
73ba86432d2d1d9b397251be0f740fd24b72dabaf716fa97be30cb85d4ecc3fa9315c0d72fd0b0a265f9a13a32c0300aee188f1ae8b0a28d49a6ce6f8a9b0ace

Download Submit
C:\Windows\SysWOW64\Ogbbqo32.exe

Filesize
80KB

MD5
960827ca8e1a33ba03f9e15028a88e92

SHA1
d182459a787dd70f34bf9f7cf899febfcd7ffd81

SHA256
6751a5efb0da5acc1c1168880349e70418f3771e2195da7f62bde601ce39d174

SHA512
e0a6710f50177f21ae82a712facb8eba99493c778efe563cd657115125355a17c13d82b6f9412d514736823283213bf054c9248498258177f3a5c490bc128511

Download Submit
C:\Windows\SysWOW64\Oileakbj.exe

Filesize
80KB

MD5
d576647478e5cca7bc97ee25710f566b

SHA1
8f6ccf57832594f466145549dda2232a20a24be9

SHA256
4df165b4162f824569d183b2c8afd88b12a9474ba7f0d3e0c1c87b45b461cc50

SHA512
6f5f205b94d03d2d4862b0f41d3659652f3a9215dea5f39634fab4d2c27bde0ce1b1ca60df730452f8f42120f40d6f0bdb552079c6e482564d64e5260c94b237

Download Submit
C:\Windows\SysWOW64\Okbhlm32.exe

Filesize
80KB

MD5
618b712d3c9ce792e6e27bc122a50d55

SHA1
16b9ecf4b90174fde3bcb25e7f8d0cb1c18d5b86

SHA256
83eb07c386229ddae68aa18260e0ad7e2a01b3924a24f31df20b03a0feb74a2e

SHA512
2dca14bc46884cb4b08dad8f6cb9c4f3e7b0682292194ee88ab29482eb46f8906441634604fbea57e38165d294eb0fa79d1676392dc4d5f59c2673eb7e7ef508

Download Submit
C:\Windows\SysWOW64\Okkalnjm.exe

Filesize
80KB

MD5
6feb80b11736f5ce29c494cfd0ea78c4

SHA1
042b2c138e20e502e072fc6406513b428f21b938

SHA256
7a0a6827aa9cedcda91129b49001ebda5bad98506e3ff2634dd9ab18f6858ffb

SHA512
9bf14cd6b0bd2c4e31f3b0dc1ed44fd03615b53c976cb3ef6a8e20685900ee2f4abe893240b0971d9e29f41773bc4c31675d4d81acac9c6a0637e64e0d11847d

Download Submit
C:\Windows\SysWOW64\Oknnanhj.exe

Filesize
80KB

MD5
ad51f8c275e04b02c9fc08699c0fc9ac

SHA1
e03223235bbaaeefe9c36325bbceddbb35fd9bdd

SHA256
0504d843e134133687e33ed507e03e03058c9c8636386fbfb0dbebdb8bb46b9b

SHA512
4bac7d1cd004b25d96153c45098fd18aa205745cb06057b107e37a1773dc2eb820ff7e419886f28d35d87adf74a07cecdd87c8a438cc993cd82ad325f9d9ce10

Download Submit
C:\Windows\SysWOW64\Okpkgm32.exe

Filesize
80KB

MD5
d385b3dd62d0b731f89ea06b9ab94ba8

SHA1
de34bc2fb356ea9f3adf5f1611e127e72d042a49

SHA256
07dd679d7723904fc57e3ef3199ecab2e4f0e43b3286ebff5f90bafc84df4f04

SHA512
4448db9a3f3b9828d7231e119f94b30ef75d53de54dc7b4eb248f9347f0cdb4a72c9492a9a07a46d794e761dccfb61c4e11dc69651c47fc053900c50ed40cc5b

Download Submit
C:\Windows\SysWOW64\Onngci32.exe

Filesize
80KB

MD5
2689a0147d73f21144cb4d24873f4d91

SHA1
bd6d325fa9e9a4c84ddb7e114964c0ae19ebcc48

SHA256
6a53a58d1acc7e595807555b4d6df72bad43d8d8ba3c05965b70b23c08832a80

SHA512
c149adc84a59d18e0489fcef28465fd57b3025fcf127316054b3fc2766da60e1da528dc3722e850b9eb9339fd5706ca9450c6d26fab49fa10b974dde1fb09973

Download Submit
C:\Windows\SysWOW64\Opfnne32.exe

Filesize
80KB

MD5
67c72532b3448f7086c902147391d5dd

SHA1
bc162fe2f42fff254e3ffe987a39673bdda8c62e

SHA256
39db4124af241e8bafce061ed0742e80fb4e2ebb1168b87f434763c439a94c79

SHA512
54152579af44f14fb0a0c0575d14f84367046876474c863328274494a3fa1bfd8fe0500278ea6ca616f4a210593b79ebb96b57fc06531f104cc178512924e007

Download Submit
C:\Windows\SysWOW64\Opjgidfa.exe

Filesize
80KB

MD5
9399ed3154fee61df9fbf8aee1158baf

SHA1
a9832693e767b78199a995ceb5363a9d62ba3451

SHA256
fd1c81e703ed3c3e74ac2daa27926fb5b4364e43fed70eda4579c3d47d9bd404

SHA512
9e3470247ec79c431602c1a2e1a2b080a273f3cf179d2795fbdab3cb7e19ea8f1e8862e6420eec49a26ff9a09828c94985455a7469d6a31fc410b80edfb0c827

Download Submit
C:\Windows\SysWOW64\Pgihanii.exe

Filesize
80KB

MD5
c0a55245e71c3e12d686f96ef08c67c2

SHA1
7f6aa26795f48e07e20d5845747955102ff28769

SHA256
1b5e4c104fe0f0bf20af0ed33e59fa001f97f5afb59ed40c7a10a565e6fc2c33

SHA512
fd7ac533e654ced3f2a75ee83b624b03607758dd8ed7191ce6efa78d54fd1ff5b5b2030ecc622109fb31226406040aba45553c1122f28f0696d021b9c5c78ae9

Download Submit
C:\Windows\SysWOW64\Pjoknhbe.exe

Filesize
80KB

MD5
7ed1fafd7ab8daeaa72da8fbe92b32d9

SHA1
306e41af58537fe0fcd2a47b68830285ce82035f

SHA256
f327bad84d5fea4e1cbf7b14a09d920a41996e091b81a4a551bb03f42bdbffc9

SHA512
b23cee5e4b2652e8dfd91bccdd5bd08ce86d580fc789ec7e2b64cd8720b7787a8ed99bbb7fc17f8bc1704fe0ce2aec6070b28eb09de16b9223aec4dde0dd7f2a

Download Submit
C:\Windows\SysWOW64\Ppamjcpj.exe

Filesize
80KB

MD5
3bd81a0d5c5563902d3e9a984ebdb140

SHA1
c2438e8f53a340f8275fb9bd062869abc6f66f57

SHA256
0e4cd2da7f879635048d931361535b83459b142b68ff8dc6f1631988da726229

SHA512
ca9e446518e11e2aca35de3a606e2e75b4bab8799aa6281fc88e3d7285639d38d13d4e7ac0cfc725ff72fb5a955a9ee130e6dbec2158096e35e977fad62fdb45

Download Submit
memory/212-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/336-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/864-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/960-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2828-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3304-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3904-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3904-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5104-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5128-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5208-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5248-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5412-547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5456-554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5500-561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5544-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5588-575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5632-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5676-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads