15f487fab287ed61d0bd8c6772d35e5a7b10c9c5217fe198eefad28fc53476f7

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd2684847a5e24d54ce09278367ddf0N.exe
Size

128KB
MD5

abd2684847a5e24d54ce09278367ddf0
SHA1

4aad35992c0813766d792dfdce52f6bbc407b90d
SHA256

15f487fab287ed61d0bd8c6772d35e5a7b10c9c5217fe198eefad28fc53476f7
SHA512

54b3bb97c92b5fe0d9576535dc5d76b5435c299f1c707fd78ea343b8f8dadb9e6e941aeb11d5694e8a8527e8b3bd7e4f4db6727d985ead849667c14f7a556d43
SSDEEP

3072:oK21zM54emzV+Gw0rjQyZ21AerDtsr3vhqhEN4MAH+mbp:fHmRrjLZ21AelhEN4Mujp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe

Executes dropped EXE 64 IoCs

pid	Process
2132	Nphhmj32.exe
1320	Ncfdie32.exe
1028	Njqmepik.exe
4656	Nloiakho.exe
2268	Ncianepl.exe
692	Nfgmjqop.exe
3588	Nnneknob.exe
1220	Ndhmhh32.exe
4884	Njefqo32.exe
760	Oponmilc.exe
4348	Ocnjidkf.exe
3876	Ojgbfocc.exe
4780	Olfobjbg.exe
3380	Ocpgod32.exe
2824	Ojjolnaq.exe
3540	Olhlhjpd.exe
1336	Ocbddc32.exe
4768	Ofqpqo32.exe
4384	Olkhmi32.exe
1488	Odapnf32.exe
1756	Ojoign32.exe
400	Olmeci32.exe
3928	Oddmdf32.exe
4240	Ofeilobp.exe
820	Pmoahijl.exe
2900	Pdfjifjo.exe
3188	Pgefeajb.exe
2764	Pnonbk32.exe
4832	Pqmjog32.exe
4092	Pclgkb32.exe
2908	Pjeoglgc.exe
3116	Pnakhkol.exe
1260	Pdkcde32.exe
3912	Pcncpbmd.exe
3000	Pflplnlg.exe
1368	Pmfhig32.exe
5052	Pdmpje32.exe
2024	Pgllfp32.exe
4660	Pfolbmje.exe
4972	Pnfdcjkg.exe
4428	Pmidog32.exe
1540	Pdpmpdbd.exe
1492	Pgnilpah.exe
4676	Qmkadgpo.exe
2848	Qdbiedpa.exe
3932	Qfcfml32.exe
228	Qmmnjfnl.exe
4904	Qcgffqei.exe
536	Qffbbldm.exe
2120	Ampkof32.exe
4340	Afhohlbj.exe
4848	Anogiicl.exe
1604	Aeiofcji.exe
3524	Agglboim.exe
3068	Anadoi32.exe
3784	Aeklkchg.exe
1660	Ajhddjfn.exe
4172	Amgapeea.exe
3128	Aeniabfd.exe
4248	Afoeiklb.exe
4196	Aadifclh.exe
3836	Agoabn32.exe
3108	Bjmnoi32.exe
2744	Bnhjohkb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	abd2684847a5e24d54ce09278367ddf0N.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	abd2684847a5e24d54ce09278367ddf0N.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5888	5800	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd2684847a5e24d54ce09278367ddf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	abd2684847a5e24d54ce09278367ddf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2132	4492	abd2684847a5e24d54ce09278367ddf0N.exe	83
PID 4492 wrote to memory of 2132	4492	abd2684847a5e24d54ce09278367ddf0N.exe	83
PID 4492 wrote to memory of 2132	4492	abd2684847a5e24d54ce09278367ddf0N.exe	83
PID 2132 wrote to memory of 1320	2132	Nphhmj32.exe	84
PID 2132 wrote to memory of 1320	2132	Nphhmj32.exe	84
PID 2132 wrote to memory of 1320	2132	Nphhmj32.exe	84
PID 1320 wrote to memory of 1028	1320	Ncfdie32.exe	85
PID 1320 wrote to memory of 1028	1320	Ncfdie32.exe	85
PID 1320 wrote to memory of 1028	1320	Ncfdie32.exe	85
PID 1028 wrote to memory of 4656	1028	Njqmepik.exe	86
PID 1028 wrote to memory of 4656	1028	Njqmepik.exe	86
PID 1028 wrote to memory of 4656	1028	Njqmepik.exe	86
PID 4656 wrote to memory of 2268	4656	Nloiakho.exe	87
PID 4656 wrote to memory of 2268	4656	Nloiakho.exe	87
PID 4656 wrote to memory of 2268	4656	Nloiakho.exe	87
PID 2268 wrote to memory of 692	2268	Ncianepl.exe	88
PID 2268 wrote to memory of 692	2268	Ncianepl.exe	88
PID 2268 wrote to memory of 692	2268	Ncianepl.exe	88
PID 692 wrote to memory of 3588	692	Nfgmjqop.exe	90
PID 692 wrote to memory of 3588	692	Nfgmjqop.exe	90
PID 692 wrote to memory of 3588	692	Nfgmjqop.exe	90
PID 3588 wrote to memory of 1220	3588	Nnneknob.exe	91
PID 3588 wrote to memory of 1220	3588	Nnneknob.exe	91
PID 3588 wrote to memory of 1220	3588	Nnneknob.exe	91
PID 1220 wrote to memory of 4884	1220	Ndhmhh32.exe	93
PID 1220 wrote to memory of 4884	1220	Ndhmhh32.exe	93
PID 1220 wrote to memory of 4884	1220	Ndhmhh32.exe	93
PID 4884 wrote to memory of 760	4884	Njefqo32.exe	94
PID 4884 wrote to memory of 760	4884	Njefqo32.exe	94
PID 4884 wrote to memory of 760	4884	Njefqo32.exe	94
PID 760 wrote to memory of 4348	760	Oponmilc.exe	95
PID 760 wrote to memory of 4348	760	Oponmilc.exe	95
PID 760 wrote to memory of 4348	760	Oponmilc.exe	95
PID 4348 wrote to memory of 3876	4348	Ocnjidkf.exe	96
PID 4348 wrote to memory of 3876	4348	Ocnjidkf.exe	96
PID 4348 wrote to memory of 3876	4348	Ocnjidkf.exe	96
PID 3876 wrote to memory of 4780	3876	Ojgbfocc.exe	97
PID 3876 wrote to memory of 4780	3876	Ojgbfocc.exe	97
PID 3876 wrote to memory of 4780	3876	Ojgbfocc.exe	97
PID 4780 wrote to memory of 3380	4780	Olfobjbg.exe	98
PID 4780 wrote to memory of 3380	4780	Olfobjbg.exe	98
PID 4780 wrote to memory of 3380	4780	Olfobjbg.exe	98
PID 3380 wrote to memory of 2824	3380	Ocpgod32.exe	99
PID 3380 wrote to memory of 2824	3380	Ocpgod32.exe	99
PID 3380 wrote to memory of 2824	3380	Ocpgod32.exe	99
PID 2824 wrote to memory of 3540	2824	Ojjolnaq.exe	101
PID 2824 wrote to memory of 3540	2824	Ojjolnaq.exe	101
PID 2824 wrote to memory of 3540	2824	Ojjolnaq.exe	101
PID 3540 wrote to memory of 1336	3540	Olhlhjpd.exe	102
PID 3540 wrote to memory of 1336	3540	Olhlhjpd.exe	102
PID 3540 wrote to memory of 1336	3540	Olhlhjpd.exe	102
PID 1336 wrote to memory of 4768	1336	Ocbddc32.exe	103
PID 1336 wrote to memory of 4768	1336	Ocbddc32.exe	103
PID 1336 wrote to memory of 4768	1336	Ocbddc32.exe	103
PID 4768 wrote to memory of 4384	4768	Ofqpqo32.exe	104
PID 4768 wrote to memory of 4384	4768	Ofqpqo32.exe	104
PID 4768 wrote to memory of 4384	4768	Ofqpqo32.exe	104
PID 4384 wrote to memory of 1488	4384	Olkhmi32.exe	105
PID 4384 wrote to memory of 1488	4384	Olkhmi32.exe	105
PID 4384 wrote to memory of 1488	4384	Olkhmi32.exe	105
PID 1488 wrote to memory of 1756	1488	Odapnf32.exe	106
PID 1488 wrote to memory of 1756	1488	Odapnf32.exe	106
PID 1488 wrote to memory of 1756	1488	Odapnf32.exe	106
PID 1756 wrote to memory of 400	1756	Ojoign32.exe	107

C:\Users\Admin\AppData\Local\Temp\abd2684847a5e24d54ce09278367ddf0N.exe
"C:\Users\Admin\AppData\Local\Temp\abd2684847a5e24d54ce09278367ddf0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\Nphhmj32.exe
  C:\Windows\system32\Nphhmj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Ncfdie32.exe
    C:\Windows\system32\Ncfdie32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\Njqmepik.exe
      C:\Windows\system32\Njqmepik.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        38⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:224
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        71⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        77⤵
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        78⤵
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        93⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        103⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 216
        104⤵
        Program crash
        
        PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5800 -ip 5800
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
128KB

MD5
0a80e97b9e1b81481b403a2daeb14cd9

SHA1
f28622fbea4ed540021cc75604b236d1f2b9b11d

SHA256
7648da70ed8e1a0053a301f79e86d917a9b3900de1418bdcefb410e528a0989b

SHA512
5f20b0ed1fabd647b69c1e24ca581771c942ecf640877ac068ce6724e3492df1bf396395b353f6b3efeee0fcc7b8d4b717b271696574c2f1d08c346883842358

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
128KB

MD5
f0ba8aa12fd2455b4de8e87f31ea183c

SHA1
0ba2f009a0884258401b8730869cf3fd112e6458

SHA256
82777097d2f5aea0158cbafae17a538b32e9eda9f1b9b5d617ba7ea16af6e693

SHA512
dc5e9fe942c34224f1499e14fed48c43f57fda4c9663ae73b3fd335c4eb9574ec6aac9865cf1fb91ffbb61c028a265710060b473fd5e235aae9e6243fc121545

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
128KB

MD5
fb85c60c98347d26d0b734a4d823150e

SHA1
2f5b349ec5fb14180741b2a4c697ae7b8dbc11bf

SHA256
da3e4c05b9e70ca36c7e7e5efa75e788ee41994894cc163ef027cc880c90aeec

SHA512
9b88b80b533e9f229d1d9196d1b4cdad1a9bf3b2a93b772b2e38826c546cb416d5e7a2e272eaba99ced4904780ff613ee9498161c3cb7f2525c5783c0d9e2c49

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
128KB

MD5
16ab8d2b83a88d990ad9b09ea0ce1f59

SHA1
fa057379d43c41afbd33b4c6bc0b6128897e653c

SHA256
330a39bf7cba78fa3081fefa2ff65cc4270006ed5d0d52ddd71a2922316ca50d

SHA512
aef847bf985164bdd933f05cd6506d5d0056c81212d39d5f855333e48333389e1e6eda25ed3a8f4463cc23989ef1a2d79c0845f3f6e9f74984179f398632a98b

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
128KB

MD5
740893cb7057b92a40b998234e306572

SHA1
9f4f0cf21548c1866b9b87b85e7b52a7ebb338d8

SHA256
8815e86bc3358cb52ae550081da98a68819a2c0ca762d815633a5e8aa5a57425

SHA512
311610ddff14bb438f6cf5f97afe9102374e1e64c86f4fca0d13c1a5bc4add175f10af8a30cc52f0523fed19a3acc9aec66657e43d59e17b840459f6968a221e

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
128KB

MD5
6f010bf20ad2cdcf67d75a88c4dd1b59

SHA1
c913e980d88e57499ce876423fda65cba491f77e

SHA256
565d6b10c6baef3204c0d1c44b963e688054be1681171bac7b411c7903bd5e72

SHA512
bff22e86b012561a2f320e4a422f4ec881ba8f8f40bad9d375863d45f3e55cfa3a88bccc6c2dd312e19c2c7d5a788d339ef1331f25292c5be28e884a403ec764

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
128KB

MD5
ab25293656e433bb000a1a3b2bcb8642

SHA1
b840719efc179d2f3db9b392bba11f0240cf19f7

SHA256
d567738d77bfb39914794bd936149181c64dcfcc1066fa29fd46f14c8002ff25

SHA512
ef1fc36003d899ad0e822c88a40fded5b81eab1d715cc01cc94a0e81bbcff3f4fb155893d547a133f8c1ba4827b664fc2392e822331ba3c2530620aa89cb50f9

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
128KB

MD5
13d300d011e29caf2878fc30959801fb

SHA1
a6844cad532ae657f185c08d6bf971ef93e5c540

SHA256
6ad707dbdeaf013346265efd3fe59b7f160f764a8e0726ea35daa61cc9e04dae

SHA512
56c26a520b28b236624adf43c292e35851fe1c48f8c33ea233824fd650ab3bdd6d2bddd8cc0fd30c2ba6e0f88bba9107eaab73a4d8c97315b852f70fdefe8a06

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
128KB

MD5
021fce98b6b4d0d2b894ec5aac8cc868

SHA1
412a4153406635cbad220b67cfd09b0553b9ec07

SHA256
bec6d701102f4082ae1425045d1ca15a51eee7e7603bae2fbb3806959ab032a7

SHA512
6fe2a61e030509d6af6b26e80a79c56d83a31b6c8ef695fe4d5d9aa74754690f15c95e2c9f9335df818f6044cf0aaf44b479f17afe19f38a79427c4c827d210c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
128KB

MD5
573cc2e1871e9a86c9a52aa66486e7f2

SHA1
cad2a9dc28fbe751cc1e07f567ba98eec53bb79d

SHA256
f67c9b2b982a38aac0f1feb6999aa0cbde9ce315b115ca278ad31a409513f533

SHA512
a6be0508861d584883b624bca6da52dfbe5e6237d14dea11ca11780101c2e9fce18937600f932b91b8a8f7b909b77307ce22935f5ad6d0d8c3e15f14ae01b6dd

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
128KB

MD5
9ad6127903537a6f5cf409da40ae1b02

SHA1
e28010655746f1854b05a0056aaf0e95faa59cc5

SHA256
1879773e982f69624b809a59032c583b9858e750e0f5547cab3265fbdba4c671

SHA512
e5d9ffdac80fc008be13681deb0dd4ea00c9eadf178146a45abd821a51c8de264318089eeced4119c90a70a304c2a531803420cae1d70dd5caa68c125f34e427

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
494532f2a3f4728bc14a8f49a69f7edd

SHA1
092697bd95c417d2cbc3b2866045f989f0b844aa

SHA256
ec6a8d37627fd1e35192470b1938003911c437e2819d91dbd0c73e3c62b6b615

SHA512
3a29344f2ac6b39dff7a0deb5adf209701a8d819227ce6012f3d0aed92e5f0ee489930ebeb6b5cb710934561a8ff2663d566ec951e8f381a2a03ee5a389e361b

Download Submit
C:\Windows\SysWOW64\Hddeok32.dll

Filesize
7KB

MD5
d30a51174ffd63f3e52a7b1df1de4af5

SHA1
0699ee18da66174cdab0cbb9d91444240afcb2de

SHA256
6a61de951794e6f67d4603a6ff7f8419ea26fe20938c9c918a6f526acc691dbd

SHA512
1da4bc7e38ff3cb984c5d3c5755b6478c4ad70d52ee6536a5627dcbf1121361e331ad1e785255783eae7a1b10c1597f85e869fcd621b60adeefe9677b6763acf

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
128KB

MD5
985ab86056808cd40e436a982ef7da37

SHA1
b120fc8f3de0fc4349c2dbfea8579d89e408390a

SHA256
3259d2f8ee0963aeba9872065731b71a9286385e0ce4a5bc6f2151e83c308edb

SHA512
dc3c2e23e1fee81f13d4f00cde9fba2e284ac3ba8f99b21d6b1e432d255ac3739f5603254d50fa51f8efc5c3e2bf17a702c9a29fac84a8bfeeee7e65089e5772

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
f55ee31caa6b143eb440969f985f2cb0

SHA1
cc85c50a5fd7d211350eed45dcedeb332a363dfa

SHA256
43ba1e8c80a95d6bf09892a9b29af418509a5dd184bb0077b55e505cba585a83

SHA512
610d2bea71df4dd4b8cf8802c5acf2d6f830772b57be4ca18eb03d889b1f7e3dde4a6d6f85bb12eccbf32fa947b4d906ef6835a55ff4c22e9cf2a731fcf491aa

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
128KB

MD5
36a3ff81b75284a965a6c6553ee11f75

SHA1
635ffdb07bef2719660f32d9983985a8675e6365

SHA256
289159b659d5e9cc500a6784b596f8ed7bb4ddc87ae52f751f0f7b7bdf7cf45c

SHA512
ae498c4912bf16d4c162e268ec0d8af704e10ed98739c8fa731b2195318d1cb4e01ef0d94efd063bd431ce89a74df3b2ba6b6ff5834e7a23693fc91fa41fcf80

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
128KB

MD5
a2c0976a6015158f13102204c843ae61

SHA1
cd9b7a4795cc2b742d345c985fbd22bc79c32d14

SHA256
d0346c21bf7f266ea45cc43ae44d4d30f0b58b4c736fb1cea1e18668f7e2b35b

SHA512
f09d6a31e803397611f32288e622767100cbcc6bf0a30044626aaa44d63af6c3e9c174f84c1e4e9ac1c18a757e09f7ba332d7e555cfcc7a922119fedb7c424c1

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
128KB

MD5
c293c124d1dc93a08ef01f49727f1eed

SHA1
0bc489acfad2df0337e32ddc4dfe4b743234f71a

SHA256
8c971ee5f2a213ec43e50d0a5cb565ab36c3197081808a527ff5df7a1e3bdd26

SHA512
da35b91a1c00b4ed61148e1fbb0c46b33171da645e876222016e8265428669371649419ae846472171f9d458a690949b0d8cd91dac03a4e654604692a7dd6063

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
128KB

MD5
8c5dcfbac9f1ec8210c8985dae4ad123

SHA1
f297f247de2ab6f05f9864d3f76dda5794da9e2f

SHA256
a6e3fca52a14f455b6833721345d0f21af5bd6acc22cf4265fe3d29b2dcc015c

SHA512
d0186498bd3a7bbc0a8bac13f972868b91fdc46194f385e5d4f0fc5a390d57e5813be2bbd2765d79f910b8e4ed053c50bbbc740f4b519fff13a0f94cae837623

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
128KB

MD5
1a86d0eb16d5c030ef904f2f0fcd6405

SHA1
39da2654066f26ef96596c149fd43c35548d823f

SHA256
94ef5df13976b6c0aab9ab2fabfdf9a388c6967002d7d643b8729f0cbca1302d

SHA512
c6f113e5974fcc5b391d69952a084e31be349662d78e878a09c302e1a6a1f6de3c7a575967e93a5ee6bc198538fe0b43bec5048fcc82a96bc71c0e16c8aedeba

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
128KB

MD5
3aff5b817dcdd1280c7dc73a513249df

SHA1
d3ab0faef554a7a246219a6b70e5cbca16632823

SHA256
eb537ffcd4631b45a9f7483cd686dada3b317e0795ca2b9aef1ad2df3cdfa898

SHA512
2419e6178237f9cfcfd151bb9059196bb3b2381c2f048054fe2b7d1e806ccf3663a49ded7b552d63781943766c1b05565f14801699a66e3e12fe081a153a642a

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
128KB

MD5
978b31dc5ba3e3fb71e56a7735934d3e

SHA1
09b98ecf05a8b16282b04cb0d9c6e264eb578b32

SHA256
6dc7d2661c7f9569793d155ed07fd12fe11dc05549820268568f07ddb6b0d44d

SHA512
2937c06c3f5b9888ec19a8df8ef448979bc538b345641d7e84ad6c58bb3781cc1c3d5a82366143098bdb6ecff023f264f49679fd30b478e9fcd2b298e6902de0

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
128KB

MD5
c87ddbc8343894e8700fb5e331cb98bb

SHA1
14c16c750405b45d66f801288f81459ddae2b0c6

SHA256
20771a15fd88f4ab0044f7e41219c5bee6cafdb0419c93c8d048d181380229d9

SHA512
90ba2d2ec22871ffed9c70833bc66afa79286698a921ecf121c261c430ddb8aa0e0cd3b4717d74816062fd58416f820a8811c9bb2536c8576c71e8f12bcdbb7e

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
128KB

MD5
b05f639432b1b6ee7616ef39766d02f0

SHA1
40a699251621ab0e06fe0ce485d3f776c0a1ea34

SHA256
3c23fa49f55fccf77d26c22eee212347a6abeaf3c45e507f3511a44bd9c6c445

SHA512
6ad3163e139041a71e708464e7c357b0fefa9bbcfebd19be4a96a28b676418f91b3e0d81d71fc00532d7c2f66e6306de9e8d0701e42b2e1090843112f04f2f86

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
128KB

MD5
55e04573d8d99f19f5500bb8bcdc5520

SHA1
bae90059636f04913cfad1345c5178dbcb42f3ab

SHA256
6898f480da75d499c3e08fd07805469cd3151986eaee681527fe0a2814ee4279

SHA512
85152a155557be187c8758578b65c6866b883ef868167906a33a73956177beae750eb7e49f8d4a1a622ed8c39285d067ff2ce869e997325187a8647680170f00

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
128KB

MD5
834cf4b61f7b4ec863784b844abbbab1

SHA1
190ebde83c021f22c89298f44421d1a146e5d2fd

SHA256
33d4d33ea4c4993db15bc1df26c58120c027e1de4a831c284be7e556fc087e75

SHA512
4f5efc5d96432c39823634e157eebbb67103c6825e83b2a567c91c96ac46075092bed4ec59885e17da240537d46d092409223f830fada059dd624e27c5a2793a

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
128KB

MD5
4c3f75fbc8d687341e7d10a0d3ace116

SHA1
ab1e534f67a04a638951feb8bc45f877598478fa

SHA256
c62e5e074f60e08aaad9b46e94636064e68c54f59bcf173845e424fb0c7c798e

SHA512
1a1240fd973d73d394b12bf9b68c6faa8b5b25ff1f75d9bec4aaad158af9923f0af88ea47a2de1907d07fb1f75365a1721c19e5d91f81be56b76607df0444823

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
128KB

MD5
b00244eaf947cc062257b035f28132c6

SHA1
e62753521c66647314c4742567e5a8aef86c75a2

SHA256
4ca3301405f88bed6073ec2d319dce8f15caf2e90cbcccd67164dacbf423a398

SHA512
cacc9ac7870d32c0b0a0013512cc80a463f16e9822bbd21e78ed37c3af32cf910a5ea118d14318929de1ca61ac75b382356999b56f300796e98e4818da60e914

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
128KB

MD5
c2448ac9c57e31b50a36da163ecf090b

SHA1
d058272f012d2b9b5149928e75618349c4f3a612

SHA256
f8575987f797be6fbacaa925a849f4cadff9dbb25f9e7e921649026f25973a11

SHA512
011019effbedae0d6c1838d52927c67afdad3cfd4cdac5040152856a18b59f4e13e6a965979a8f9074d6efd8d1cd025d86ed447a8e3c101b5e77529dabd02963

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
128KB

MD5
8100549b777e4adc2cebc936967977d5

SHA1
485083461dc66485f056194209bdaac68b43e029

SHA256
86fbbe2e9cb75219c5b5deb347320fb5613d0e832649948a02f4a54e2acb54e5

SHA512
0496b109979dc2eca9b88a49839c651b7a5fbd5030a35e4257c948af395feeb0ad6c8846811bc3f226c20b57517872710196e872ea0d612f660b9d2fd90ac3a2

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
128KB

MD5
e7edbe47b4c5c8c168f3b16d4cb2c1a0

SHA1
0a90314e41bf77046b40bc4291167f197ecbbb79

SHA256
5e39a4260610e1d8b5d1b08e0b41f49e15f67e194e6be06813aebb3dd5af332e

SHA512
4bcce6278b125bfc5b9ce64d67fc49a28eeae62620ecfc68693d4ae02863d577e13c23b188cee4d8e57c495f92bff862dda831598fa95a407deaee2d00fc3af0

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
128KB

MD5
a976d46097f06ff664224e6d2e6eface

SHA1
97ee4542403c00e147f619876a246dd0e30feaf0

SHA256
9175da8c38664a1c3da347fe8b56dd7c2b48a0caa91afec276bb4219c8b258d9

SHA512
66be870b7addaa81eaf9b2df0d58715514be5752f92bebbcf492908dfaa9fb69ef6cff7e1214462ea6363afd2a1ffdfe4b4aaff44d1ae89fef344009d7aaca49

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
128KB

MD5
0511b0d971f0171edf3c6d995c857c62

SHA1
bb6fbe4e0158099782f8f3e33e20b9669cb24536

SHA256
21c4d1f0486a2b93e4a05b54ba2632007d71558d317ef26e28d64911fb3392e3

SHA512
c93ea56b247d532dbb9c1490135862d21909edd2a837518ed300f30b1d3a7afd76ae52342873b688afcb4e4a4826ede64ee1ab1e646b9a75eda858876ebc83b8

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
128KB

MD5
3e1531acb10a17762bb1f3f352bbbf68

SHA1
1122ede38cee70adbef45ead66ae7c2318d11316

SHA256
280bf480e1d6f33b27197a387f3d6f0a1612435ed120e6a64b162f90e1750fa0

SHA512
577ba28480b57a1172eacc324793b67466d33e6523ff02a823747a18ba0551722e043af7ee70c445b2b0579bb385697965df02b32a359255fdb5ccb751a62ca0

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
f48ddaa8feb54ed50cc5b87e7697199d

SHA1
722e812e0077aecfa0d8d59a5b74f7f28ad7817d

SHA256
06669284a753e32c596d78b1726b062e49f1717be20fcbbdbc96e98bd8e895d9

SHA512
344d4d92dc3a703f5bc980f4db38e63cdcc56ebd6010e54e78e636d6a304622b6bea485a5c1309a7728b7b2f0bd5d1d36cd4bf548a625575afd6069ab81d8ff4

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
128KB

MD5
d55c3d0de66da8e20ae98ea6ba9cf0fb

SHA1
e6f27cfbddb19ad3a758ed85b2807e282e797983

SHA256
ca26edca95024dc609699e5b36d44348faff7da07ef439b6f9ab2238031760b4

SHA512
3bc2775fa3590d11e7db9c17fda1a27f99ba87ff6174281af182a25c105267fdf4f008858474809901e281622dd79f0b602ef7e34694535de705b3a391774c3c

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
128KB

MD5
35fbed7de2ab1d0f86cf43c6f79bc3fa

SHA1
ef1044ff80208c67e5eab05d94a7f0bc940321dd

SHA256
24a4148088ba8e6efb679f039582005810882631e996bde10c760e3b66aef9f7

SHA512
f63f78053ca2caafb8a8094df7476ba18ff4ea5d422e10a83c1afe1ab274cfa37bbe6149e60870123791368343a2ae6b3aac30c56ae20fb6c57180730818610d

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
128KB

MD5
cc7751e06c5e0dc7ff3027be0c101999

SHA1
09e937dff8e184c5eece3e9292d97610c15686a9

SHA256
086b5018a2af6b45b9ff8666adf63ba739b7bc1777d33e54d56e5d4fb91029e1

SHA512
a610359ba64abbe52d4cfe1533a263d984750e3f0f340e2e0b2c9e9b288c1253fcb5776b591fedaf78c8a7a9dd097af2977e79c18e510d951f24ce6c35db5100

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
128KB

MD5
293db063be19959cd319087252a4533c

SHA1
a2bb39b853f13e9ca02112b7433bf6c1318b7450

SHA256
a953c9e6844f048522ce7de750ff9f314ab4e25bd81851c9776ca79d3fc30dd8

SHA512
84223662a0c99c4d90be9d9afb51dead86656c9f66b692c25cec7b824df366a74618b5e3358fe3bb7b6811a1643668c8f6742076d14552d88b852b9c8847dd3a

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
128KB

MD5
9f968254880e22d4f29979029e616be0

SHA1
5992d4282582d9f608ccea88779665ebe5e8a4c9

SHA256
91feaba00d37c35a46c88d780a9e8f5856a2e779dea504516bf0c9b6e4720966

SHA512
8b81071dc64e40cc1d9515ad10e266a5b726624d57ec1933699c57c6f046b446fccf5b1cfdf901706b67812a136b981f29ef6bf75db13cc004361670a0bbe60e

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
128KB

MD5
8e4da81a6c6d6557e7ac68bcbc923e74

SHA1
73188d1650c0674dc2625b01879afcf713a519a2

SHA256
3e70aec2083756a7874e8121360bd0dc1df94e6565c03ef38a120a7b8aa26410

SHA512
d9d88966dd3f09a6bffa558464140faa1e438b900268cc2d0a50564313a78a67d1326e9426df8c77f726878531aaa23dedd82ed5da98bb47ce5efb745f16d4ec

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
128KB

MD5
1e461eaf7dee4cc620f9b13332ff642e

SHA1
5bdf69b07578861885b6d364451efd4120db373b

SHA256
6ccede87f98d8424027cadab0dd5e28e0ab1f63717b6e1d3e1702b0a0701f5be

SHA512
3a3c2c1c090215467a9ebe52728d9ca3f91bc84ef11f89a2b1991c5b6a6b95b5aaa40728e2c31bd7bc8745321cc425d07e7739460b54be59700f074abf9b8abe

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
128KB

MD5
02e294fd6dc3e1a8b1674f2207b45e7d

SHA1
66df77ce35d10ab82f56eb602cd6165288062b7f

SHA256
7f5c44dcc74fb587d4aa8659540a1a6c41e2172a5ec7b6e023372dcdae86053c

SHA512
2708d85d65a2f4b7ca3d19e13498a444d0790b580f93c6d5394773b3524607e0b30faafae1a875338661e57c4b9d474e9ebc95ed986873b73c7be4d39b987f3f

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
128KB

MD5
6ab6ee6a9f7776e33970bdc4a492baf7

SHA1
e61be2de09faa7d2e1b959bacefc6eee60607faf

SHA256
693bece988cf60634f11ff71ab25ca9e01e0a041dbb72b28c35755e1b4806a2d

SHA512
ed30df8e78f314d305098919d3d82056682b4a12397ad974c57531971ce50ac2660bedeee710536f7e36bbd3d727f1419c7e58c24c17d870ef77ad6e7520de28

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
128KB

MD5
c05e3c228f42d51127b38447347deed0

SHA1
476b416f5696a537a7257aace5ce5b7bb722bbe6

SHA256
603007c7db848c664f6aa7a76c033d18ff5fd0bc8e607ba0c11c378e8ff9f70b

SHA512
344f90bf6c2bbfb24d949b5bb871b25cfb94b1aed30fd1ebc3648074330e7aa4dd57534d8dae4a5072911f1aed85c4a95a7a5fa7952962c00cece7f6c44342b8

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
128KB

MD5
c2aadb47994d26630581f044eb5797fd

SHA1
1a69cb9ec7492dd420d3b8d8604ccdb6afcdaee2

SHA256
332efd020664c387bdf796a1f8176d238becbd0284fac61fd1927027cdca7fd7

SHA512
df5de8821864f697b65ac877b9bbe15e48d6307ac16f145ec6efb06430bc6f959426b45bdef37a6456e06083e9913a035dfdb9c1456d811868f3fc616bfeb8ba

Download Submit
memory/224-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads