fbd80b375c07f70f089a6beb6613727aabb05c4865b8f260e1a79998235c896a

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561659aba0ba2224e540cb23a1f56430N.exe
Size

80KB
MD5

561659aba0ba2224e540cb23a1f56430
SHA1

4c50f66edb91689da1f25e9d620fc5adf281a580
SHA256

fbd80b375c07f70f089a6beb6613727aabb05c4865b8f260e1a79998235c896a
SHA512

b099098d502cf9f98594d3df4dd22026456d33257750154e6a96748e9e490204dc5849fd2334d02d16504706c340c4235b67ea0d7f8f8dac7e7b244964020bc5
SSDEEP

1536:bhfrHN4z11XcjcPJe/Z2LfS5DUHRbPa9b6i+sIk:bdrMOjOo/SfS5DSCopsIk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	561659aba0ba2224e540cb23a1f56430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe

Executes dropped EXE 64 IoCs

pid	Process
3344	Nnlhfn32.exe
976	Npjebj32.exe
432	Ngdmod32.exe
1792	Njciko32.exe
2312	Nlaegk32.exe
5108	Ndhmhh32.exe
2528	Nggjdc32.exe
3264	Nnqbanmo.exe
3616	Oponmilc.exe
1728	Ogifjcdp.exe
2628	Oncofm32.exe
4212	Opakbi32.exe
1880	Ocpgod32.exe
2192	Ojjolnaq.exe
3232	Opdghh32.exe
3048	Ognpebpj.exe
1908	Olkhmi32.exe
780	Ogpmjb32.exe
3036	Olmeci32.exe
4672	Oqhacgdh.exe
3528	Ogbipa32.exe
3648	Ojaelm32.exe
4100	Pqknig32.exe
4784	Pfhfan32.exe
3544	Pnonbk32.exe
2876	Pmannhhj.exe
2652	Pdifoehl.exe
4488	Pfjcgn32.exe
4452	Pnakhkol.exe
4744	Pcncpbmd.exe
4596	Pjhlml32.exe
2892	Pqbdjfln.exe
2472	Pgllfp32.exe
3460	Pjjhbl32.exe
3292	Pmidog32.exe
3884	Pdpmpdbd.exe
1888	Pcbmka32.exe
4244	Pfaigm32.exe
568	Qmkadgpo.exe
2460	Qqfmde32.exe
4260	Qceiaa32.exe
1864	Qfcfml32.exe
2168	Qmmnjfnl.exe
4208	Qddfkd32.exe
564	Qcgffqei.exe
3900	Ajanck32.exe
2316	Ampkof32.exe
3756	Adgbpc32.exe
324	Acjclpcf.exe
4372	Afhohlbj.exe
3016	Ambgef32.exe
3284	Aeiofcji.exe
3664	Aclpap32.exe
2388	Ajfhnjhq.exe
2224	Amddjegd.exe
2272	Aeklkchg.exe
4908	Agjhgngj.exe
4272	Ajhddjfn.exe
2660	Andqdh32.exe
3028	Amgapeea.exe
4552	Acqimo32.exe
5064	Ajkaii32.exe
2984	Aepefb32.exe
1012	Accfbokl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	561659aba0ba2224e540cb23a1f56430N.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5836	5688	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561659aba0ba2224e540cb23a1f56430N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	561659aba0ba2224e540cb23a1f56430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	561659aba0ba2224e540cb23a1f56430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	561659aba0ba2224e540cb23a1f56430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3344	2456	561659aba0ba2224e540cb23a1f56430N.exe	84
PID 2456 wrote to memory of 3344	2456	561659aba0ba2224e540cb23a1f56430N.exe	84
PID 2456 wrote to memory of 3344	2456	561659aba0ba2224e540cb23a1f56430N.exe	84
PID 3344 wrote to memory of 976	3344	Nnlhfn32.exe	85
PID 3344 wrote to memory of 976	3344	Nnlhfn32.exe	85
PID 3344 wrote to memory of 976	3344	Nnlhfn32.exe	85
PID 976 wrote to memory of 432	976	Npjebj32.exe	86
PID 976 wrote to memory of 432	976	Npjebj32.exe	86
PID 976 wrote to memory of 432	976	Npjebj32.exe	86
PID 432 wrote to memory of 1792	432	Ngdmod32.exe	87
PID 432 wrote to memory of 1792	432	Ngdmod32.exe	87
PID 432 wrote to memory of 1792	432	Ngdmod32.exe	87
PID 1792 wrote to memory of 2312	1792	Njciko32.exe	88
PID 1792 wrote to memory of 2312	1792	Njciko32.exe	88
PID 1792 wrote to memory of 2312	1792	Njciko32.exe	88
PID 2312 wrote to memory of 5108	2312	Nlaegk32.exe	89
PID 2312 wrote to memory of 5108	2312	Nlaegk32.exe	89
PID 2312 wrote to memory of 5108	2312	Nlaegk32.exe	89
PID 5108 wrote to memory of 2528	5108	Ndhmhh32.exe	90
PID 5108 wrote to memory of 2528	5108	Ndhmhh32.exe	90
PID 5108 wrote to memory of 2528	5108	Ndhmhh32.exe	90
PID 2528 wrote to memory of 3264	2528	Nggjdc32.exe	91
PID 2528 wrote to memory of 3264	2528	Nggjdc32.exe	91
PID 2528 wrote to memory of 3264	2528	Nggjdc32.exe	91
PID 3264 wrote to memory of 3616	3264	Nnqbanmo.exe	92
PID 3264 wrote to memory of 3616	3264	Nnqbanmo.exe	92
PID 3264 wrote to memory of 3616	3264	Nnqbanmo.exe	92
PID 3616 wrote to memory of 1728	3616	Oponmilc.exe	93
PID 3616 wrote to memory of 1728	3616	Oponmilc.exe	93
PID 3616 wrote to memory of 1728	3616	Oponmilc.exe	93
PID 1728 wrote to memory of 2628	1728	Ogifjcdp.exe	94
PID 1728 wrote to memory of 2628	1728	Ogifjcdp.exe	94
PID 1728 wrote to memory of 2628	1728	Ogifjcdp.exe	94
PID 2628 wrote to memory of 4212	2628	Oncofm32.exe	95
PID 2628 wrote to memory of 4212	2628	Oncofm32.exe	95
PID 2628 wrote to memory of 4212	2628	Oncofm32.exe	95
PID 4212 wrote to memory of 1880	4212	Opakbi32.exe	96
PID 4212 wrote to memory of 1880	4212	Opakbi32.exe	96
PID 4212 wrote to memory of 1880	4212	Opakbi32.exe	96
PID 1880 wrote to memory of 2192	1880	Ocpgod32.exe	97
PID 1880 wrote to memory of 2192	1880	Ocpgod32.exe	97
PID 1880 wrote to memory of 2192	1880	Ocpgod32.exe	97
PID 2192 wrote to memory of 3232	2192	Ojjolnaq.exe	99
PID 2192 wrote to memory of 3232	2192	Ojjolnaq.exe	99
PID 2192 wrote to memory of 3232	2192	Ojjolnaq.exe	99
PID 3232 wrote to memory of 3048	3232	Opdghh32.exe	100
PID 3232 wrote to memory of 3048	3232	Opdghh32.exe	100
PID 3232 wrote to memory of 3048	3232	Opdghh32.exe	100
PID 3048 wrote to memory of 1908	3048	Ognpebpj.exe	102
PID 3048 wrote to memory of 1908	3048	Ognpebpj.exe	102
PID 3048 wrote to memory of 1908	3048	Ognpebpj.exe	102
PID 1908 wrote to memory of 780	1908	Olkhmi32.exe	103
PID 1908 wrote to memory of 780	1908	Olkhmi32.exe	103
PID 1908 wrote to memory of 780	1908	Olkhmi32.exe	103
PID 780 wrote to memory of 3036	780	Ogpmjb32.exe	104
PID 780 wrote to memory of 3036	780	Ogpmjb32.exe	104
PID 780 wrote to memory of 3036	780	Ogpmjb32.exe	104
PID 3036 wrote to memory of 4672	3036	Olmeci32.exe	106
PID 3036 wrote to memory of 4672	3036	Olmeci32.exe	106
PID 3036 wrote to memory of 4672	3036	Olmeci32.exe	106
PID 4672 wrote to memory of 3528	4672	Oqhacgdh.exe	107
PID 4672 wrote to memory of 3528	4672	Oqhacgdh.exe	107
PID 4672 wrote to memory of 3528	4672	Oqhacgdh.exe	107
PID 3528 wrote to memory of 3648	3528	Ogbipa32.exe	108

C:\Users\Admin\AppData\Local\Temp\561659aba0ba2224e540cb23a1f56430N.exe
"C:\Users\Admin\AppData\Local\Temp\561659aba0ba2224e540cb23a1f56430N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\Nnlhfn32.exe
  C:\Windows\system32\Nnlhfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        40⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        45⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        47⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        51⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        55⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        56⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        66⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        68⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        86⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        87⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        92⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        93⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        96⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        99⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        106⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        108⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        112⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        113⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 404
        117⤵
        Program crash
        
        PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5688 -ip 5688
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
80KB

MD5
e84cc8ecfe6030d9d713444d78701a3c

SHA1
7d71c2515f25ed63c685661735173579f2758031

SHA256
c82f7d14152b5bb0c3b8ba18e3670cd774adab1fd4b6c7be595623c446e8c155

SHA512
70ccfe91d342f66245eca7a33b1a415193894ba63e1c6743ffdfce82569d04cb887f8a2d8c23b1ec22304486ca2633047b653cc3cc1ccbfe3f6c636258603eb9

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
80KB

MD5
d97924afe132e9962ca509cb10f02fec

SHA1
2c115acf165802c7e7e38e540b160161cb8fe9f0

SHA256
73af5b28acc61f6a33c1905034ac82b8f0d440c164753a20a93378e9705a35a7

SHA512
105f416ba5ee9ad7b5b091d999b62807cf83c13eda36ef8f8a8401e817d003e9352557615f87af5eb9b665f52a209bbeaa63b995ee5d9bb0adc61e09d1b7d945

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
80KB

MD5
6a4c2b8bb60cef0086e8c93a1b5a006c

SHA1
0980fdfb2901353508d0dff7aa5d2f374eebcc45

SHA256
1f2f83135f5a6111bdaeb54f380d5830ae1bf894b1a20947dbe690ab2e1ab27d

SHA512
311defe8518b5bad8e89908f4d678c0cc90039c7cc5313e1265dadf654cef7621bb0306dc1b373d67ea4d9a46bb2563fd361ebca49cae70ba6fb2d3346d63d39

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
80KB

MD5
2c06715a7b832c8ecdf2611cc003e9ba

SHA1
fab71b79bf74db7bd639a0fd20a8c8eef0087aa3

SHA256
b6844b4853645bab1b57fd34a758d6af9d6edeb2be459642bfd1d028db2481ba

SHA512
150ae2ca92070872ae35365b3466a17099c009c4c21ecc5ceab54acfb650a59c085645c3902dbb8efca971c16219e8efe3868a6e4440af886cc1e7637b6cace8

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
38674a2144d4c93882ff6773cc9d15dd

SHA1
315466c556b8b195ce893000823fb46cf8fbdb4e

SHA256
9c71165d69d38a7423f61662609b01af1d1bc2ede9ea5300391dd160a353e179

SHA512
f5bc5de316face925c07e1ca0c18a71e413866243173116cd297a7b7e048b240bfa80d2f2e7c7acf522af676879ea395cda3a0ed264e0589d9de270053f336d1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
80KB

MD5
da32ea3b2bc04bdff43c2bb618e8179f

SHA1
c7f8439a547600dc6ec4ffe2b7ef784f4ca81049

SHA256
cc3518177d2781c3ebc4b744dbcfde20613d7ab07ff268bb01ae8f38b8b330ea

SHA512
8e9d0ba73c1870fba4b93d1bfb0828a05942994b6d1a2cad2865bf05905538eb0637c52a13e6025891c5055040206cb7c777eb1ec65732a4795a2dd8890bcb96

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
80KB

MD5
604cb80166c48ea15c60c4e1fb834403

SHA1
7b8110b56c8fe6e11534bdbaf8a5f14a3d3384c6

SHA256
72e1a7261a4fa4e8ecd30cb8c1a51e65ead61c9d8512452ee3caa2c311c28042

SHA512
7330631522a1a84551789fe640b88f76fe8442c513f66d3f1679ab9f247c6f35fa4dd10b47611895f0db92ce640add2cb64abc4f1853ec4c20fce796240ff27f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
80KB

MD5
83dd025430bb0b0cf51a5f771358ef64

SHA1
cbc6326d7f74a95872ee579a11077f6c3ae9ee2f

SHA256
2d2a9316e6f2686cc052d045400f93e7c53d056448a3be4c1dbb0e69f73cd353

SHA512
42db4c173129b909b9c868a1c3e561dc41056c3ccad3c38896fc45605c8660b8237068d28380fee2138c8a420288c94f62be2dfdfc8ce15aae77891c0d9d83ac

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
80KB

MD5
421864e2a47a65ec23b89ca281b15f63

SHA1
1fab14f7c65fc1438391604535d29bffa0060835

SHA256
0d6dbe7acd2118aeda24cbc65af992a64552031cd9b316281e10299cd22b24e7

SHA512
40bc3297c7ae7893a78f35e12d0a74b4f0dbd63acf17e0833938782e9636978733178f04e07f5668efca2b8d39d14c359e188c7d9992f6c5ed4e14d71a79f537

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
80KB

MD5
a929d97a252937d1ec0431142b48e302

SHA1
7144f943b335581d3f1ca380825e9a24a5aca3e6

SHA256
64ffa1e87161ed8c9293c847ab15fa335fd990087c59092980282e176553bc16

SHA512
a7cd64ca248dc589f8afba3e3847756dff46944a2aa47c43ff34abea9ad10e697d49d79a88fceb78580de3c611ca9a590631e00b7219ca617355e5e335bd7423

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
80KB

MD5
d85d0067f406126622d21eeb6061387f

SHA1
0cf022889c7272496369a0e919e981a24dc1a7e2

SHA256
15d31230c3652e04b0d6abc6ee25a399aab4a7b3614c7a5d4604c0db1852496f

SHA512
40283693f85c279b886e1cd7f34ffb2051b02bccf1c0bc2cc01065898b7438e5afed7a6158a786091dcc3a8b8586c829ce7564b54024cec22bacbdf8ee90262a

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
80KB

MD5
e18e3050257c711cb928517c7f8a265a

SHA1
5a67f410705aa8b91e2720ccb07c2a5c311a01b6

SHA256
a9063d3d773d2a0feb9901dea19c5298cbded2e711e022f633714b764e412abb

SHA512
29138a8ec37a17c8bab6167130d46fd28b9ca9c96df177cae33d2eaf6bde60565a1e4edf3a3dad622c9de47cde5ad11b6c9f4f273b413d317073452d0ea49930

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
80KB

MD5
bd76c4765a05ee5a09dd182332049c75

SHA1
e8457b05652ed94511993bfb1cc80ba48642ee91

SHA256
647508e172753dd5b01354d0ffd373a4fd1b26c2f6e9fb622b7a58b516ab60ef

SHA512
6494bcbed35d9882b68c25e8fd3a1bd723875b2350a96163c678f83ff6988f776be17e34548cbf79a07c433a346835d8a4f7f24dc2a02f34e10636ba761f33cd

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
80KB

MD5
7514d6b6e6c2242747f672ab3e4512e1

SHA1
8fdff70ceda67a0cd0eaea872b3e32b4f81d496e

SHA256
c2f3a63d30127b19de3a984a915fcb73d5dc5fed1850ec49e35c594318e5d584

SHA512
cdcc662c21cb559853ec85ea4f87b8c419250e080d0a9fb9f59f169bf2a50ee122c3465b1841195be9133db62b29103ae6bcfa6ac32c688217ad106d82ed3f84

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
80KB

MD5
dc88b4886b903cb5d0c985d39542482f

SHA1
ac960710befed7db2620e20ff42574b31f40a141

SHA256
a2ee96edbe8f78348024827c03bfb97f9cbac3a369d537122e597dcfa021dd58

SHA512
687c93f59292365f77047985832b05d46d003ec0f4514f8b810e435da1681f17df317f2ee429cbcee6469736e12ba811aa29ad56056135f61192b65adcab4599

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
80KB

MD5
5fa841b55e4071351c95b35ca39c5ef3

SHA1
1095d3b94134371543e24a2c4f21a04587906099

SHA256
1be185495121a8987250a0b2275d4c40c3d4b5c48d6ecd2e2e05868edcfe8e7e

SHA512
88574770f2c28d1b1edad9f2e92b046ad2a86b818bd4ac2af80f0bb568d7a23940549dae7845f439631c31cd4d9969a2bf0a44628c068239442dac2d3ee10475

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
80KB

MD5
8e40fc5255841724b06e5d0caba7cf77

SHA1
773e9b9536798a7a5c8f431ad0d5919134440b38

SHA256
e3e157a841e893dd938be860f93e9f89e21dec109aa0699d3329a0233447d00c

SHA512
d6b2c3a9b294bf28e5d3c8aa786ab4c56d9505c794e17f2ea305607b37ee5dafba3f9b809953eb96e65b9245efe4d2b816e300bab5bf27b8728c2cf257758528

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
80KB

MD5
85ee6419a48fc212f4f5b8f9ee11596e

SHA1
6dd66c937859b0ac9d61e0a2b14474295e281a64

SHA256
71d021a2bf8810f924692918ca269eeb7925030bd0522b79dee996cd4b6144fc

SHA512
93665df54ada0b7f44e9dd308f03f7ea9e3238b2466118505b227df1007327a3bfe438a0d32df378dea709f47de60c84e3ecd2a0c02ebdd620e3466487049582

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
80KB

MD5
407b5dfb4da2070f3221a6d5b02eeb8a

SHA1
141ec325e2073184ef69d4778c4bb3ba72ab02e9

SHA256
78107eeb9d7f672268fbb60d14312d7d494f4ed1046401d3ea6ccd6e06cb9e86

SHA512
c2723918662a28a2c27bf7d532a8bb1633fad9a68fbcad785051b8e3dca4d6decf8b69c58d90adfb70305070ead1c7da39415e62bc9f0f22574b9dbd448e51f1

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
80KB

MD5
714c768dcb59d909e8db393f17a4195b

SHA1
2f52dbd9d72b2e25c7ffb005a6a2f89ce9c451a9

SHA256
6ffdee23b3a9904a166e56a64f6fbe89dba33bdbd3a1e4af0a67f10ba0d22380

SHA512
0364764d1d0cd057e5ff5dd674d3da7484c4ebc1e730c6e5ab4f523e1e97610d09e318da177b5feafc446284f53edb109f1a2a3aab2338867081e838de128118

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
80KB

MD5
911869a21592b72cc0cfb08cf27680dc

SHA1
08690831cbaf1939811674bdbf832757982e5226

SHA256
229e44ce6b89789ee1b1e6b7d6de3e6906f9c48dcf0f75dc8ea5a17191ed54cc

SHA512
8b75581bb1834ddffdf3067ec8e7569027a4b68f2dbe2859a9f84aadd5fb33c3c219e34a66f88d2593585128cf2d4b5b9fd52167810361e597acf66601d86fdc

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
80KB

MD5
de4bed7c6a2e91b1c7545d787403d0cc

SHA1
2ef5f6e82aa53c4631c562b19bf583ed58fdffb2

SHA256
8752feef1788351db348e2b9c5638a845b15b104c65f30f3515c634140f7b1bf

SHA512
8d3bd0135fd343724d250bf7454e3fb28261ed5815791a6966c2c214f9cae8af60fb9a29303eb48eb9e4ecd75bedd5d87a25d748147624a0da73c5e5f1be6441

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
80KB

MD5
18214bc07ef49d7b3102c8e30d9b04eb

SHA1
8f642b327cf8b0feb30fcd117342d818a408c739

SHA256
67cebb12f553c0baefbc35782f4332135fa968eff14c3d7a720de83e454fa7a6

SHA512
ac004dbe0435d634b5ad0aa31da2f498189f29689343bb7f85b8068781993f14d85ae16fcd729b2c360787bc9570f6e6fe5df10f90fe453d6bd43ecc781c4797

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
80KB

MD5
2e074b21622fe957be11d519e45f3994

SHA1
4fbc6c0074f982be084f47876878374e710fb5bb

SHA256
ab21da70fbd3262370b2b4f46510ec5c0fa6f43c6a7dee45b3bc4bf9c62e0311

SHA512
2a3f422ff3e9db544ea2115c43c4af80385fdad554dbe7c92707eec23fe051534f1b54b96f3287eb240db3f1f963cd755a058860f11e077a6ddfd2776d13743b

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
80KB

MD5
7c15953a3333a6ce80eb9a3e35a39bb1

SHA1
5b39fa2d614a530557f8b31c0260f6f39dd83120

SHA256
fefb97e5199c22ec7c03ffe0279c0a2d71a88c5013f04a132274c8de3de4e189

SHA512
7e712c20d9f5e52580c4ad8c54349f5eb109368c8221c252a1423e1779f9e63af585fea5c3b454835c0133b2995f3f0e21434efcd8a72e730d508ff3fbcf2670

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
80KB

MD5
8a11d3429c6dd0a89b7af61717ee42b3

SHA1
dcbfdc399fb9c10fbd34f262117eca6317797d68

SHA256
f5bafab9d123c1499d0771d73eac1abfe48a96ed4f9688e1050fab8fdf6d0b9e

SHA512
d755579ff4f98446272d8ed57d383b2db72ffc6d70a54b455608175284526cc0ac4bd6977cabcfd649435c0daa1f8ebe8d7d8019cd4a52e192f63b6170745651

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
80KB

MD5
ad99102daef58048e7cb1b416fa4a5b2

SHA1
e3bc2cd7b8ce6229fd173af7d11ab12d84da3067

SHA256
df3e884e9bd58b414d42e5f916ca93beed01df641eebf7cad5dc9cd9d5656a02

SHA512
24edbebbcbd48eef389e57fe88c5efa03b9d1e8bbcdecd7b2735b512c5422b61dbdc94872c89b020ef7b29e08570107d207019eefa843e18fed0d06ced80be11

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
80KB

MD5
ab53fe6a126142f0c8d9beb3a7a81d56

SHA1
c61fdf519e20d47840d09a85afc3be0377dca9b6

SHA256
0bceac819323df434be3b6e66594da16bf7a6e0997c6fb650f1ecf0ac8134d39

SHA512
21e40ba861b3d19d17a99ba5917d9041f8d027d82414dbe78f3dcd989beb63320d167d3f5c68c0bdfcd4e9fc6a225fbbebf759585e5175e0adb0109045e3ce9f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
80KB

MD5
e3b8fa11d5ccb77445c54ce61443fb09

SHA1
b6f96a651556795385e4a40b9178b4b088599fac

SHA256
3a205bc775bfedd42775f470ffb0b742be272700d3a73c7448a11ea05cb32917

SHA512
d37d5e2bac1428ad45cb018db04112006f1509faf52a4f7b7614e4259bfe16758db359ec811bc4783437b3542c17abdaa72ba53e52bc74af17052edfd73811b8

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
80KB

MD5
eb633b6cbdab8171582e8fd61aa175f5

SHA1
338ff0fd753b841cf1191f9fc4a404e64579a737

SHA256
303d3f06bd97b1559905e6387224d0b5e478ff2c0ba29f91ad7ddf4314c3ae2f

SHA512
7f13daf21e1d84761eb039f22bb98b8c31749d55826df3b8a4cefeffb52370a459d38a391fbccd96ef38214e0311e876bd64edbc4fcd64055340345aadff2ac2

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
80KB

MD5
33ee4ba497a31a58856538f0286d944d

SHA1
7209634a79b1a64a01ab70e51a8268507a4c3039

SHA256
e0e2692c265dbbf6e117d13e3651a0f94d2674715bb728d0959f046bffb32326

SHA512
0ccee2c4bc274ef667208e15e71e5319072e7d16817f9d056beb23f11e6bbad8b82a3363056d0478fd5f0045161af9ea5ab03252acf723333382208e953c3d83

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
80KB

MD5
4ce519681ad6b8729254a0c12dd32d0a

SHA1
c7267fe0cf2bc1757fe50b725169d757d8fd2da0

SHA256
73729709a70aa9faaacaf2aedb916798a7296720228772893624dad745fc2c7e

SHA512
e045da282ab3ad80bf68044f4d9f372f23749ca74e085b99e08a8ea9288c51e8f18b16f4f31ed80b72ba5db6221a989241e4287e6d7c1f8e1107cf126ac3f14b

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
80KB

MD5
b5601b1cc7fa2136c49e675058d015f8

SHA1
16ba88cde344fa9ed73ee031ddfbadbaf643cfc2

SHA256
5985cb5bd2488b15139837d5d1eb2f5a0fba4335dc393902d5e90f0a8ac4e146

SHA512
06fcdde77756ed4905e140fdaac5047ebe61fb8c17486383a1def1d09885b02180f4f72f254a2f899f0e6e30da0217528724cacb09095c6d3c513aa095a13eaa

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
80KB

MD5
5fa9562c6b4eabbbd26b43ad814853eb

SHA1
e4feed308f5c6b8d19229fb2a0009ddb44021e9c

SHA256
43db9fbb8273865315855fe92b9590b874f3b4c50b7dc034badb79f6989a9ba4

SHA512
19d3a855879c9e92245e738eec32f81ef6c39787cbe67f8607fce536440cea425c719077e89fcdc5517d5145b4e45029fd2b3f15f9fd25282d42800073d7dcf2

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
6da8c3213f4aa17f5d5641915d4ecc90

SHA1
82312d54973bd785a5efdabc26b36631a10a6d74

SHA256
7f41c8b6e0ec1b469438ae81d4d02d8d4585dcebec418f1f5f8aa296ec17cdcf

SHA512
152f559bbb6c5727ceddc5b053fad9ed835e0b73e9b7729d5532730304c1b7da0df25d53f179d7b4e546a28fbc3273743ffe98743ffa04c4f463f9070e0afe6e

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
80KB

MD5
d430976bab8be53f5c208d6b0bfb81e0

SHA1
8251fe626a9fc28a1a577b83fef67e136fc48329

SHA256
4f990837fc3225a86c54484865602e2311fae4d1b741b9388d7a1f41194714ba

SHA512
fe77f5e81ef3965a8d1efa54af336d62ca80c31725790d267380c3266610c4ebbff3baba8169afec985fda951877392e60a43d28db884974139b65ec0aa6700f

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
80KB

MD5
7e3ce1d719c9462ef83a4d6c1154c32b

SHA1
2ace46cb2aa06c0edcaa23279f8b9ba693fb00d9

SHA256
2e2e4182830791ae0b174a425c4fce7e3e0708fdf741a2dade93c4e970af7a01

SHA512
b74a15edd8fa6afebc08a7f8d1c72f13db7edb94f7098c21c699fd8bc356bacbce97da1ff958aff90bd8355b8ff15eae745ad32954bc7dfa1e2f70703d76d8e7

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
80KB

MD5
cab1c2c197a3ebd94e6abd7f83419752

SHA1
bd49cc44a8ae0904784f56747a4a9fcfd335715d

SHA256
a8d7655947fb42fd676627f651cf805404d2deccdf96e572bd28e6bfa65dba51

SHA512
2229b84804c27d42acab341e83e19a9c98fd3b6353aed8d388566ed8df5ce0df7ce415c1828103000c249f33543ecc829b8c7f8f4bc6bef745c2a85569c54286

Download Submit
memory/324-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/568-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/736-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/780-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2456-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3028-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3192-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3460-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3900-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4208-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4260-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4744-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4908-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5136-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5180-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5224-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads