80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
Size

128KB
MD5

c373c589d1cbf8733d60a0966070224a
SHA1

96ec4f5130884bdae8eb2f69163fb51b3f51e63c
SHA256

80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6
SHA512

4356c257cac17de97c24c97331f75b83a120d1928a293fd6da43999a98a942787ebc933f56ddf124afcf5dee12015e8b337c89b778a69ea6bcc9f2bc43c869eb
SSDEEP

3072:oGaiqbECzE8O/+XG5ZdokRycoBmdzbzdH13+EE+RaZ6r+GDZnr:5aPbC8HXWdokRycrbzd5IF6rfBr

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe

Executes dropped EXE 64 IoCs

pid	Process
3044	Mlhbal32.exe
2996	Ncbknfed.exe
4388	Nepgjaeg.exe
1412	Nljofl32.exe
1752	Ndaggimg.exe
2816	Njnpppkn.exe
3844	Ndcdmikd.exe
3968	Ngbpidjh.exe
1680	Nnlhfn32.exe
2092	Ncianepl.exe
3248	Nfgmjqop.exe
2396	Nnneknob.exe
3896	Nggjdc32.exe
4760	Olcbmj32.exe
2088	Ogifjcdp.exe
1916	Olfobjbg.exe
4864	Ogkcpbam.exe
2016	Opdghh32.exe
3904	Ocbddc32.exe
4552	Ojllan32.exe
1656	Odapnf32.exe
2216	Ogpmjb32.exe
2516	Ojoign32.exe
3740	Ocgmpccl.exe
4608	Ofeilobp.exe
764	Pdfjifjo.exe
728	Pnonbk32.exe
4168	Pdifoehl.exe
2844	Pfjcgn32.exe
4228	Pflplnlg.exe
1548	Pdmpje32.exe
4444	Pnfdcjkg.exe
1608	Pqdqof32.exe
2352	Pfaigm32.exe
5092	Qmkadgpo.exe
4796	Qgqeappe.exe
1800	Qnjnnj32.exe
1712	Qddfkd32.exe
4740	Qffbbldm.exe
2824	Aqkgpedc.exe
3192	Afhohlbj.exe
2856	Ambgef32.exe
3580	Agglboim.exe
1600	Ajfhnjhq.exe
980	Aqppkd32.exe
1948	Agjhgngj.exe
388	Ajhddjfn.exe
1592	Aabmqd32.exe
5016	Afoeiklb.exe
2944	Anfmjhmd.exe
4624	Aepefb32.exe
2248	Agoabn32.exe
5084	Bnhjohkb.exe
1984	Bebblb32.exe
2116	Bganhm32.exe
3624	Bnkgeg32.exe
2900	Baicac32.exe
1344	Bgcknmop.exe
4572	Bnmcjg32.exe
4556	Balpgb32.exe
4084	Bgehcmmm.exe
4828	Bjddphlq.exe
3224	Banllbdn.exe
3544	Bhhdil32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5912	5736	WerFault.exe	180

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qffbbldm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3044	2428	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe	84
PID 2428 wrote to memory of 3044	2428	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe	84
PID 2428 wrote to memory of 3044	2428	80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe	84
PID 3044 wrote to memory of 2996	3044	Mlhbal32.exe	85
PID 3044 wrote to memory of 2996	3044	Mlhbal32.exe	85
PID 3044 wrote to memory of 2996	3044	Mlhbal32.exe	85
PID 2996 wrote to memory of 4388	2996	Ncbknfed.exe	86
PID 2996 wrote to memory of 4388	2996	Ncbknfed.exe	86
PID 2996 wrote to memory of 4388	2996	Ncbknfed.exe	86
PID 4388 wrote to memory of 1412	4388	Nepgjaeg.exe	87
PID 4388 wrote to memory of 1412	4388	Nepgjaeg.exe	87
PID 4388 wrote to memory of 1412	4388	Nepgjaeg.exe	87
PID 1412 wrote to memory of 1752	1412	Nljofl32.exe	88
PID 1412 wrote to memory of 1752	1412	Nljofl32.exe	88
PID 1412 wrote to memory of 1752	1412	Nljofl32.exe	88
PID 1752 wrote to memory of 2816	1752	Ndaggimg.exe	89
PID 1752 wrote to memory of 2816	1752	Ndaggimg.exe	89
PID 1752 wrote to memory of 2816	1752	Ndaggimg.exe	89
PID 2816 wrote to memory of 3844	2816	Njnpppkn.exe	90
PID 2816 wrote to memory of 3844	2816	Njnpppkn.exe	90
PID 2816 wrote to memory of 3844	2816	Njnpppkn.exe	90
PID 3844 wrote to memory of 3968	3844	Ndcdmikd.exe	91
PID 3844 wrote to memory of 3968	3844	Ndcdmikd.exe	91
PID 3844 wrote to memory of 3968	3844	Ndcdmikd.exe	91
PID 3968 wrote to memory of 1680	3968	Ngbpidjh.exe	92
PID 3968 wrote to memory of 1680	3968	Ngbpidjh.exe	92
PID 3968 wrote to memory of 1680	3968	Ngbpidjh.exe	92
PID 1680 wrote to memory of 2092	1680	Nnlhfn32.exe	93
PID 1680 wrote to memory of 2092	1680	Nnlhfn32.exe	93
PID 1680 wrote to memory of 2092	1680	Nnlhfn32.exe	93
PID 2092 wrote to memory of 3248	2092	Ncianepl.exe	94
PID 2092 wrote to memory of 3248	2092	Ncianepl.exe	94
PID 2092 wrote to memory of 3248	2092	Ncianepl.exe	94
PID 3248 wrote to memory of 2396	3248	Nfgmjqop.exe	95
PID 3248 wrote to memory of 2396	3248	Nfgmjqop.exe	95
PID 3248 wrote to memory of 2396	3248	Nfgmjqop.exe	95
PID 2396 wrote to memory of 3896	2396	Nnneknob.exe	96
PID 2396 wrote to memory of 3896	2396	Nnneknob.exe	96
PID 2396 wrote to memory of 3896	2396	Nnneknob.exe	96
PID 3896 wrote to memory of 4760	3896	Nggjdc32.exe	97
PID 3896 wrote to memory of 4760	3896	Nggjdc32.exe	97
PID 3896 wrote to memory of 4760	3896	Nggjdc32.exe	97
PID 4760 wrote to memory of 2088	4760	Olcbmj32.exe	98
PID 4760 wrote to memory of 2088	4760	Olcbmj32.exe	98
PID 4760 wrote to memory of 2088	4760	Olcbmj32.exe	98
PID 2088 wrote to memory of 1916	2088	Ogifjcdp.exe	99
PID 2088 wrote to memory of 1916	2088	Ogifjcdp.exe	99
PID 2088 wrote to memory of 1916	2088	Ogifjcdp.exe	99
PID 1916 wrote to memory of 4864	1916	Olfobjbg.exe	100
PID 1916 wrote to memory of 4864	1916	Olfobjbg.exe	100
PID 1916 wrote to memory of 4864	1916	Olfobjbg.exe	100
PID 4864 wrote to memory of 2016	4864	Ogkcpbam.exe	101
PID 4864 wrote to memory of 2016	4864	Ogkcpbam.exe	101
PID 4864 wrote to memory of 2016	4864	Ogkcpbam.exe	101
PID 2016 wrote to memory of 3904	2016	Opdghh32.exe	103
PID 2016 wrote to memory of 3904	2016	Opdghh32.exe	103
PID 2016 wrote to memory of 3904	2016	Opdghh32.exe	103
PID 3904 wrote to memory of 4552	3904	Ocbddc32.exe	104
PID 3904 wrote to memory of 4552	3904	Ocbddc32.exe	104
PID 3904 wrote to memory of 4552	3904	Ocbddc32.exe	104
PID 4552 wrote to memory of 1656	4552	Ojllan32.exe	105
PID 4552 wrote to memory of 1656	4552	Ojllan32.exe	105
PID 4552 wrote to memory of 1656	4552	Ojllan32.exe	105
PID 1656 wrote to memory of 2216	1656	Odapnf32.exe	106

C:\Users\Admin\AppData\Local\Temp\80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe
"C:\Users\Admin\AppData\Local\Temp\80a4f33c0786c9367659d221d408ffcfdcc54edb2bbf51027c5446c3983dfbb6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\Mlhbal32.exe
  C:\Windows\system32\Mlhbal32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Nepgjaeg.exe
      C:\Windows\system32\Nepgjaeg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        65⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        71⤵
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        72⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        81⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 416
        93⤵
        Program crash
        
        PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5736 -ip 5736
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
128KB

MD5
25fd9e1eff7ccd3a0470ebcac571edd7

SHA1
5fbe7affa585d5d233d66fd82da8da220aef413c

SHA256
e94068ec6470160fbe353b805353e872d6b4627a10a734184413106d4d286ede

SHA512
0ca8feffa63e5b375920f52025f9126cf2de25df51e443e94ae482e541cb09e882fdfa24750df19eb3e479a33ca7fb9286c4f24a7a99f5d158b63af5ff15b414

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
128KB

MD5
38382bae30eef3d49c80840971afa837

SHA1
c872eeafa22cbdad8a6018ec16d6c5e25f8b80aa

SHA256
e651201e09273f9e9966efc097047c528b5a0abaf30acd88e0f95f4fbb889fe8

SHA512
c7d59a8973893adddb960e7a4288256597c7b76cab53100a59355a835d9571081c5ea07b8652617bb53cea1dcf70b466391df801abfc82c4a54907c48d9f6ecf

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
128KB

MD5
5258477ec7315c5dcee3c4aff8959bbf

SHA1
4de058c7a82893ff469683760bc862eb7a80582e

SHA256
48dab27827b86d704369823d5dbc773dcb9c915563e9c3bbe7331d7c50eafbee

SHA512
76f61a51844094eaf183bdcc47cd370128327bd0177c456861332d60367b2cfa8d8df217f581216b1acc0df9c1e0b5f0edf44a7e4c45bf5e9dc98606a73f443e

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
128KB

MD5
2f1bf03c99e8c52c528a64dbccb4d602

SHA1
7bbc00717892d4b98f79cf494c4e9b125831c229

SHA256
43a9656e90024cf6ca050e61338e0facbc37ef36d71818863556c3f972806e19

SHA512
62641d91c134d83e929efbb0436f3461f492633fc9debfbe77e760c3559dbf712090573cfd69225c2e43012f3edc2bc5ec9ee66541432324de25a96085da330d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
128KB

MD5
f47acd5602b22cb7268b91348a02fb9d

SHA1
c6f06079c64bd71f865bdbed9919d6fa2843fab2

SHA256
838a6f94c251db6628cb84b1966074509247249d061d5936f7b46a26d1260b84

SHA512
db9f979b9f535044bae6f4d9bc91c00146624126d904c6bf8f86df501edf1ba5fe7dc51a8192a349323d327ef4b8acb16db1c138df30d4f7e83ca5504a7e2c2c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
128KB

MD5
9b30441b46fda64ded0a0633b923d27b

SHA1
a2c10316156f17d122c703d762704bc8204f508a

SHA256
f54f1c6996c77e699deba2cf160c038aa03a79c7550f74bc6feb74576c1febdb

SHA512
b04a942b7be10715fd8506705bb715c94ca9fdb8906f288c673546f61f8049a9a46dff91bf4e401dbb1e267407416822e3dd7a70536a3853a61e7f603f90a64a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
128KB

MD5
ea5af3a567b9c463028d230fb8ec3cc3

SHA1
a12e7d392cc70f52ae2660b21ced19331804c556

SHA256
f35acf1de20563620f671412ac0f7f69554fc287fec74df2e2b98194414f3f08

SHA512
4cf58258d3dcde4bdb4d14a6ded9bc7dea8faa3c87133da1142ff1e984b87cc5db4032091b38760852b6038ffdb74deb94a1e360085514241dcd07067093fdb4

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
128KB

MD5
ba0ba609b0fc0efc211d3c721d4879b5

SHA1
abb0fd40d6854cd683f6647b56e4178967d0606f

SHA256
ce9582855f005a4a6068b0ec2927d524b9ee060ae51eafd431f839a41b3b7dce

SHA512
03a6d7f8f01a408be97cbe95e5489d20ef35a649ac30ce1b57a409aa63d90fe1fc80a799cb2d4cfc1548b82dcf742d63493d338fc1a252e90371af3ba7269f74

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
128KB

MD5
1e95c9f893659f4e4834b692465b30fe

SHA1
f8010f7c2643f9fd28807cd718ee9d4b428b1ac0

SHA256
4e51767c62537f8f24137f8c848b434791c93d30a07a80577ce42269ab0559df

SHA512
e3473d597b6049d32c257de01d6131c939a1d224c32b7828203fa566a431a95cdc06a427ff8109abfa7997905786024106a562f1ab45b982ff9a643105591ae0

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
32e5eae4283a24f5cd9e01c764fe4c51

SHA1
1dc3998fdbba90f2778feddf2ec93baaa23ef6d4

SHA256
8724686f0c43908e584b41194aa1ec221068fa0ef4ee726ea7f2a76497d85e3d

SHA512
9cff305b688ca1afd907600f2811d07138750a56b6174226f74d12d963e57951e2422250cac7931822a7a3338524ac1ae46cb1785584cff0f8d51d580ee42464

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
98808a474e2ecd127ffb9a857a5e7e2c

SHA1
0fea1ad32e9d59cc09cd021367e79b27e243c994

SHA256
1d57233b2884f1085d6630f53128f6415c1cbc1f9bfaf04070e976cb62b37614

SHA512
c7d114a25c60bd3fed9b3352dd9dab4b9ea738a8ac228c51c549c261f4807c02b4a6dec5f4abca4376f774e40df91aa9a9772ae6c8f37864238e4471be49e3ed

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
128KB

MD5
9af4145440ddc00fa94eb0b9ce7a18b4

SHA1
e13704a924c40ed64caa37a4a4cfa507dfd82130

SHA256
8324e4e2eb022f167220b47adc069abd157bfadd44af17507ef1de749ec53252

SHA512
05fab3bef9c421f783d6a4f6b115b197dfc09309d874b16c47affcb98e19b943aef39f954a47cc8cd264932465ceda033a94f847cf08f9b3cf1d9428961c4d90

Download Submit
C:\Windows\SysWOW64\Nenqea32.dll

Filesize
7KB

MD5
c53f514d39d20896eff481556b5f0e79

SHA1
dc2e6ee28f2b34d29a477dd537625ee4b3b7fb03

SHA256
bdc949dad255990cc4513b4a3fe90cca4189698695ef03d370379573a60ba5f6

SHA512
04060447dfe7ac1f672b27f31f4eb846a3b0d9f7cc926bfe4fc69a2bfc839f935172a968956328ea40dbdf373b0439e65d8792fc6926f8cdb76d38497e78c725

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
128KB

MD5
9c097bb29141dd0e5b962e7e2ea8cb70

SHA1
50c202a98a21db5140c801ea051c06e333666c29

SHA256
cbec7ea5b36138937747e1406da03e34a2e80149b1008773e8b169252296f231

SHA512
52c7ab639c1a1ac936ab7e8610c1494f691c4afc958d62f129450ed0909b47ed7705836e96371e53b77705eef18d460e8c6893deaffd2297ee442f8a1f87c284

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
128KB

MD5
7fd619a1ad0827c7b2002af39268e46f

SHA1
982b0b2f0a7ad7196e75a7180d8249ac61951d66

SHA256
9d1694f3c1bc0f77b22dbe63306e03db7404a64aab36c8c4fbd10326386b08ac

SHA512
f202240240252ac5797d1b4d36e227f9092bec4171b63b7e7d583813a8f9383512cf6f210875dcb3cd00a388390c8a022a6acd4009b5dc56e1e459149e386f56

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
128KB

MD5
fe171338b4880b75e06ace66732777d3

SHA1
916b9676124a712df39f5dbb93d23f31c13bb8c3

SHA256
56af02ff94315d74e19815ee82db375df9be9a55953f51853343859d3c9b6c11

SHA512
95be5ce79d7328c56b8d3e1ce6556a2ad0f760d185686e98aaf4b5ebda81b2ba032143487755b85afe24ba322dc2a84d7af352212ab0bf2b5b3dd727ef1aaf1c

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
128KB

MD5
f0b9c0297c93884a1e1b9aef9ff77ccd

SHA1
3385bb8eb73bbebe825fffb5e83733b3d5505723

SHA256
65bfd4788de5a22a0125fe9ad2b7481622250192baee0dfc47e030389b5a216d

SHA512
1598b9303c3ab45fbc3fccc045b4f56b6d8172a957513a8a6fffa3440213c1373bc9feefd6f8e92ebe517f16476b8a755e5972d5687ea1e0e1e92d448a84d2c7

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
128KB

MD5
ddda862ab880f4ff078f60fa87bb145e

SHA1
9d37ebfc65f406531611a76026c226ba0fc0f168

SHA256
4b4a25bb8e07402bde0d92e57caaee28b1d87b9d6038e7cdc06cced4d33939a7

SHA512
d09bab833916d999a7896d191b92f03575c83a61e64ddd83b80c8012d916d0303bf15c32b547ba3e261318c4e710d5196557694eb8d0dacef61aa3519a965f89

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
128KB

MD5
b157ae95e9440098925aea45ed578a17

SHA1
6ded3c761b3b2a1cac3370912a96f584be2f214a

SHA256
16b596c76dbfac0eaa6c09c4a62d1f7a823ae317dd6671035be0a1f35a8cea77

SHA512
84bbcb18947a352882caae7621b06f3e0123f95be938f181c7f067f73f8d0b68ceef458cdf687d054cee8313b0f22ab0d52bfb9ab534497a3099f3e6089e3476

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
128KB

MD5
8e9150d5a33842817c530c343883a47f

SHA1
853f4335c45e100150d5850d43a12574aeb45fa8

SHA256
3e5621fc01e200faf0b7954c4bdb06e121ceae234c0a23557e99a0c9a709f49f

SHA512
1b9d57cca1d8020c22761e17138197ea7f98ed91d2ebd9bd004fbb01eab56e5cc083c0067095d4866145c28d8cbb8ae90a0bc8032115aee399d957c72dfca89c

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
128KB

MD5
fbee173e3434eb328d4f817e565ea49f

SHA1
cc2966b2d8bfca854f6a690d117f0b205111fb65

SHA256
a9d69c3c7ab24e594a931f4bac889946ebf6ca36a1493f101e7a2c5a25783f93

SHA512
0d054679368849b42c71581f7ec0d2953f2730f0051bc47a981d420b4dda23d2668adec24fce260d34867351862746445b34a2124c78b3597116b2ffb71f46bf

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
128KB

MD5
c27ad40bb4d296246dd16d88ae681b48

SHA1
eab8bca4d184ce3f59afc6dec1035a3297c4c2fc

SHA256
8a5f053e1be4db7ed2c7e9ba6ba189f4959293dfac629209d0d7b6e1d60fe2d7

SHA512
1b85c5785892f9f32c676b753d31b73fe72502f55cf235dd36e93bd260784026dd455df595eeb58aaef9c5c3d5c507fb62300569b071e13d07c0c28cf41ed898

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
128KB

MD5
eb64da7b578afd6de1d9a73ea04615ec

SHA1
1ce648eacb933553a43f5a552a5c64e3b7ee01b9

SHA256
67a6d7f3fcefc6be0558d47c816340b41821fa940c4f906ed2004127ba66855d

SHA512
22a41a70de13db331605e5fee5711874f7a0fa77c0db564fd0dde709f6e15fcce71d7919cbd4221268ae76b02516cba5e673747da426566b49cccc67aebf0de1

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
128KB

MD5
0e3a2a9a9e1614437a3757915f2795cf

SHA1
941f6cca08b9eb50cd4dfdf7f815aec817c1e827

SHA256
a0768b60050473b1fcbc4106897e2747c82025371f2d74ba09c63189fbe113ff

SHA512
cb009abee070805484bdde51e6aca8c6535b795cd7d6a557c962e620e39802f964a710276a319cad737089e23263273aa15b5e192ec8a1ec5b54b26a17370b91

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
128KB

MD5
49ab37e0152542b04c79ef7630ec8ec5

SHA1
1064b4eb200c0771effbc32bb42ee16e89cee768

SHA256
f3f309ad763b317177b42db28d6f876a606aa5417b9066e7c149dbd85b7d2563

SHA512
06aba7c12bf6c9f20963b1c96ebaf768635a297a3c545a312236a84fc80a52581ac30686fa45d4497f985ce6932f7a4bca4334fcb988008ec04ef138f9e50745

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
128KB

MD5
be5d2ca2c0a28ccabda839f603afb758

SHA1
4843bac8a12e05531b0a8ab659e981a9501c550f

SHA256
1840cea85839f9eeec15061da91feaa4e72e271c18b34957c41b1c8f4d9abe2c

SHA512
48cfb32b0dd4922e74e5e7d18cb2041b4447a8e025dd5d8e0f1806ab2865119eb84130949b4e825b92682b2764a633ea3bd03dda4cf44b8e9842a1a323da9024

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
f0d01a5f7fe34a79d2038219ce3c3068

SHA1
be19e4f0eef5149ca58d79098b2858f36b14c084

SHA256
1ff3812951a769ba9f86b01363b2cee851a3d80fdc4e66afb4837367c9ce4747

SHA512
d4bdd9d1495351d81d9caae20cec94c909a9e844198321a04f7f31f399fdacfb1d0afcc8b968a6ab7e83ac08fa1b4d69cff3360b07be25876bc93c37cf08a976

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
128KB

MD5
dcc7635ed49be9280a17a15167f4364e

SHA1
df3ff5e5f74b23ce8cfc446c17b7b17fe5b552ce

SHA256
0ab4d02575db382a76c912ec4c2b876c1f91826de063eeb78de12bbd0d2f36a8

SHA512
841ac31978f90311a641a74a8c0d205183c86d425ab9b981c7f740a44db2beb33bacf18a6f31ad7599565cabf5a94d81c985314c57453b492ddce72568f866c8

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
128KB

MD5
a3614c92ae1ee15936dfe11487324089

SHA1
1aa84ddcf81b78b38ef99c5e2243a8b8c66a3a69

SHA256
b989d4fa8353e3bb74b01c1b0a65a85ca4975b7a4556969581973fa3320802de

SHA512
d0ab39c1b1054836c8baab694ceddcffa404756ea8627d38ba22294be885e9abe960448c9c7a1dc943a12584cbdc5e5f48111d48c896e6cdf172834137c6727c

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
128KB

MD5
efeb0b77b558a6bb703fcdd34b6583e9

SHA1
573bdf73ccddf5fcf9bd2be8b9226bcc9d3fc911

SHA256
0197694e7895cedae8d6067d9fa67b5c6e27b676b2e2108def8244edb19f1a28

SHA512
5d9a212dbfe1ad50b852a8c5aa4bee3a0bbe502c6079521c877045b49cadeb5b9989e96fda210cb9620feb4d57f869bbfa9bf0e3ff0d6464ba0dd101c485905b

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
128KB

MD5
6c146bd7d7093d41ba8e9377a6908013

SHA1
5d56535a362dcf582c8556a2e52c6efd0123e3d5

SHA256
56fd0e22a41eee7462f14dc93d27ec062b7181b4618accae6fe7ef4d6047a991

SHA512
49097d93e54d0a800f77478136ed23f3e8a1139782880fa6a4fdf1fb6d98a9e2f5893c76ff6988170b50c7970a4816eea7ed5f6a9cbe612612333d12a54a4e3d

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
128KB

MD5
a59c0f146cfdf9a03e035aa4b746744b

SHA1
c2e14272b3f5808f7acaee47795efe81c3a5b96e

SHA256
95a3f82292925f776e4b70bf58d6a02258a39d3fb4f061ddcc899edae43d9473

SHA512
e8a6b437056664d081c9b29ec2b392f2a15a42e8abc87f46a2ff04c6cae83dedda57c49d07b841e0a674612d68a84e141488717be6fc6543b90960445b92e775

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
128KB

MD5
134b42186669664ed1dc788fad095a1a

SHA1
309cf971cb69434fc76994c96bf81c551b052180

SHA256
9cc27e0bcb37547c934883911975f6dcac629a7336e971bc06903e7ff7e3e072

SHA512
b7ed8e018d4f2b406c3dcf99f59a79447eaa4532b83d37978f015b4848fe466b64170b5d3b3426f130a535c1b4e2434ff1d0a48836b12df745776ef6afeef49f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
128KB

MD5
a76f7dfca30d1a8b56f02e0b5607b497

SHA1
d02d34e5595c35fa2b69a1d063393d1e2e7ed338

SHA256
855a91fc86158974eadb6cb78d533109613012469d081520198ff896d244a9b2

SHA512
75bcbcdb97f13b46c5373219558bd71365cc6c65d153fc1327b24b6743e8630643b7426e97fa412916566fc525a989c35fdfca47c8e803fca1acfd1fc7b6c509

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
128KB

MD5
3d080361d5c5c9c978aea9fb6cffbd2f

SHA1
575f511e7b6f96c2ab7e4af8816217ab2b927d04

SHA256
7e82d978ba453f300c4deeb74ade48a945c010e2211758562d022f0edb297084

SHA512
f6cc2289173962a2a2df7c041dda139a7f157bf168c0e905ba51b00995eaf91179f8567979d9e71c83812c17726992044286bdfe69ec5e6cffc0482be42cd15c

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
128KB

MD5
87b9bee38704a3b3f46c333b9125ffc5

SHA1
87cba30544cd61ac405abf7ce286445e0cac395d

SHA256
48f4eae6481ecaaf03668b9261dd554c460bdbd0d7c807c5f767d0044da2a0bb

SHA512
d00df448f9ea11c08851e4206f3ba0b8f2c0a3adf60d5546d25dc937d5c2b2f7c977ecd74807ecae7ea411c9891dd7800f2addb6207da9f7d1c7546e089e417c

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
128KB

MD5
2ed7de9b314e52bb41594a50b1748fd8

SHA1
cb98b139c8a8baeda150afdef858d9b2176a8176

SHA256
f3b57df8027b162200d5eed3448ffa9239df1befdc98e0b9f1b092ee9dcbceb3

SHA512
e5b12ef57ebd64e40d1a7538b6789ad88d260a400d49b34ddd4c78295d25e9c51ce73bf5275cbc44eed9de0e463f93e84cd0ffa36b5d0bdfe080101748fe580c

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
128KB

MD5
02a142fda13cc848a46229d484cecb23

SHA1
97c162551fd91d70816023d3de20dc9a3db6b6fa

SHA256
055cf04a2167e042e6562839759f0b00d39cf729a37095239c54e5efd6d861fd

SHA512
b6ec8553931cc2420eece780ba77cea5347ef9e0a3f6c9a13f05c7117b0b182fdebe5e8e88fd02c1e477bd70e45ba13c2c222b9f983be27096d301be06820640

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
128KB

MD5
06e3ea5a22b5dfbaf77e7fe50df8013f

SHA1
7012b8110060339abc617c1f4ddb9a966ae44cd6

SHA256
75c0d85735ef7b2340d91e7d739077b35e35dcb15f27d4b8b0d6532cf5f530c9

SHA512
2aec52f614c9479f09a5f8ca29b54627c93ab5afba0dd3491b6a3d1e662afbeceee69772b55c5d8076b290f334bfd13c66da1e68e22e03c59494d59a7409dd9a

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
128KB

MD5
01deb4313828634067b0c6b19787e92b

SHA1
ce1c300ed24ec1912777bac901abca6c0ffc8645

SHA256
ef6882ab244ae8f5d4b0b40d22ff6429ae0943caf916fba9a34e70afd4197450

SHA512
d40d5a7b77b9cbcf85b2d7dfd8c0a4149ab837f4d42f724fada6b8cda8d240132ed2cf66710888c85de41ce0622bc2ff64fa8421be7685fdbb200533b9ebda4b

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
128KB

MD5
fa5a42f6f9d3d94a31d974a4d1ef925f

SHA1
30508eab87bf825857877f1f53c002b1ba61d1c5

SHA256
f36574fe0e5f28d9eb40eff7eebc4dab3190a0ae84fb2a993a0add851e563213

SHA512
3a2f91773ffbe20e66f7dee40899d7b3e4b8540458caf4d18852d533771fbc1e28998de090a7ad2cd9ef5263bd3cba9a46a21559d762a0a65290e48a7d5a1dc8

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
128KB

MD5
c4d309747231e964fe69197c81fc863e

SHA1
ae085fcef8322390ddeeadb968f6a8a4be97a1a2

SHA256
12f895eb8d0ffc29c4564f636ed536b4e83f5cf1962e2c48d2affd0931efe821

SHA512
4ef6cc5d6a96f1b8db649bef78c428e66834a52055b1a36dbc394476a9d025382ea9159f52783833b8e95046c8622f0010eb15558f4540a0a6ff621e2c964c86

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
128KB

MD5
5daf2a8da4636c86f549f84f3b52ac82

SHA1
d18e76b739fba0f5f25e325c563fbdc7340ce10c

SHA256
ef7bdd7956f53b8e30bcbb84f35117453ee3cbd800768ff8ea11b99fde540ac3

SHA512
d8b76029dc6c28fbf2dafe20739c0f231b07a328fe225a6dd942a70fb08639a0cb06da785872f76d97cd959f8a47595572e5209045b241480e3a62728bb0a5e0

Download Submit
memory/388-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-720-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5172-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5256-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5296-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5332-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5332-625-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5444-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5488-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads