89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe
Size

318KB
MD5

4cd79bb9ecce52b5b9d91552ef0a8dab
SHA1

9747f78cb54746900239563f67fe01ac655ded32
SHA256

89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3
SHA512

84c801cf263d15dc551aae02c16dc330098b31698d405dd141197e09bfc83a67ca00d6afb3eb609be200b5bd33edb8393686e031f16844c2d91b6acedfefe133
SSDEEP

6144:efi6J9rhzFmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:6pLzwFHoS04wFHoSrZx8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe

Executes dropped EXE 64 IoCs

pid	Process
1492	Kikame32.exe
4428	Kbceejpf.exe
3444	Kebbafoj.exe
4524	Kmkfhc32.exe
5048	Kdeoemeg.exe
536	Kdgljmcd.exe
4896	Ldjhpl32.exe
2052	Lmbmibhb.exe
396	Lfkaag32.exe
4168	Liimncmf.exe
3332	Lmgfda32.exe
2340	Lgokmgjm.exe
4548	Lllcen32.exe
2912	Mgagbf32.exe
3756	Mlopkm32.exe
880	Mdehlk32.exe
1172	Mckemg32.exe
3232	Mpoefk32.exe
1956	Mmbfpp32.exe
3084	Menjdbgj.exe
4496	Ngmgne32.exe
568	Nnjlpo32.exe
1540	Ndfqbhia.exe
1412	Ndhmhh32.exe
4484	Olcbmj32.exe
3812	Oflgep32.exe
4104	Ocpgod32.exe
1652	Odocigqg.exe
4688	Ojllan32.exe
2344	Odapnf32.exe
2388	Olmeci32.exe
4404	Pnlaml32.exe
3436	Pjcbbmif.exe
4352	Pmannhhj.exe
4268	Pfjcgn32.exe
5064	Pqpgdfnp.exe
3712	Pflplnlg.exe
4288	Pjhlml32.exe
1032	Pcppfaka.exe
3360	Pjjhbl32.exe
1384	Pmidog32.exe
3836	Pgnilpah.exe
2956	Qnhahj32.exe
4932	Qdbiedpa.exe
2848	Qnjnnj32.exe
4276	Qqijje32.exe
4568	Anmjcieo.exe
4020	Aqkgpedc.exe
3820	Ageolo32.exe
1832	Aqncedbp.exe
2624	Agglboim.exe
4292	Ajfhnjhq.exe
2212	Aqppkd32.exe
4560	Afmhck32.exe
648	Aabmqd32.exe
3692	Acqimo32.exe
4320	Anfmjhmd.exe
3408	Aminee32.exe
2412	Aepefb32.exe
3832	Agoabn32.exe
1116	Bmkjkd32.exe
3956	Bjokdipf.exe
952	Bnmcjg32.exe
2012	Beglgani.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Kbceejpf.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4724	4620	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 1492	3824	89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe	82
PID 3824 wrote to memory of 1492	3824	89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe	82
PID 3824 wrote to memory of 1492	3824	89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe	82
PID 1492 wrote to memory of 4428	1492	Kikame32.exe	83
PID 1492 wrote to memory of 4428	1492	Kikame32.exe	83
PID 1492 wrote to memory of 4428	1492	Kikame32.exe	83
PID 4428 wrote to memory of 3444	4428	Kbceejpf.exe	84
PID 4428 wrote to memory of 3444	4428	Kbceejpf.exe	84
PID 4428 wrote to memory of 3444	4428	Kbceejpf.exe	84
PID 3444 wrote to memory of 4524	3444	Kebbafoj.exe	85
PID 3444 wrote to memory of 4524	3444	Kebbafoj.exe	85
PID 3444 wrote to memory of 4524	3444	Kebbafoj.exe	85
PID 4524 wrote to memory of 5048	4524	Kmkfhc32.exe	86
PID 4524 wrote to memory of 5048	4524	Kmkfhc32.exe	86
PID 4524 wrote to memory of 5048	4524	Kmkfhc32.exe	86
PID 5048 wrote to memory of 536	5048	Kdeoemeg.exe	87
PID 5048 wrote to memory of 536	5048	Kdeoemeg.exe	87
PID 5048 wrote to memory of 536	5048	Kdeoemeg.exe	87
PID 536 wrote to memory of 4896	536	Kdgljmcd.exe	88
PID 536 wrote to memory of 4896	536	Kdgljmcd.exe	88
PID 536 wrote to memory of 4896	536	Kdgljmcd.exe	88
PID 4896 wrote to memory of 2052	4896	Ldjhpl32.exe	89
PID 4896 wrote to memory of 2052	4896	Ldjhpl32.exe	89
PID 4896 wrote to memory of 2052	4896	Ldjhpl32.exe	89
PID 2052 wrote to memory of 396	2052	Lmbmibhb.exe	90
PID 2052 wrote to memory of 396	2052	Lmbmibhb.exe	90
PID 2052 wrote to memory of 396	2052	Lmbmibhb.exe	90
PID 396 wrote to memory of 4168	396	Lfkaag32.exe	91
PID 396 wrote to memory of 4168	396	Lfkaag32.exe	91
PID 396 wrote to memory of 4168	396	Lfkaag32.exe	91
PID 4168 wrote to memory of 3332	4168	Liimncmf.exe	92
PID 4168 wrote to memory of 3332	4168	Liimncmf.exe	92
PID 4168 wrote to memory of 3332	4168	Liimncmf.exe	92
PID 3332 wrote to memory of 2340	3332	Lmgfda32.exe	93
PID 3332 wrote to memory of 2340	3332	Lmgfda32.exe	93
PID 3332 wrote to memory of 2340	3332	Lmgfda32.exe	93
PID 2340 wrote to memory of 4548	2340	Lgokmgjm.exe	94
PID 2340 wrote to memory of 4548	2340	Lgokmgjm.exe	94
PID 2340 wrote to memory of 4548	2340	Lgokmgjm.exe	94
PID 4548 wrote to memory of 2912	4548	Lllcen32.exe	95
PID 4548 wrote to memory of 2912	4548	Lllcen32.exe	95
PID 4548 wrote to memory of 2912	4548	Lllcen32.exe	95
PID 2912 wrote to memory of 3756	2912	Mgagbf32.exe	96
PID 2912 wrote to memory of 3756	2912	Mgagbf32.exe	96
PID 2912 wrote to memory of 3756	2912	Mgagbf32.exe	96
PID 3756 wrote to memory of 880	3756	Mlopkm32.exe	97
PID 3756 wrote to memory of 880	3756	Mlopkm32.exe	97
PID 3756 wrote to memory of 880	3756	Mlopkm32.exe	97
PID 880 wrote to memory of 1172	880	Mdehlk32.exe	98
PID 880 wrote to memory of 1172	880	Mdehlk32.exe	98
PID 880 wrote to memory of 1172	880	Mdehlk32.exe	98
PID 1172 wrote to memory of 3232	1172	Mckemg32.exe	99
PID 1172 wrote to memory of 3232	1172	Mckemg32.exe	99
PID 1172 wrote to memory of 3232	1172	Mckemg32.exe	99
PID 3232 wrote to memory of 1956	3232	Mpoefk32.exe	100
PID 3232 wrote to memory of 1956	3232	Mpoefk32.exe	100
PID 3232 wrote to memory of 1956	3232	Mpoefk32.exe	100
PID 1956 wrote to memory of 3084	1956	Mmbfpp32.exe	101
PID 1956 wrote to memory of 3084	1956	Mmbfpp32.exe	101
PID 1956 wrote to memory of 3084	1956	Mmbfpp32.exe	101
PID 3084 wrote to memory of 4496	3084	Menjdbgj.exe	102
PID 3084 wrote to memory of 4496	3084	Menjdbgj.exe	102
PID 3084 wrote to memory of 4496	3084	Menjdbgj.exe	102
PID 4496 wrote to memory of 568	4496	Ngmgne32.exe	103

C:\Users\Admin\AppData\Local\Temp\89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe
"C:\Users\Admin\AppData\Local\Temp\89bbfe9ae6ca95c3f831714952c6739705c83091b57dd0d0e2123b3057897da3.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\SysWOW64\Kikame32.exe
  C:\Windows\system32\Kikame32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Kbceejpf.exe
    C:\Windows\system32\Kbceejpf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\Kebbafoj.exe
      C:\Windows\system32\Kebbafoj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        54⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        64⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        70⤵
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        76⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        87⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 216
        89⤵
        Program crash
        
        PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4620 -ip 4620
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
318KB

MD5
23420b2654cf094222247f1c539529aa

SHA1
5e436d271de41087a9ee14295d68790a03c061b8

SHA256
033250053d9acdc5e5a05bfc2740d9db6c07571d681f69fe9794cb2844a1109e

SHA512
5317aa9950b2b163014566464edcb43099a4229fdd3370297023236cc4c1e0983454e5e849b5b48bd3f4cf3a3f1b2b4a11753e1ba7fdc3300ab9bf834e7ae94c

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
318KB

MD5
fcb4dcf76a02a2cdb29669b9d736b3e4

SHA1
b58961999b7ae8082cb2058c8e69b7aa3533eb16

SHA256
9bbe9470e33102cf5dc0030b881293cf22c4ae0a070e33dfe141519fd4d4768c

SHA512
5d8d4c8e97dec641216ec0d7d7d7ea845fcc7562616ec2f91c5a8cd08fabc0e010ff6b4ad4a52a7a118f56ee49b99ea94fd0fc7e6827929ed5dec8ce6c3d5815

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
318KB

MD5
4ba8decfa2db1d040bfbd282fb34d869

SHA1
bcc029aacb24db144b243993b7ff941c153e8465

SHA256
bdf603a8e7ba1f3e9e3f80203aabaee27bb1905e959c038111d702a62d1418df

SHA512
fb0e4060748c6f98692e24140febcfa3c75bcfe1fdd2b117e35f45ff10e0b7cc341f2700d9b983d8a5c7c8ca3babcc5c31cd9febfa9df3d7320b2b96bb99f020

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
318KB

MD5
a4749dcefd65f4c22b070f43a0fbc02f

SHA1
017a8c963e5be1db9e525ba2438284834dfd1adc

SHA256
065a6358e2dd78a21bf0e5ac1a9e65b340adee6fac75a5efe6b8227ebb113b96

SHA512
cde97446bd347941122a79cd79fc4bce604893b212720e3b5a71b95f1eb3a418414edab47ec1fc43723f56b7d0c9807192efef11fbfc84495f5da50d889f71a5

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
318KB

MD5
e4cccaaa28290515d09a9c3047f22226

SHA1
83663c316034774fc8b4341312153aaddd7eeef5

SHA256
a0d75ff8f37e528afbe711ada6587fda226b9e7dab0fb85dd061f1b7c3c367d1

SHA512
586da4a81b0245c8ffca2ec501e2969f7a0c277925de9d5cae3ffffba41ce9702db1e6575a0732544a7c3a9e0a5919fdb788e9383813ecc2c977efeb933765fa

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
318KB

MD5
f5e1a3fe440e2b98eaaf7fb74ee986b8

SHA1
2944b0ac7fa37555e103c99ff6e5811353c2d315

SHA256
0a3deb9cbc80149727418b2169a8b7afcebbd5e2aab99f6fc431bba919c802d2

SHA512
c277ac74dc0943047046c008c22084ecde319b219be17bc86021a4b9865374dc8c36d37f051648d7055b146d88f38142b70b0a1506185f12c4cbac91fc8fe2df

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
318KB

MD5
9bcc8713ae4315e131999ffe72918703

SHA1
146f16adebacc6f3405e5a21cdcde58601f2d739

SHA256
bf4b61034e037eac6510e9ea01f6a16e1fd5b8d65c0ab54266848a55b40f49fd

SHA512
f1e8c99319d70c8838ba940ccebcf75afb5320fe061e6e6902a537b80b73f8c859f7867597fa0d836bbd8b90d282535e61c940ed0d4c4cee010cf29e1481f5d4

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
318KB

MD5
28a2f8e45e281b74a58d8ea921451276

SHA1
5d70d88b308edddda1e7163883142e049bab2761

SHA256
a08ac1b93069b9f2af6976f467a1d66667f33c3a0042529f89f8baafe917e378

SHA512
3eeaf24f8fb03c7b9ecb031b36c320fa172ee7fc58e43482237e70ae3b7e917214a280fdc5d01441cbd7f7f8f21d7b941b697055a9abc5ce4af4af2d830ac258

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
318KB

MD5
5b2d44cba1b78e8135e7bf34142ca204

SHA1
c3280d8362680dbea50843e2772579bdf816c72e

SHA256
67e980a09977ab97f206f4740ae5b98e558bd077ca9a10c106a8de2c41dc2b90

SHA512
a5461b76c41e5991a75755aeb3e06ec5a1c5cdfb94be4adb4971403604f225bfffff464b45286180d49edba3869b5929bd5fca935bf6fd604def648ea79a183f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
318KB

MD5
14086abd1fa6988848ce97b7cb7e2a8f

SHA1
b75e2b354f72928ca6492ce7be7aa1530499e820

SHA256
e34673da8545dff04ed7db5ea7dd83740f194ea0c15001f0e608f08d3588a987

SHA512
e073c66ec53134d0ffc2396105a614b85e27e68ac481ffdc087c1d539246cc02ef4739e53d9ebf255f45546c8c41eb3cb07b45d30e402029738f2e97957ceadd

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
318KB

MD5
8b8c8081f96b94df1cdf23278bf5c79d

SHA1
70956a51f1f8ed9d60ec88aa83c0b64e50ca53cc

SHA256
668e570a8bca3d0c873f029c7db29df1a7aa60d2ecaddbb0f6084d77a9c035e1

SHA512
09c44c21641017c57f659b1b1c0565cc64c9a32439b229d02d1642bc72b90633e5025def938e519c9b73d8b772d1ce8092b73f1c4d8badf669dfc3dcb5be13c6

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
318KB

MD5
85ef0c309e41d162c7d4ea262d99c7a2

SHA1
23124236d16c573e57641eae6934ed90aa74309a

SHA256
d5be32bcfe066dc1f1eedb0bbebf102e79626526d3a4d020d3f406d01f4ed8b4

SHA512
54759b0e0d8b5438904013a905022660492b2336d295dd9da9df83b80b434d889fcaf09210aadc05ab99fcdedfd7aabb40a726488929c47ecb94bd205f33e702

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
318KB

MD5
4cdfd79366d633d2c42aa04b71f583ef

SHA1
7648fdd8c3e8cb3866de495be7c111ccf5352ec3

SHA256
f220725f552b23939171a0d9468ec5ff8bea91a16a16f650e43a662a98859d33

SHA512
7cf42eb931ec5fd506e4872135bccd184a0a3d6920e5dda602789c2769760011b0e9c0acb8f46520168688cc7dafc01b8b3959c633752c969287344309f2af0c

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
318KB

MD5
0e8b7a3f9c60786ef3ace30a2cba911d

SHA1
47b6fd30b4f7e27f28ce9ee5e764a3b980c204f6

SHA256
309a50dc01b48939669207033f65a8ba905d6ff1ab30e9bf793f0c674aa6f86d

SHA512
2c2615255764f52a7c85680222b94e7e9d5ef60f9c7d21eeff49371ddf3a50efb5ec55c941a244e114505153707ec58254623487b573b85623308e22e83e633f

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
318KB

MD5
01789326bab212769a7d678cfc227253

SHA1
2030a708e6c7ba8667cce7c2a8c3955d994d0821

SHA256
bfe64710bbbe260b288eb1c290d307a0a99f1dc847c0f52a6e0f8a09b0f59cc7

SHA512
c595d4921580a42e9e550cc68ff4c4684c709b120fe82d35a4b74ea297a31dc240ab85da6b6c13bab0bcdf01c8f4e227c0cc6979472b2886764ef4995caecfa4

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
318KB

MD5
71ce663715c73b5f2e1c312308af903b

SHA1
0604abec82460252783f8733af2ad22810b2761a

SHA256
02d182917347d0e13f6cbe3d5c7de5081b9b364f10c60d53c98dd74c25f528c0

SHA512
82b3c2854757c508f6843a6bc36c904ae089c2751ca476cf1557699627997d60199f67c793756ae845357b4e59b017276f1ce3dd0aa8195fa02b11bb2a55ea10

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
318KB

MD5
7ca2a90f7a51bff9300d90c5041bce19

SHA1
39489525f22d300da0a575f6c23f93d3321802cc

SHA256
a8b9d971752e95d1c2e811ebfca32bb7664298e0ad8d42177a266bba3971cf81

SHA512
d45ad06fce4e4f41f03ff802f553db13387705fe7b3c2064120d83a48dec580cb87c21165a84fca4fa96086b232697b9ad599cceb06c328f454bf95fd3bc29b4

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
318KB

MD5
7c0af17ee8a5b16770c3faebd8b2d1d7

SHA1
c8ebbc1b884f1a1bbdd437eb9bc821b65738d33b

SHA256
c50d13fc35c83ae402950e647db57eb0fe91895294615c2b1ea0ed28bd6c38c1

SHA512
b417cba4ce384f9c59c7f977fa0376a7a01fc4b491fd391cd7997c233d2c6b04d88297ecac5798fe15c222d031d91e6121f905d64a71b0eb1fb5f683ce2ff97b

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
318KB

MD5
6864a1f1646e5044b2c15c5151a42470

SHA1
643f916dadafe360a8648312070c591e1143b7cd

SHA256
8caa4433cba9aece38f1cdbb92f6af748c4c2b4acd30184c8b0cb0269143ed4d

SHA512
3ae1d279187f6ddde7be299d9efcad34e16bdb71d25a8ffc689aa2094810fa60bfbf02c297a9dd2ce15049e0e215bb9418eb0934cd9d2ed952c10f1f171bb229

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
318KB

MD5
b75d6077668d97e52f0c14c57e58019a

SHA1
72c2772a6a8e7dfacd480025ee1002059fbf7ad9

SHA256
7a2f992515849676c1ffe5788f3c2f1634b3f5d5c69071cca5bf4e31d583bfa6

SHA512
93fab2fe1ea2a82ce6019dd9a43c4d259a11168fc3590562dc43725f5cbe3c0726f1c3bea93b2d1478644774e5102402dca5074cff536c1c6324060a02a57ba1

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
318KB

MD5
8b4b60dce45c61b8e671acf3da0b0ce2

SHA1
db3a93f5895043919f5c329320cf7654bece9038

SHA256
19aeb55314fef6b3c7907104086eb8ab42b4d516aecd35c352ce8df0ea47e79c

SHA512
eab69a9888fab16ea5170bbb0bea4d0045b62dd93b176be45c04f166210a4a54fc54699fcd3e1f4ee9c783e0d6d14cc7d443ebaee1d9f38e754c2e5d27d3a553

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
318KB

MD5
712d63d61433c71d8b9ad9309debc9f5

SHA1
5121ffe720e3eedf16817d3897c114215c167dbe

SHA256
47d3150c5afedbea705f6675df19ece170e4bac9811e20be431abb86857c293d

SHA512
402cf68e262890158493c4054513132cf4c9c8fa5ff6133da23fba3e364dbfc69cb5e61365a0b028a56b4858542c4640b3db3cc8a6d52b8da66d8a9fcabe2506

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
318KB

MD5
8893e676c9f4b195e0cb594c9fa7c888

SHA1
27e05befa0bb521ae96240982655a479a4f007fc

SHA256
bdaadf9e75e8504bc833e2da06a39f0c019c7fefbe4f7491db21ffcec580aa8d

SHA512
0fdfc8889beb714100e186a6f739c673b1b47d03f2a0abe9295dbe61ae95dcaed84d93b1f7a331e3648aea9ab2f42aec2070d0efe25f01dec145dc7543396563

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
318KB

MD5
0320248c75c94fb7bc4cd90680f8a2b4

SHA1
4e03d7851977ff671a2c521c253a6a22789da05c

SHA256
9fc1be6656d9933c6c9c01317ed5388c8a653c6beacb1ffd3d92cdb9c838f247

SHA512
6541db5ee3fcac4bbd38a0717f27d1968a42138e2ad05a621c0e1c8814f33b708aa869f8e449f81e59e1ce6046899c39fc66323901217e60edb23de29c7ecd1a

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
318KB

MD5
3160218ab5cc3f47d89bf3d0df662451

SHA1
410d51b3b30e618de5a7e3da28ecc020b849ca40

SHA256
53a0f438927309bba85642d204b416557aaa6e997c533a8bde4dcf9a376937e0

SHA512
5bb33712417b7fe753055db398d2441b4687e9826f0cdf68e9966f1373f12847bd82dfbc48bea308c61b8f581fbd59629b1c9fb15f3abbd637af0419fe1fc152

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
318KB

MD5
80929332157a38b8c6714098cb250cf7

SHA1
119f3867de411043d88ac539a193977be745512c

SHA256
30d2200d85251587f06e0099656490a43996bbd8095f0ad75a9133bda009c875

SHA512
288bec03cf9ffba0beeb897a1ea0ddc47ee6d802b6ed67078369de788888f0e4419a6c45bc11346393331fd80e6065769e19bec8572157cc1eaf69b9c4f681cd

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
318KB

MD5
19f1b51d307121c7abeee6f2820a98a3

SHA1
2df759906ff11d5d9e99d91ffdbecb12f3cb0ab0

SHA256
388dc0c65d970b01232e38add33607cd9ca172d06d7d022d27b726971a529647

SHA512
0817a83b14859e48892f0dd1a0ad60d072500b606ffe69395599f38bea59f81d42dc8729e34b78e9aa247f39c6de552219cee05f8581142bf9e39fb94727595b

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
318KB

MD5
e3b7352ebe84e6a7ccf4df1ce7d863ab

SHA1
db2a6eeca4a2cd8582d1e258b55dd7c8fb431902

SHA256
ac15a121c8853ae0f2d41adc5fe6430e2e740b8f0f59fb0ff132fc35c5f266c2

SHA512
d18f84cb4c8ae94d41b3911a9fd1822225af87b974c40de8223e7b27f5925276f3913416c2dea0aaee9ebefec5aefd8907c1111672d72b1cd70aeeb03879d26d

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
318KB

MD5
9e9b0f79ef92c03f472b4cc2cfeef029

SHA1
b2716e61b504930fc7b7f2286866e16f5b8e00ec

SHA256
99b5b29ab7857c349a26db2199c4d401eebb78722193710ab52e8062881fa5f5

SHA512
667f4be54e8965ba54fe69a0b1456c0cb4429384c2dcd925a2d1cc494b56a5feb64a0dceb20565f0b35472ad0af2b4d739cc848a982317474348bb30f1332d73

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
318KB

MD5
4d9f70131d420b68ff150a02d760fb61

SHA1
daadaca7e1386a160de53b3a6d9b50afc795c02e

SHA256
1f258126d19764fe6c0a8d1cff6632d90daa323e00a61bfd3a75b56420b3723a

SHA512
93297898a758c63f191ea052c83956912c4320ba40ccfca12a974940708f117d8a0c3c0ab2e4ea180d036774cd2bedb00a4331ffb57823aaee8e9cf248c28907

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
318KB

MD5
1a7d5be58e602a6107f3070ab47693e0

SHA1
5453f6b411610b57b2313db9de4699e9816c21a5

SHA256
4690f004a3753e78caa480c64f8c226e016f62f9a78d73e8aa87a7a0b2f3b191

SHA512
73ef4e2e2ec09b9db921b5a69ddc4aa2b68062d5ddec272c727cb067a0ed108ad694f6b226f62f31505f9210c6a6d2341f95b25aab1a4afa75efa356ba929964

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
318KB

MD5
a7c8e3365bb7dce362ade57da5579ff7

SHA1
63784e0afcbd8ac79921a36b23a7a823828cafcb

SHA256
6bddb213cbc53a81ef3b3343d576314bc6557bc8636388b96c3fbe2a2253b1a1

SHA512
4ddd5ae57200f0c2128806a0af2678511875ceb94a670774cebc32d3add0af7407673fb12e749df49aa1e386b53f17b38e322417a638272f4d18d253ad91b3be

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
318KB

MD5
e4d4457b5f850f10d21e74c1930e8378

SHA1
5ff8478f873d2c901c6aa2946760e4be522e90ef

SHA256
010aeab297bdfeca0b5e7dc05cbbe1c5fa1b1e11fefb2fdf7365c66f7af42cbb

SHA512
32d949110c5e3375648244a9037a9e13f9912ce79d559d4a0e2ecab93d09ac7034411178a3284b159b4e55a923c7b5c4732695e48f1f939336d180faccec29d3

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
318KB

MD5
d9fdd0d365629ef952f8a0a5fe34f31e

SHA1
523603c1671d082d3579deb159e5f7ddb6d2a6b6

SHA256
f10ec2f0b8e13de54cf0189b4c74a8c532e2ff5ba1def86e088c155113903f5d

SHA512
180930e7153e8a2ee556a836a488b9b6e69277f8ea376797f20fe09c7f07a7db3300ab5b705f88cf22c8614dce8efb77e6fca1c9901be1e15e3d2e10f7fe2a12

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
318KB

MD5
f6535e4cc70c4bab9df58e556fd28fe1

SHA1
5ecf2525f03d815f2a4d428e7b40e7930e6779e6

SHA256
27c8dbac27fbdb8c4c4c1eea8176310d1bbfd754823ffa06a880df5af6cc3dba

SHA512
64926b11a2b41a3e6077b3d42b3d24c7f0185b1982021ca584cbde62bcd8919ce8a97e925b7d7f37becbc60fba0a59eaa0fa5830323648fa609d553ab371fd25

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
318KB

MD5
9101d3f88ecf92b3e05fa70ffd1d3f3a

SHA1
30979446d15444c94d3f86b608cb0918e7bb5e45

SHA256
3ed5e0a2a60796eb4b34beba7c524dcc6dc864b6de202ed11487aec6942c4c67

SHA512
b99d8764cff9d0f30391ce0d50b6512262fb55c5c0f0921da06098ee95a9c8f8833e98c83bb1f057f0b2fb604fb5b4bd3a46c9bf91f9f352c659fcd906c63092

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
318KB

MD5
c6f59c812668796106c4104d8773439a

SHA1
964f028de549e10bca41ffa95264b3977fba8c1c

SHA256
22cb2b8bed2a147f34b953625dfadf7f79f35df18958b3cc0066cc47594b72fd

SHA512
88f7df766c48b9597a3891a2130d51a991a23836ae1742ec1c2a372021ad293dfe25b084fef3f8d38443ae3853c1435f90b7795ad6e19477421712230773f0e8

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
318KB

MD5
06ceba2b087aee06f57645ec04429759

SHA1
4825169e13d7254734d1fc6f265c6f9be3ae193e

SHA256
deac5ab6c45038f1a883586c0e1876510b968241f81aa7d6aa62b477f98d88bd

SHA512
d1145693c40f06df418bc37da696476f9e52b17aa1ceb888085b9a64fe2bf8de9732655f40d115904df38a021bbf5151c60cf4cc356937013d4713f976d68bd8

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
318KB

MD5
a8f294da815eb8fe43425685ccd4fe54

SHA1
9d39fd52b29e3d0217a31a5fccdc3e65fe117be3

SHA256
768ea103497f77dd00ddc17edc907f25536bde02346fd13a931611e4347db6fd

SHA512
fbc0a874aad7ba67cbdc87aa47f8b5e6be248f0bd52a66f8a5b4d90b653e49eeea05bc13f39d295cb754ef23c8fb948cb06335c0d765ce20647783ae06b6f901

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
318KB

MD5
1afe707cc813cc5001ef4fd7873ffb51

SHA1
fd79529a6964a2fce810a31a7337a623edf645b2

SHA256
e78e35a30040ce2593f36be8e12442a6fd41e34eefb47d0f54c0089eae337bec

SHA512
84f40f042371c7cb477eb95ac7663ec742fdee889d429a497858a8f01337f6c674e367ca72d6367e00bd50ef300bb1bf6873bf7da75234f7f42a6ba4ce8191ad

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
318KB

MD5
14f8945d0a1316271217fc1d54b8d1eb

SHA1
8f2854eb067cfc8546dfa6d403a6c0ef0539a083

SHA256
632288aca091251f84f3c04c0487fe53054924f027334a127a463f35508b71eb

SHA512
8e718e5ee428a24d3a0653d22d45dd74c8f66d30e9d7dba98ecb41a095ee0858bf1fd560e2bb5e1074dc5714a8cc1e37e1e07aac461ba2d074c0752c89bc2430

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
318KB

MD5
45148f2478cf270218014a2c692bf50c

SHA1
9041180853a155112cb8ad8f21e6c5a5052d35c9

SHA256
448e92dd4c201a48b19519840a35fa432b7a9d153e107c732ff5ed692fc36f25

SHA512
12bbda9aa37e047c4aa33578130c7f2f151cbd1790cf49260c6554c96a07fa262f325695fa2f7cbbbec8c103ba866e3cce2821321202a7a8b87082095ceca2ef

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
318KB

MD5
821a9c340cb0c2e6cb9b8bf91a2633ad

SHA1
a6cb786df44c4eb115888a2153b5fc6269a9b2f7

SHA256
54031d599d8273133ff85f830bba2e6c0149478bc2bad21a8f8a37e1648676ee

SHA512
9ad47ebe8db0ab2b3ff0bdcbc7fedc62d827285fa57a14a0bedc9783ca2cc65601c49581e3cbe57da73556985b1894ec0e5f5299c8d2851923f2d9528e36846a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
318KB

MD5
53607445d70d4ac1c481fdf41c555801

SHA1
89fc155637ba024b94f520b6e301e50e34312093

SHA256
4cf6324a7767844b4a1dbaeee71f66d5f586b68a32099b46fdfa66477fb08102

SHA512
f0784c23cae37133f5cd9481573747a130f7d17473c78ffbf4c4adcaaddb8cfed4c7e1b75f0f95f3ca43260dd42a00f5fb4ed70cd29a9eeac16e225d4fa99a15

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
318KB

MD5
21a425a95728c3d71b1470c32f77eb1b

SHA1
f7df7930d663a388041c94cf075f29f9ae340c27

SHA256
ce1469efb12907486337e28bc9a5a24c9a5aba2c5d0df97a6a2a3fd22b5dd97c

SHA512
6af9503624b6c44664aa082d19becd0bd9d743169e75df95a853155774ba8f7a4d35e3bdacfab2f6f1ed183456042f0a6fa4e6cf8dc1070ce7fcc2236dbc3b48

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
318KB

MD5
6c788e18fd12d9feeba41bd8e6fb691a

SHA1
b7a10feb8abb8104d10b9294a2d03ddb70616a98

SHA256
2231eb91f68806d3295c05b27a1a09b4ad0e1f7ebee681d991541f3734d80f87

SHA512
39e9a05454cf12d2a1299226e504b6290e642208e8106c76218d1a9eb6807b04a83673b0c7aa5f6ffd9796d27f94ef56bd035bde85b98ff128bd8ae890d36c0a

Download Submit
memory/396-76-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/448-568-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/448-597-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/536-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/536-581-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/568-175-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/648-394-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/880-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/936-518-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/952-441-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1032-299-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1116-429-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1172-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1200-477-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1384-314-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1412-191-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1492-7-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1492-547-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1520-488-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1540-183-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1652-223-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1832-364-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1956-152-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2012-447-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2032-600-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2032-555-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2052-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2084-453-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2212-382-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2340-95-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2344-239-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2388-247-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2624-370-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-334-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2892-459-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2912-111-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2916-592-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2956-326-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3084-159-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3232-143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3332-88-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3360-307-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3408-416-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3436-266-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3444-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3444-561-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3624-533-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3644-548-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3652-598-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3692-400-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3712-286-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3716-471-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3756-119-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3812-207-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3820-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3824-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3824-541-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3832-423-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3836-316-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3868-489-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3936-516-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3956-435-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3988-595-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3988-575-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4020-352-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4104-215-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4168-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4268-274-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4276-340-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4288-292-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4292-376-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4320-411-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4352-268-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4380-465-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4404-255-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4428-554-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4428-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4484-199-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4496-167-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4520-506-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4524-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4524-567-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4548-103-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4560-388-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4568-346-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4620-588-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4620-591-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4688-232-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4892-499-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4896-587-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4896-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4932-328-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5048-574-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5048-39-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5064-280-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-535-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads