e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8c

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe
Size

56KB
MD5

1becd0547088c257dacb9b05a9ad7fe0
SHA1

cffea419f81698226dfdf4c5667cf502e6818934
SHA256

e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8c
SHA512

f74946fc7046572928121c8bcdcd953b452f652c732cf70f000db09e7cfaef864741db3583a92ea2bb4d2e4533d0eeb97efc447e3aca74e176f8cbf99b2fbb9d
SSDEEP

1536:l44YArPgtuKEZ6NWY6rYzkb6phN8y24EXj:q4Y2KEZ6Nz6sIacyBEz

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mabdlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nalgbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgabj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhlleeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlhlleeh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnnoip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejdonq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabdlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmiealgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjaiac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlobmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddokabk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpkppbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bndblcdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaiffii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbfaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnnoip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phkaqqoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oickbjmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgodjiio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjcfgoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbphcpog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkiaece.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dajnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbdano32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpfbahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejdonq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omlkmign.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opjgidfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiehhjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpmmfbfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calbnnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nalgbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkcjjhgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnghhqdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nieoal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Decmjjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmiealgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqkigp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjnbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdklebje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglnnkid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daeddlco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dilmeida.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkiaece.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oickbjmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calbnnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cejjdlap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Decmjjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlobmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppffec32.exe

Executes dropped EXE 64 IoCs

pid	Process
2188	Mfmpob32.exe
3128	Mabdlk32.exe
1684	Mfomda32.exe
2304	Mmiealgc.exe
2160	Mhoind32.exe
3088	Nipffmmg.exe
4512	Npjnbg32.exe
4016	Nfdfoala.exe
5000	Nmnnlk32.exe
3556	Nhcbidcd.exe
4068	Nieoal32.exe
4988	Nalgbi32.exe
5060	Ngipjp32.exe
1680	Nandhi32.exe
1068	Nhhldc32.exe
4248	Naqqmieo.exe
2020	Okiefn32.exe
2556	Omgabj32.exe
3080	Ohmepbki.exe
3688	Oaejhh32.exe
3736	Odcfdc32.exe
944	Ogbbqo32.exe
2120	Omlkmign.exe
4244	Opjgidfa.exe
440	Oickbjmb.exe
4632	Oajccgmd.exe
324	Oiehhjjp.exe
1456	Pdklebje.exe
1748	Pjgemi32.exe
3460	Pjjaci32.exe
2268	Phkaqqoi.exe
2404	Ppffec32.exe
32	Pklkbl32.exe
3252	Pddokabk.exe
4388	Pnlcdg32.exe
4236	Qpkppbho.exe
1736	Qpmmfbfl.exe
1332	Qkcackeb.exe
3600	Ahgamo32.exe
1600	Aqbfaa32.exe
4588	Aglnnkid.exe
3756	Agnkck32.exe
2672	Agqhik32.exe
2512	Aqilaplo.exe
4336	Agcdnjcl.exe
3748	Anmmkd32.exe
336	Bqkigp32.exe
4660	Bnoiqd32.exe
4060	Bhennm32.exe
3352	Bkcjjhgp.exe
1048	Bjfjee32.exe
4008	Bhgjcmfi.exe
3104	Bndblcdq.exe
3240	Bdnkhn32.exe
2200	Bnfoac32.exe
1116	Bgodjiio.exe
3888	Cbdhgaid.exe
4300	Cqiehnml.exe
1452	Cjaiac32.exe
2496	Calbnnkj.exe
4448	Cjdfgc32.exe
3436	Cejjdlap.exe
1820	Cbnknpqj.exe
1372	Cgjcfgoa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nmnnlk32.exe	Nfdfoala.exe
File created	C:\Windows\SysWOW64\Pjgemi32.exe	Pdklebje.exe
File opened for modification	C:\Windows\SysWOW64\Dalkek32.exe	Dnnoip32.exe
File created	C:\Windows\SysWOW64\Bilflj32.dll	Dnnoip32.exe
File created	C:\Windows\SysWOW64\Jjqakeon.dll	Npjnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ngipjp32.exe	Nalgbi32.exe
File opened for modification	C:\Windows\SysWOW64\Qkcackeb.exe	Qpmmfbfl.exe
File created	C:\Windows\SysWOW64\Dalkek32.exe	Dnnoip32.exe
File created	C:\Windows\SysWOW64\Ngipjp32.exe	Nalgbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbbqo32.exe	Odcfdc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjaci32.exe	Pjgemi32.exe
File created	C:\Windows\SysWOW64\Cbdhgaid.exe	Bgodjiio.exe
File created	C:\Windows\SysWOW64\Nhcbidcd.exe	Nmnnlk32.exe
File opened for modification	C:\Windows\SysWOW64\Nandhi32.exe	Ngipjp32.exe
File created	C:\Windows\SysWOW64\Bnoiqd32.exe	Bqkigp32.exe
File created	C:\Windows\SysWOW64\Dnojon32.dll	Djmima32.exe
File created	C:\Windows\SysWOW64\Ibkonk32.dll	Agnkck32.exe
File created	C:\Windows\SysWOW64\Cjaiac32.exe	Cqiehnml.exe
File opened for modification	C:\Windows\SysWOW64\Mfomda32.exe	Mabdlk32.exe
File created	C:\Windows\SysWOW64\Ljeeki32.dll	Nieoal32.exe
File created	C:\Windows\SysWOW64\Oickbjmb.exe	Opjgidfa.exe
File created	C:\Windows\SysWOW64\Olikhnjp.dll	Oiehhjjp.exe
File created	C:\Windows\SysWOW64\Agcdnjcl.exe	Aqilaplo.exe
File opened for modification	C:\Windows\SysWOW64\Nmnnlk32.exe	Nfdfoala.exe
File opened for modification	C:\Windows\SysWOW64\Nieoal32.exe	Nhcbidcd.exe
File opened for modification	C:\Windows\SysWOW64\Naqqmieo.exe	Nhhldc32.exe
File created	C:\Windows\SysWOW64\Hkheeg32.dll	Ahgamo32.exe
File opened for modification	C:\Windows\SysWOW64\Mmiealgc.exe	Mfomda32.exe
File opened for modification	C:\Windows\SysWOW64\Agnkck32.exe	Aglnnkid.exe
File created	C:\Windows\SysWOW64\Lelncp32.dll	Pklkbl32.exe
File created	C:\Windows\SysWOW64\Hkkofdlq.dll	Aglnnkid.exe
File opened for modification	C:\Windows\SysWOW64\Diafqi32.exe	Dajnol32.exe
File created	C:\Windows\SysWOW64\Llbndn32.dll	Cejjdlap.exe
File created	C:\Windows\SysWOW64\Mfmpob32.exe	e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe
File created	C:\Windows\SysWOW64\Kmbniiil.dll	Mfomda32.exe
File created	C:\Windows\SysWOW64\Eonjpqid.dll	Ppffec32.exe
File created	C:\Windows\SysWOW64\Qpmmfbfl.exe	Qpkppbho.exe
File opened for modification	C:\Windows\SysWOW64\Agcdnjcl.exe	Aqilaplo.exe
File opened for modification	C:\Windows\SysWOW64\Eldlhckj.exe	Ejdonq32.exe
File created	C:\Windows\SysWOW64\Jnbecgdc.dll	Cqiehnml.exe
File created	C:\Windows\SysWOW64\Emldnf32.dll	Dbphcpog.exe
File created	C:\Windows\SysWOW64\Dbdano32.exe	Djmima32.exe
File created	C:\Windows\SysWOW64\Bkcjjhgp.exe	Bhennm32.exe
File created	C:\Windows\SysWOW64\Hinklh32.dll	Bnfoac32.exe
File opened for modification	C:\Windows\SysWOW64\Cejjdlap.exe	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Edcijq32.dll	Dgaiffii.exe
File opened for modification	C:\Windows\SysWOW64\Pjgemi32.exe	Pdklebje.exe
File created	C:\Windows\SysWOW64\Bnfoac32.exe	Bdnkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Agqhik32.exe	Agnkck32.exe
File created	C:\Windows\SysWOW64\Igalei32.dll	Anmmkd32.exe
File created	C:\Windows\SysWOW64\Bhgjcmfi.exe	Bjfjee32.exe
File created	C:\Windows\SysWOW64\Jkohjl32.dll	Bhgjcmfi.exe
File created	C:\Windows\SysWOW64\Dbphcpog.exe	Cgjcfgoa.exe
File created	C:\Windows\SysWOW64\Heckkb32.dll	Nalgbi32.exe
File created	C:\Windows\SysWOW64\Cnkdbl32.dll	Omgabj32.exe
File created	C:\Windows\SysWOW64\Ogbbqo32.exe	Odcfdc32.exe
File created	C:\Windows\SysWOW64\Ckdiqnel.dll	Bnoiqd32.exe
File created	C:\Windows\SysWOW64\Dlhlleeh.exe	Dbphcpog.exe
File created	C:\Windows\SysWOW64\Dlkiaece.exe	Dilmeida.exe
File opened for modification	C:\Windows\SysWOW64\Nalgbi32.exe	Nieoal32.exe
File created	C:\Windows\SysWOW64\Bgodjiio.exe	Bnfoac32.exe
File opened for modification	C:\Windows\SysWOW64\Cqiehnml.exe	Cbdhgaid.exe
File opened for modification	C:\Windows\SysWOW64\Cbnknpqj.exe	Cejjdlap.exe
File created	C:\Windows\SysWOW64\Nipffmmg.exe	Mhoind32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5716	5624	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbbqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppffec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqkigp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhgjcmfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalkek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnnlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhcbidcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okiefn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnghhqdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdano32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nalgbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omlkmign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlcdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjcfgoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfmpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pklkbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmmkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdnkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhldc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naqqmieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpmmfbfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgabj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnnoip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkcackeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlhlleeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqilaplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeddlco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajnol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlmegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odcfdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oajccgmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgodjiio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cejjdlap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nieoal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nandhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oickbjmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcjjhgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bndblcdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgaiffii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlobmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eldlhckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjgemi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoiqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhennm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opjgidfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfoac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjaiac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkiaece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoind32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngipjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjaci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejdonq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdfoala.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpkppbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgamo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calbnnkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djpfbahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diafqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiehhjjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mabdlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppffec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bndblcdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbnknpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djpfbahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlobmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknbhdmb.dll"	Ngipjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdiqnel.dll"	Bnoiqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgjcfgoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dajnol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaejhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omlkmign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdklebje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqilaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calbnnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbndn32.dll"	Cejjdlap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnnoip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diafqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odcfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affgmbdd.dll"	Pdklebje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonjpqid.dll"	Ppffec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbecgdc.dll"	Cqiehnml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlhlleeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oajccgmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipffl32.dll"	Mmiealgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmiealgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglnnkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnghhqdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbphcpog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflfoi32.dll"	Dlhlleeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmiealgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nipffmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igalei32.dll"	Anmmkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqkigp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inepckml.dll"	Mabdlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oajccgmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbfaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnghhqdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlkiaece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfmpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnnlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqkigp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hinklh32.dll"	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmjnelk.dll"	Nmnnlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlbcolh.dll"	Pjgemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnojon32.dll"	Djmima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nieoal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbkjebd.dll"	Bhennm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Decmjjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmdccgi.dll"	Dlobmd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 2188	4704	e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe	91
PID 4704 wrote to memory of 2188	4704	e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe	91
PID 4704 wrote to memory of 2188	4704	e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe	91
PID 2188 wrote to memory of 3128	2188	Mfmpob32.exe	92
PID 2188 wrote to memory of 3128	2188	Mfmpob32.exe	92
PID 2188 wrote to memory of 3128	2188	Mfmpob32.exe	92
PID 3128 wrote to memory of 1684	3128	Mabdlk32.exe	93
PID 3128 wrote to memory of 1684	3128	Mabdlk32.exe	93
PID 3128 wrote to memory of 1684	3128	Mabdlk32.exe	93
PID 1684 wrote to memory of 2304	1684	Mfomda32.exe	94
PID 1684 wrote to memory of 2304	1684	Mfomda32.exe	94
PID 1684 wrote to memory of 2304	1684	Mfomda32.exe	94
PID 2304 wrote to memory of 2160	2304	Mmiealgc.exe	95
PID 2304 wrote to memory of 2160	2304	Mmiealgc.exe	95
PID 2304 wrote to memory of 2160	2304	Mmiealgc.exe	95
PID 2160 wrote to memory of 3088	2160	Mhoind32.exe	96
PID 2160 wrote to memory of 3088	2160	Mhoind32.exe	96
PID 2160 wrote to memory of 3088	2160	Mhoind32.exe	96
PID 3088 wrote to memory of 4512	3088	Nipffmmg.exe	97
PID 3088 wrote to memory of 4512	3088	Nipffmmg.exe	97
PID 3088 wrote to memory of 4512	3088	Nipffmmg.exe	97
PID 4512 wrote to memory of 4016	4512	Npjnbg32.exe	98
PID 4512 wrote to memory of 4016	4512	Npjnbg32.exe	98
PID 4512 wrote to memory of 4016	4512	Npjnbg32.exe	98
PID 4016 wrote to memory of 5000	4016	Nfdfoala.exe	99
PID 4016 wrote to memory of 5000	4016	Nfdfoala.exe	99
PID 4016 wrote to memory of 5000	4016	Nfdfoala.exe	99
PID 5000 wrote to memory of 3556	5000	Nmnnlk32.exe	100
PID 5000 wrote to memory of 3556	5000	Nmnnlk32.exe	100
PID 5000 wrote to memory of 3556	5000	Nmnnlk32.exe	100
PID 3556 wrote to memory of 4068	3556	Nhcbidcd.exe	101
PID 3556 wrote to memory of 4068	3556	Nhcbidcd.exe	101
PID 3556 wrote to memory of 4068	3556	Nhcbidcd.exe	101
PID 4068 wrote to memory of 4988	4068	Nieoal32.exe	102
PID 4068 wrote to memory of 4988	4068	Nieoal32.exe	102
PID 4068 wrote to memory of 4988	4068	Nieoal32.exe	102
PID 4988 wrote to memory of 5060	4988	Nalgbi32.exe	103
PID 4988 wrote to memory of 5060	4988	Nalgbi32.exe	103
PID 4988 wrote to memory of 5060	4988	Nalgbi32.exe	103
PID 5060 wrote to memory of 1680	5060	Ngipjp32.exe	104
PID 5060 wrote to memory of 1680	5060	Ngipjp32.exe	104
PID 5060 wrote to memory of 1680	5060	Ngipjp32.exe	104
PID 1680 wrote to memory of 1068	1680	Nandhi32.exe	105
PID 1680 wrote to memory of 1068	1680	Nandhi32.exe	105
PID 1680 wrote to memory of 1068	1680	Nandhi32.exe	105
PID 1068 wrote to memory of 4248	1068	Nhhldc32.exe	106
PID 1068 wrote to memory of 4248	1068	Nhhldc32.exe	106
PID 1068 wrote to memory of 4248	1068	Nhhldc32.exe	106
PID 4248 wrote to memory of 2020	4248	Naqqmieo.exe	107
PID 4248 wrote to memory of 2020	4248	Naqqmieo.exe	107
PID 4248 wrote to memory of 2020	4248	Naqqmieo.exe	107
PID 2020 wrote to memory of 2556	2020	Okiefn32.exe	108
PID 2020 wrote to memory of 2556	2020	Okiefn32.exe	108
PID 2020 wrote to memory of 2556	2020	Okiefn32.exe	108
PID 2556 wrote to memory of 3080	2556	Omgabj32.exe	109
PID 2556 wrote to memory of 3080	2556	Omgabj32.exe	109
PID 2556 wrote to memory of 3080	2556	Omgabj32.exe	109
PID 3080 wrote to memory of 3688	3080	Ohmepbki.exe	110
PID 3080 wrote to memory of 3688	3080	Ohmepbki.exe	110
PID 3080 wrote to memory of 3688	3080	Ohmepbki.exe	110
PID 3688 wrote to memory of 3736	3688	Oaejhh32.exe	111
PID 3688 wrote to memory of 3736	3688	Oaejhh32.exe	111
PID 3688 wrote to memory of 3736	3688	Oaejhh32.exe	111
PID 3736 wrote to memory of 944	3736	Odcfdc32.exe	112

C:\Users\Admin\AppData\Local\Temp\e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe
"C:\Users\Admin\AppData\Local\Temp\e897d59170f5685f1adf764d38ba2338241210371073002551c3afddb54efc8cN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\Mfmpob32.exe
  C:\Windows\system32\Mfmpob32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Mabdlk32.exe
    C:\Windows\system32\Mabdlk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\Mfomda32.exe
      C:\Windows\system32\Mfomda32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Nipffmmg.exe
        
        C:\Windows\system32\Nipffmmg.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Nhcbidcd.exe
        
        C:\Windows\system32\Nhcbidcd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Nieoal32.exe
        
        C:\Windows\system32\Nieoal32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Nalgbi32.exe
        
        C:\Windows\system32\Nalgbi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Nandhi32.exe
        
        C:\Windows\system32\Nandhi32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ohmepbki.exe
        
        C:\Windows\system32\Ohmepbki.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Oajccgmd.exe
        
        C:\Windows\system32\Oajccgmd.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Oiehhjjp.exe
        
        C:\Windows\system32\Oiehhjjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Phkaqqoi.exe
        
        C:\Windows\system32\Phkaqqoi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Pddokabk.exe
        
        C:\Windows\system32\Pddokabk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Pnlcdg32.exe
        
        C:\Windows\system32\Pnlcdg32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Ahgamo32.exe
        
        C:\Windows\system32\Ahgamo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Aqbfaa32.exe
        
        C:\Windows\system32\Aqbfaa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Aglnnkid.exe
        
        C:\Windows\system32\Aglnnkid.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        44⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Anmmkd32.exe
        
        C:\Windows\system32\Anmmkd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Bqkigp32.exe
        
        C:\Windows\system32\Bqkigp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Bhennm32.exe
        
        C:\Windows\system32\Bhennm32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Bjfjee32.exe
        
        C:\Windows\system32\Bjfjee32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Bhgjcmfi.exe
        
        C:\Windows\system32\Bhgjcmfi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Bndblcdq.exe
        
        C:\Windows\system32\Bndblcdq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Cbdhgaid.exe
        
        C:\Windows\system32\Cbdhgaid.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Cqiehnml.exe
        
        C:\Windows\system32\Cqiehnml.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Cjaiac32.exe
        
        C:\Windows\system32\Cjaiac32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Dnghhqdk.exe
        
        C:\Windows\system32\Dnghhqdk.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Daeddlco.exe
        
        C:\Windows\system32\Daeddlco.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Dlkiaece.exe
        
        C:\Windows\system32\Dlkiaece.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Decmjjie.exe
        
        C:\Windows\system32\Decmjjie.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 400
        85⤵
        Program crash
        
        PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5624 -ip 5624
1⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
1⤵
PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbdhgaid.exe

Filesize
56KB

MD5
3a266b8c9db3473162df23cbcfa29fab

SHA1
acdcaab1bb403eb7cc322738b1f5cd3090c5a963

SHA256
8e7324d9558dfda5d1e9b67e07587226a49dc4c9e26eb0eea0e9fb09c2fda09e

SHA512
35d363ad2c5d577422b2f6fe3dd451ac771a6fc03351079213e2f0b74fe4370547ce313f1a53d8b4f48392b8a41651dae4d7b230a931683462d770855dc34b98

Download Submit
C:\Windows\SysWOW64\Dajnol32.exe

Filesize
56KB

MD5
b0991e3cf57a72b8f04c00f5602c0736

SHA1
396951385b514baa55b27e802624f0bf5f2b40ee

SHA256
1c32af114901d9736056716c4585c83454825678441114cc6e0e5a3c1d03d821

SHA512
95718841c037051026e7bfb55be7910bfe73e82d40d240d2d6391765944d7c1424971a1c05641d292d1c14ff23ed8e3fcb23ca2cbb72f1d6daa9a1c28e1eca81

Download Submit
C:\Windows\SysWOW64\Mabdlk32.exe

Filesize
56KB

MD5
ece95ecc18eadf0c1a87c385cc19a366

SHA1
9308c7c95eec433bf530f2475f673677c09bd3ef

SHA256
d71769888a841c60519c37e49b8166c70428db8bce3ccbc2475c7a6e40258464

SHA512
666b099131f9c876bdf9f1b56f49cdefb941fdd1023540fde2b36acb41b1bbfe6e5aad8b2b160865b0c5289f19eb3bbdab562d2f679fadcd8cd3688c8a391254

Download Submit
C:\Windows\SysWOW64\Mfmpob32.exe

Filesize
56KB

MD5
d26f14bd14abff7c7fc512a7336e9e8a

SHA1
67b7cdd3b106b0f964a68e8db1724135e775b202

SHA256
46634e477f694e6d674b918f6de12a4664f0462fa68673263fd0eed8634dd02c

SHA512
73df028ad96eeabfd13831f4d4f6960bcfa26bf062ee1ff2b48774d80f20b0e2cf81b0f94329001be2f4efe2841460554ffc3811f70cf6fa43f20e872f0fe2cf

Download Submit
C:\Windows\SysWOW64\Mfomda32.exe

Filesize
56KB

MD5
66842ddc70a3ec95d0660ca92aa1c2e5

SHA1
4a6e4b1f89212821120280de480508217438c20a

SHA256
26fedfb65c670b052c47251a231667e113cd60faa688ed609583046bd39901cc

SHA512
4c8bab50d5b0f5c3119a7c3f028289b19f30c0b67e116031b44dccd4e472f6b7d0e1ebe1d4db60d52648814992657aff670c759f6d54d5250c6d485e4c589550

Download Submit
C:\Windows\SysWOW64\Mhoind32.exe

Filesize
56KB

MD5
6189bf8e5fdd69bf63f6c9ab9eb00059

SHA1
fb2d5815660caec6787665f2d33a867bdf2f5f26

SHA256
843204c302047449c5b7c296f03837d179f47ef242e256746dc2b075a08227aa

SHA512
f620f2e0bcfb1bbe06e5e47221fe6153eb3a72929f6472c5b01cbc102011a06ae1d5b77e2966d756e5f8dea17caca5840bd16dbb94437fe68239344dd7e89c26

Download Submit
C:\Windows\SysWOW64\Mmiealgc.exe

Filesize
56KB

MD5
6c67f77ef7352df327995880b21cdd43

SHA1
3fe034cb6fa7c0cede0754eefa258531f42a71da

SHA256
221e635aac7716e99b9ea65e10c1c0345dddc050ea5e8403c78feb195760ca91

SHA512
64ffd926ae668d4af59520fc7876b91dac9e06a1b31305462872096b0260d8b0646983f90cd5cd7dc588e1525e45862729d8d35896c1e2da050b4789ec4ae220

Download Submit
C:\Windows\SysWOW64\Nalgbi32.exe

Filesize
56KB

MD5
c03e6fba3550294e82fe91a22c21fff5

SHA1
2079152558e74bf67e066ad3061e79e7b537b118

SHA256
c0b72d0e63adc0ff533864f1d84802a2c41cd80f763c7a698ba70c855a739950

SHA512
b785f8c1d46ef53d9f63072985ee34db2d0bef3f44562522ebc37ccf7481c683cbbac705065e8301ca17de5db58448539d95b9f7cb489168686642119a706ac7

Download Submit
C:\Windows\SysWOW64\Nandhi32.exe

Filesize
56KB

MD5
9c44811677bd52a3fb464192bf1638be

SHA1
bb35c0f143c482542ccee80159d67a34c29524f5

SHA256
eb7594a55d2d106e7302307bbccc7d520f9a26b25ba4c8b49becddc80f72f36c

SHA512
f997bf281c1e3c9f880d12057d668a0a5de61a47ac025d95652e939f542cb0902b1150b99ad7a78d8e717f894bc652ec4db0b97e378deb8e762608a3dc5e0a29

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
56KB

MD5
713050b3bfbf42b49abc6c788ea12ba5

SHA1
2f244b2685a9bc04682760a1778e0e1f1c44eb8d

SHA256
650cbed8b774b4981119e7b1d6bcfbca6783b170ad4291e095f57f2b79880dad

SHA512
d9ad1fde0901e7df310f4e44f7676cb8fc030fe70488bfafb742dfa231ec9aaf824c90753b5d2ee16f46a5aee7b6d25505d7c6895cbcef5cb3a95dda5ab09bf2

Download Submit
C:\Windows\SysWOW64\Nfdfoala.exe

Filesize
56KB

MD5
9cef4ad10a44795f7804beb46ffdd2b9

SHA1
12af7e821ae691c8c7f2a6de2eae2a68c40b0829

SHA256
81d94402ed0935a3a01faa3d42039c7ca5e3cb5ee23f8f1ad732dfebafef8123

SHA512
963aa4f234ba105ec7beee442da9c37d0be3edef65faec0bb15d69cd8ca2e456aefd8493fbe412aeafa0ae9e7b5c68b3770e196cbdf417b1c7b183c56842a702

Download Submit
C:\Windows\SysWOW64\Ngipjp32.exe

Filesize
56KB

MD5
78d06925b4b345bd8363acf87437e26b

SHA1
4c70ff43c25053c647b52fdc06d129d55968f626

SHA256
30b97d153b98a65561f572746e106ec4d02f8a2cc16632f567e57f02248849fa

SHA512
277b546277b2a5c822297dec455e5eb9bce5d367d742925fd59b41332f4ade0404e92da87665b6bd52a10c700bcb985c203311298d976b1374178058c8382492

Download Submit
C:\Windows\SysWOW64\Nhcbidcd.exe

Filesize
56KB

MD5
233954310dcdb021c69baef45ae9f8d2

SHA1
f73fd1d4fa41b4681c4887742d6e3db97a403a58

SHA256
807a191c572073b8fdfe164dd27a061112614f4b6939b0922330f452330bbd62

SHA512
ead98e14765c838c3733ed4229bf5614476ceefa68dec0382d321ecf9bf313de0ea13f6ec066640a81b4fadcea01cc5cedc10eba55063dfbeb9e4be7fc061f07

Download Submit
C:\Windows\SysWOW64\Nhhldc32.exe

Filesize
56KB

MD5
55860e67b34c5eb4ac1256dc191a7821

SHA1
9a38eb283eee023280340e6c07c6b99685b5abe3

SHA256
4a2cbaf579472bc62e291e0a3a6dc7b8cb2035f582fd4970393b870c0fb55724

SHA512
4a69070fa06fb8972af8eb07b2c5e93a097527005aee49cad553606465065a26c2fe9477de27affaed6b5e69af1e2f1073b38440a4c70aa5a4e70b7ac0217a8b

Download Submit
C:\Windows\SysWOW64\Nieoal32.exe

Filesize
56KB

MD5
d979f89304ae2934e6458d841d57ff71

SHA1
e45e7bed3d1ab730a53d90ea32740c70b48ddece

SHA256
9f57317f8316864e444c0baa87b2585a1ff86c6887ed522cde26ba7a271ec155

SHA512
c3c48c93f1d0d6bfaf2b6193726272d64b58a8c82013950c4086441882fd0d5b720a435e8fc6ce4c9117c0ee4d2a4730adbc6c5a711e09c9c79c4e6281da36f6

Download Submit
C:\Windows\SysWOW64\Nipffmmg.exe

Filesize
56KB

MD5
dabfa4f4c8ab76b4e275d8a5275e02a8

SHA1
c32940de91a0a24df44ed56ca757f77d445ba25c

SHA256
af46930c0851fe2dbd3d53f3b72500280c5328bdfb64bdd2e14231d46f0759a8

SHA512
bff72ad2b1a4f465cb883b2a4326a616db2d0807e2df8d0fbc227fdf4650fd29f59442b75d0eeb891949f12ba4dddfaa01bbea13da420833998cda5034815fab

Download Submit
C:\Windows\SysWOW64\Nmnnlk32.exe

Filesize
56KB

MD5
8577be0c082187c874ebab1e12149a70

SHA1
73128478be372da11f1408c55116122c35397d6f

SHA256
e312a420227113ce4bd1b9433102188cc58699449eaf157cfef44c626e1747e2

SHA512
6785621ccb003143574798d617e0a668caf42891ddf46ea4803011448a02a49f921345d8ef1b01daef30f614fa56e2cc803721a563a9422dd8480474f3a83c61

Download Submit
C:\Windows\SysWOW64\Npjnbg32.exe

Filesize
56KB

MD5
d758c3e492967f791bfb2713c6009bba

SHA1
6707323ff056c0d67d0bcc36e967ff076691a8d6

SHA256
83dac2f8b642c8976b9aab928a6cc7490218bbc6dcc2a75173884c0a38640407

SHA512
ea201cfa7eefc30e4f4a0ddd7a0547f7965f9ddc39b32e48674dc97bf7d98e4814b38be3d3ea60149baeda78f12214058348b3704ce3d5f190d6b641cc6dc507

Download Submit
C:\Windows\SysWOW64\Oaejhh32.exe

Filesize
56KB

MD5
819a2060f85281eb2ffad3055fa30c02

SHA1
c62b78dd5de07cd602b9d57badeaa0a6ebeedd8f

SHA256
07da2d59635a4a34ca7c6efb0c3151350cbc3909daf58de3d930143001f83f9b

SHA512
3b5b48b538f8001b95ab21731b02675c609b5083afb851d62a06a219e4a1ba5b7f52a66f66cf6b632f0f2017cc39efe684c6f352103f7cc523b430768ff873a5

Download Submit
C:\Windows\SysWOW64\Oajccgmd.exe

Filesize
56KB

MD5
ade2f1f4e21bfe941f6df91cf65b6e53

SHA1
066f03929b99ce023145e4b0d2cb5d71875bcd28

SHA256
16f5c4f4757bb819bf5070451ac4697be957eb462ca8848a7e3076761cb1ce24

SHA512
a5cae8975c1718165ac2dbef6dbb773c077fb1f4aa70ca88a73b838daab8934bb9a46e30d8266c2431b8b7960d840ba9e338a5b8320e4740ca119da3c200ade6

Download Submit
C:\Windows\SysWOW64\Odcfdc32.exe

Filesize
56KB

MD5
5e00e09992a6867f355c99edb7e89705

SHA1
c7aaa222035f9a901e8d35270a7e94d0a73007a9

SHA256
cd6dc48a0eec97bba6cc424ba76028fc1755baaf0916d1f872ae3dc3f0bcca4b

SHA512
79559f6e4faf0812babf9d72322bfc8f3e2c443d6b765daeb33e054a349590886ba0a7e6fdda05208f8c893fb1b8ca166455ced64f53ee57952a252a01b8b8ea

Download Submit
C:\Windows\SysWOW64\Ogbbqo32.exe

Filesize
56KB

MD5
4a29ace87fc2a107529de64e59f067ee

SHA1
9c89bee4a16c19a19e34199ca331562f561c4d85

SHA256
5bfb4fa70c0fff5a4d4883eec3f1bc5e7fd7a446d31c2165da40370d89a6fe41

SHA512
d24a45141854495739e8e1aaf4959c9a71caf1ca1942860ebcefea00291c00b3cf5c19f81f8c2f64861e3bee8b33395a01720eaccb78ce6c6530ff92a57df8a2

Download Submit
C:\Windows\SysWOW64\Ohmepbki.exe

Filesize
56KB

MD5
a7a1764b69c6a2da77854fc4afe2a45f

SHA1
d8bb2667352a02dfac9e96f9979a784c0f6a8ec4

SHA256
03d01266597aa7763d38654336af649a07ff212fba2c0616aeaefc7e29e4e133

SHA512
523c3f39c8bcb5c0e831a45b7418290bf091eb37f43663c0b65914104b929c13e95895537e0b38b799a9969321af6f47233f157663fc685723b62c72b3dc6a04

Download Submit
C:\Windows\SysWOW64\Oickbjmb.exe

Filesize
56KB

MD5
7fe9b7e410fd5cd4dec3d12aa01b2e8b

SHA1
505914956e4ca2444f91c431052c36c6394657e2

SHA256
eb45e088826810e6a62c0469b1a70463e742c136dddb21907799765c622cf1e9

SHA512
dafe75273a75778ed67c89597c25ec9745dedbfa1f81941d7e3dd62864bac5f04b84f5094498d284e6439f9da0daf79bd0b00bbfa81d674efd7479581ff0b3a7

Download Submit
C:\Windows\SysWOW64\Oiehhjjp.exe

Filesize
56KB

MD5
1a3597aa0dbd66f3c6f5a09dd96ae157

SHA1
fe98abe2ef916d23e77eb961d10dacbf337d1342

SHA256
d80e93124560a51e94cce086b2be4bad12bb58c32681ad2483227fec23de4c56

SHA512
2d904a93ddcaa7ebfd49d3bf4c39b8a8a3540b62471958e553f772d1f07052cf6da1a5ecb3e61e59c97001d2ea22dc44766de66c8a50f70b1ec7f256c15f7fce

Download Submit
C:\Windows\SysWOW64\Okiefn32.exe

Filesize
56KB

MD5
8e997c052a9572589b07dcf0d1efc079

SHA1
0619b4876ab68c5a7fb5086034108ad7c914b845

SHA256
349c4ea287cd819ad7c8df047e38a3e0ea1990c63705faf6c8fc5bb4945a92b1

SHA512
ca36d06614c871994942b201b5b99b70c5b641541fdecdca832b96ee5aad6471a44d9210300f94fa63993c032de2e10799f6332428cdbdd53130237672a39a81

Download Submit
C:\Windows\SysWOW64\Omgabj32.exe

Filesize
56KB

MD5
231f04374f217e5b39cdcaa45193870a

SHA1
a209acd1e3b31edb6f917e7a3270040e05332652

SHA256
766d54bb1d8bcf3de5c3448604663b45c33d907883be2cabca7ffff150f575ab

SHA512
9de9efddfcf0023a98d7ef18b114c80d9d66f7f6d8b80138ba1fcb2939e42c0fabee6913b2aa0a8bfeb90ea49945af3170ce3cfb7b0206a7277e8fb155979a2c

Download Submit
C:\Windows\SysWOW64\Omlkmign.exe

Filesize
56KB

MD5
82d03bf67ede793e003587e6b8e20db0

SHA1
ac8d2f23b1c44603473593294ab48e97df3e11ad

SHA256
e99301d6d71d159cb441c28babee04dd9f8eac8f58806b806734ffce0a28a5c5

SHA512
c376031c24f0b1356aa58360b5b449cc6a0b7224db7ca0b859f127503d93d03bf3c4ed06832cbe03251b8669556829d8501157b36166d8dcc73a674ddcf7e861

Download Submit
C:\Windows\SysWOW64\Opjgidfa.exe

Filesize
56KB

MD5
197c6f3545ec6127e235615c2b14fb4a

SHA1
bed7b295b5837bb5b882901ed6db18e08922bd72

SHA256
4ddc6d1d8c72e5fd94e7fb8bdfca15e44c69258a12c5fd4ca87189f27d350733

SHA512
21764dd708055a4caae72ba6bae5b4f8e1c811eb5d290b37461c865ac75c4bd68139de49a6d7babf09597ee6e7d5e2abfaa483cf31383d3c9ba51ef4403f68e7

Download Submit
C:\Windows\SysWOW64\Pdklebje.exe

Filesize
56KB

MD5
9a4a0c46db0b691d70ccba3c2626b46f

SHA1
bbf4bb098cde8eade3a4589db5090967e2bb2d81

SHA256
4addc0ffdd6aead479382abdc5ac554ae3e68ad9aefb2c93c919b1ca3cc0061e

SHA512
08ad5b84ba0f0275dbdbcbcd1c7a19c12070683f3f6ccd9a72d3363fe8724be10e59fdb04403f77c67f357eca7b9e899d3821bd1b9a63b9197741f7105701c71

Download Submit
C:\Windows\SysWOW64\Phkaqqoi.exe

Filesize
56KB

MD5
9bb13609229a805d452d0cf135586810

SHA1
c3e1e564ec72940f1c7ae54043e10906e7c3c6bf

SHA256
9a0b69c9d8f5f783bc11d9e4d5a7431f0a592e445ec4ad7dfde2641f79294e2b

SHA512
663609715c90c82ccd14e0aa6132bd52ffcca13d4c7487e48474e36f33a1ad5944f46b54e103aac4abe9b6db32aa1ba5b9abf2e1290db656bad9396175815f6c

Download Submit
C:\Windows\SysWOW64\Pjgemi32.exe

Filesize
56KB

MD5
58c2acbcb985d97308149ce1312c19e6

SHA1
11c8439705a4940e8fe13f093fbb8b07377736c9

SHA256
338f84413345227e4f8e53913693a06733cb5d6b23807aca150fa064846c1398

SHA512
269d93d877f0bdd7dffcc7ca1bb4c0fadebae12e05c421d142bb055445cce389cb279249741e0e1f62ea6e3b1878b79170b9f8c23b41b709c91f5619fe496878

Download Submit
C:\Windows\SysWOW64\Pjjaci32.exe

Filesize
56KB

MD5
5edd0bd2b4b2ded646f1459907ba0d87

SHA1
c91e50afb43bf561c7c165001829e1ff3fbab666

SHA256
73ec27e6cc74420aaa846726bbfe3427068eac8f20977c44875d1688289597a4

SHA512
d8d1ac50b95204749cf2893454d226f346d18529d955a447acd8dcebf8e5d977b969d21a60a976e8f0b258660e0ab3bcaf4bb0536719bb26d05bf173a62a78f4

Download Submit
C:\Windows\SysWOW64\Ppffec32.exe

Filesize
56KB

MD5
2561d8757ae1a41d8a5fa09c35d02044

SHA1
1635be1d723a28ae35a8816abe83d72efd4a3c96

SHA256
fafb5d3bb176fd8bc24aa6cf85102f036969309020133420bbd00242f7019256

SHA512
d3fc22fda75047d40a6a5ebded2a7282bfd5fddec9d123f1687468899273344e984b8c67386b313024c72590b6b7b1416a5dedc290f75a35f7d1ff53aa340aed

Download Submit
memory/32-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/32-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4704-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads