72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe
Size

72KB
MD5

dbef367fbe9aeb47da732c9393baf1ae
SHA1

87d7c0759f7e701604bcbde8a10536fb950638b7
SHA256

72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95
SHA512

d8833b940c12831538ac0bef720128ab7d27b91777cd602595d4c24563bbc3053594be27866953d6d8ea1f413ad18c27392364b00a8048296c58f4d76875737b
SSDEEP

1536:/bUHgjJ4TaxEzfJu9mdAcOy9PgUN3QivEtA:/4q4TIYfQex9PgU5QJA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe

Executes dropped EXE 64 IoCs

pid	Process
4384	Menjdbgj.exe
1064	Mlhbal32.exe
1656	Ncbknfed.exe
4744	Nngokoej.exe
2736	Npfkgjdn.exe
1876	Ngpccdlj.exe
3960	Nebdoa32.exe
5088	Nlmllkja.exe
2700	Ndcdmikd.exe
3320	Neeqea32.exe
3092	Njqmepik.exe
4916	Nloiakho.exe
2868	Ndfqbhia.exe
2192	Njciko32.exe
3412	Nlaegk32.exe
3696	Nckndeni.exe
876	Nggjdc32.exe
1580	Olcbmj32.exe
3672	Ogifjcdp.exe
2292	Opakbi32.exe
1752	Ogkcpbam.exe
3364	Ojjolnaq.exe
3920	Odocigqg.exe
5104	Ofqpqo32.exe
3420	Olkhmi32.exe
2644	Oqfdnhfk.exe
4344	Ofcmfodb.exe
1012	Olmeci32.exe
4484	Ocgmpccl.exe
4104	Ojaelm32.exe
3664	Pmoahijl.exe
5068	Pcijeb32.exe
4412	Pgefeajb.exe
3244	Pnonbk32.exe
3776	Pdifoehl.exe
2024	Pfjcgn32.exe
1452	Pmdkch32.exe
3068	Pcncpbmd.exe
4272	Pjhlml32.exe
3836	Pqbdjfln.exe
3028	Pcppfaka.exe
3192	Pjjhbl32.exe
5100	Pnfdcjkg.exe
4508	Pdpmpdbd.exe
1884	Pfaigm32.exe
4640	Qnhahj32.exe
4364	Qdbiedpa.exe
1112	Qfcfml32.exe
3988	Qmmnjfnl.exe
4324	Qqijje32.exe
3752	Qgcbgo32.exe
3616	Ajanck32.exe
1232	Aqkgpedc.exe
1052	Acjclpcf.exe
4780	Afhohlbj.exe
3556	Anogiicl.exe
368	Aqncedbp.exe
4512	Aclpap32.exe
4976	Afjlnk32.exe
3708	Amddjegd.exe
4052	Aeklkchg.exe
224	Acnlgp32.exe
812	Afmhck32.exe
1104	Andqdh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6328	6224	WerFault.exe	226

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4384	4680	72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe	84
PID 4680 wrote to memory of 4384	4680	72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe	84
PID 4680 wrote to memory of 4384	4680	72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe	84
PID 4384 wrote to memory of 1064	4384	Menjdbgj.exe	85
PID 4384 wrote to memory of 1064	4384	Menjdbgj.exe	85
PID 4384 wrote to memory of 1064	4384	Menjdbgj.exe	85
PID 1064 wrote to memory of 1656	1064	Mlhbal32.exe	86
PID 1064 wrote to memory of 1656	1064	Mlhbal32.exe	86
PID 1064 wrote to memory of 1656	1064	Mlhbal32.exe	86
PID 1656 wrote to memory of 4744	1656	Ncbknfed.exe	87
PID 1656 wrote to memory of 4744	1656	Ncbknfed.exe	87
PID 1656 wrote to memory of 4744	1656	Ncbknfed.exe	87
PID 4744 wrote to memory of 2736	4744	Nngokoej.exe	88
PID 4744 wrote to memory of 2736	4744	Nngokoej.exe	88
PID 4744 wrote to memory of 2736	4744	Nngokoej.exe	88
PID 2736 wrote to memory of 1876	2736	Npfkgjdn.exe	89
PID 2736 wrote to memory of 1876	2736	Npfkgjdn.exe	89
PID 2736 wrote to memory of 1876	2736	Npfkgjdn.exe	89
PID 1876 wrote to memory of 3960	1876	Ngpccdlj.exe	90
PID 1876 wrote to memory of 3960	1876	Ngpccdlj.exe	90
PID 1876 wrote to memory of 3960	1876	Ngpccdlj.exe	90
PID 3960 wrote to memory of 5088	3960	Nebdoa32.exe	91
PID 3960 wrote to memory of 5088	3960	Nebdoa32.exe	91
PID 3960 wrote to memory of 5088	3960	Nebdoa32.exe	91
PID 5088 wrote to memory of 2700	5088	Nlmllkja.exe	92
PID 5088 wrote to memory of 2700	5088	Nlmllkja.exe	92
PID 5088 wrote to memory of 2700	5088	Nlmllkja.exe	92
PID 2700 wrote to memory of 3320	2700	Ndcdmikd.exe	93
PID 2700 wrote to memory of 3320	2700	Ndcdmikd.exe	93
PID 2700 wrote to memory of 3320	2700	Ndcdmikd.exe	93
PID 3320 wrote to memory of 3092	3320	Neeqea32.exe	94
PID 3320 wrote to memory of 3092	3320	Neeqea32.exe	94
PID 3320 wrote to memory of 3092	3320	Neeqea32.exe	94
PID 3092 wrote to memory of 4916	3092	Njqmepik.exe	95
PID 3092 wrote to memory of 4916	3092	Njqmepik.exe	95
PID 3092 wrote to memory of 4916	3092	Njqmepik.exe	95
PID 4916 wrote to memory of 2868	4916	Nloiakho.exe	96
PID 4916 wrote to memory of 2868	4916	Nloiakho.exe	96
PID 4916 wrote to memory of 2868	4916	Nloiakho.exe	96
PID 2868 wrote to memory of 2192	2868	Ndfqbhia.exe	97
PID 2868 wrote to memory of 2192	2868	Ndfqbhia.exe	97
PID 2868 wrote to memory of 2192	2868	Ndfqbhia.exe	97
PID 2192 wrote to memory of 3412	2192	Njciko32.exe	98
PID 2192 wrote to memory of 3412	2192	Njciko32.exe	98
PID 2192 wrote to memory of 3412	2192	Njciko32.exe	98
PID 3412 wrote to memory of 3696	3412	Nlaegk32.exe	99
PID 3412 wrote to memory of 3696	3412	Nlaegk32.exe	99
PID 3412 wrote to memory of 3696	3412	Nlaegk32.exe	99
PID 3696 wrote to memory of 876	3696	Nckndeni.exe	101
PID 3696 wrote to memory of 876	3696	Nckndeni.exe	101
PID 3696 wrote to memory of 876	3696	Nckndeni.exe	101
PID 876 wrote to memory of 1580	876	Nggjdc32.exe	102
PID 876 wrote to memory of 1580	876	Nggjdc32.exe	102
PID 876 wrote to memory of 1580	876	Nggjdc32.exe	102
PID 1580 wrote to memory of 3672	1580	Olcbmj32.exe	104
PID 1580 wrote to memory of 3672	1580	Olcbmj32.exe	104
PID 1580 wrote to memory of 3672	1580	Olcbmj32.exe	104
PID 3672 wrote to memory of 2292	3672	Ogifjcdp.exe	106
PID 3672 wrote to memory of 2292	3672	Ogifjcdp.exe	106
PID 3672 wrote to memory of 2292	3672	Ogifjcdp.exe	106
PID 2292 wrote to memory of 1752	2292	Opakbi32.exe	107
PID 2292 wrote to memory of 1752	2292	Opakbi32.exe	107
PID 2292 wrote to memory of 1752	2292	Opakbi32.exe	107
PID 1752 wrote to memory of 3364	1752	Ogkcpbam.exe	108

C:\Users\Admin\AppData\Local\Temp\72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe
"C:\Users\Admin\AppData\Local\Temp\72beb7cfb42c3952826b789fa8f3ade40d9f3ad8298ee6ce43514ecc5cb6ce95.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\Mlhbal32.exe
    C:\Windows\system32\Mlhbal32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\Ncbknfed.exe
      C:\Windows\system32\Ncbknfed.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        35⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        36⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        58⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2652
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2388
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        83⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        93⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        94⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        96⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        101⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        102⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        103⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        108⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        115⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        119⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        124⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        127⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        131⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4124
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6180
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        137⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 396
        138⤵
        Program crash
        
        PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6224 -ip 6224
1⤵
PID:6292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
72KB

MD5
dced77291654f5f2015e98fd31ad71e6

SHA1
d5f4ce0e42fdbb12aa2354663e210fcc6523dc2b

SHA256
74488206849fc5eb7fc5a586ca9634dede1f4d351d6eb40af6953ad1f0dfeb77

SHA512
d0e91e2b866eaebd210b45b4ca43b4de429ad7b76e4c440228793a51fcd92b4f2c370d8a3965bc8acf7271872a4b574ede5872484012ca0890cc0e17a3769e02

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
72KB

MD5
8f62cbb2532c792baa88f9fb535cb188

SHA1
71ea5ec08b259bdf8b5070a20815ac16a5e15b45

SHA256
8023ef8b890040de9692d7a60aa53411c3515c3a06bcfd73950679be5bd6e320

SHA512
d48ad0a36f9ff61547bcae8541fb0dd594b4356f033813eec15fa5db86bbe738efd3fb1258a30faa490d34889f5d244115d894f5c6278302e1334b4d5755bfb1

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
64KB

MD5
daca5190e81a55a4db304c784fef2f94

SHA1
6a6b375d0ef51181e846bc9aa8b945187ba9de49

SHA256
e846f62022a2f1bcb363aeb7f505009814794343cd8af13866291892be620f9d

SHA512
c4209c9073a072753137f1e2bf4576cf815d4f20a4d3e722046970890fb05cc250c7bd596bcef163543ea5b644a9a37b98bc0460fc373a74d5d7ccf8e76ac989

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
72KB

MD5
aa2cdda2b79d235b6c63c23857631015

SHA1
9b29218d3ffeb61ce3cd74f7e21d60d064c58006

SHA256
8155c7d9139242512eb81a214ddaf65f96280510123365adde6e4a98ad917f70

SHA512
5cb2407a78d35b81815eebc0ec9b889139e1813a0af95917063785ed49b1c6427db7aad6d87fba3cbf50040f6ee2dbc8aa69e6e10fabcadb15d22258116ceb9e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
72KB

MD5
f6ce34214dae300bb4c0abe5a4b253c7

SHA1
e432fcbce16931cc090d5d4e02e766ce5e8618db

SHA256
f3f6fdb729162a58669880ae14b91e9379e567e4c06aeaaa55607ba541af3b5a

SHA512
2d184764200096692eb32fccabf38daf07730f99703c205a2e5092a9c7bdc3e257e91c3228e52ca404afe03b923e6ba6207dfc7910942434ef41023b9ef42397

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
72KB

MD5
1d9019eb2ca9e8211925a48a6e0ac4b3

SHA1
64a2a47b56dedbf46e7bdf4f5c61e3b18aad39b6

SHA256
6338155d940aec1fd63a5cda1f46fb758d93ed33fd08e2349e800ed3d98b5d4f

SHA512
2f8daa187dc2d00d0c35edface08edf50884e241ef5706e21772589216c1acbdef00b17e527dc35e741be58e96b5d490d9453e8bb09caa48846e620adb1db8e4

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
72KB

MD5
8a3f07cbac0099ab14d6566ca92c79eb

SHA1
8eb0df7e43839b63be2210f13b0c32f850d14120

SHA256
8a012fe7a1f81e021e61d2a1e85a0ad3d70a9d06baca83c7f0e900a870f70efb

SHA512
44a4cab1aba9e75839e00c3fbb290a6a03d78c2e675abe620358858ce29ee5e863ab3b1c9235edeac598694b41bf84155f474bc6420aa640ec4755203fa26b27

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
72KB

MD5
1a982232877b5b520f0727572b75e57b

SHA1
3ed3f2cc518464fd68c9db9586786b5fa0562422

SHA256
8cd807f8ac33fc59606922e37eb56c44a7bfd81014db4ed8d27ce24b8e6a0590

SHA512
f86e2d4ac15a8185c0a9bba390ba3ed4340c1e822b7f88785e05c0817fcec56a9a2427fb66f43ae861d8b54e7c53d3f9e3ea5b3cd9325a1ea091fe0458447b14

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
72KB

MD5
9aae66adf3e8c65f743406cb9e0f6152

SHA1
f76e8c24d9110a1600e6c360b6c9cef0d57c473a

SHA256
b6fd092ef45fbe5921b3194cc0662f2f7b96d1c313371a219864a6d29b1927f4

SHA512
fef41999082655ef9999084d27875f2ee318b78a42852f7c7e625edddee86401cfc63b8ef4f99d89943a3137145c7602d2e57cda1d2845e3df132cc5c1eeb781

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
72KB

MD5
ccb1e4cc0302d9b3ae5b94393ec2962c

SHA1
18774800e033765400df769e82f865c66678c75f

SHA256
3782271b4c4eade07106e82c71aab4ebfbf73a789b2b52fbb3ef43ce16314be6

SHA512
8da740d82c1303b11b59839617f6f786724d3d004ea2590e8ceffd9a36679c44e6c17688ce958a3c4246a7ae131d8e646eb654b2575a57405421bd6504646d8d

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
72KB

MD5
cc406543438785d9cd5977262b2dd754

SHA1
2b34951c7d70b236512907746470bdd57bf64612

SHA256
f185e1d3e656c32883515d0333f8859a3eb571afdd650c76cc4b8c7dea5a140a

SHA512
eb96873588c31dd18f7c50b47ec55142743426417ed01a3b18ce6aba11b1e001ea26c81c0c1c4e93ebd9a9322e44358156fa236dfe996f8d1c9102d62dd5cdc7

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
72KB

MD5
5c7376d52146cdb0e15e9e055b488cc7

SHA1
078cbe6790558d6da65e30430cd62cffa06e017a

SHA256
416670fa8ecd97b282f8b972b5d2a454c2e3ef4054300133d5066d8acc2c824d

SHA512
454cb280f886388a0fa9a23f063ee0a73f811fe1b21407917071bba333a4fbb4657dbc4cb6bf459f35b58941d6de855317f037997efd1e96312ab900490a481f

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
72KB

MD5
15f1f4efce7edc212b486d9dd4feaa02

SHA1
b181688a542e6803b5cc47731e3067fe8f770be7

SHA256
4a7293e30804c452d373cda08f05bf9301509aa9d25b2294a10d39820c442fe8

SHA512
2ff71fd9b22f8818e919b7d3d5b94ee48830458e76e7894b6c7633ef2916b4773980cd83adb98a3342d7f3bdf7cc091c72b8c615d3843331080c8ba0f81b54cc

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
72KB

MD5
d58baf9d7154eea74102d72cd95b0a8e

SHA1
da0d4a1d9f4fb3558f02cf5fb619ba955d7e9d60

SHA256
c04b0344abf1e878b56b7925b014d0dddf3f2e503990f11187d21bd93e8d323e

SHA512
f52a2d58c5fdea6e651bed338c59627d359bef9c1d817f5f4237338fa6542925a3e5216a7f44e93f659a7848076f92bb7939af7c47a48c1c09f870d9a49de007

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
72KB

MD5
ee44599c2392b364653ca04468ed6f10

SHA1
9a03e5f2f658b12e8f56af6db3c0d7b0027df0c7

SHA256
e92bf6b0deadb15d090ebeeac7e40ada60c2a53b6d4430706181e40843aeb106

SHA512
7afabc7b639c0278104bf0bfeb263ae7bdf09101a67f7dc18d333ba9f74b28c75ebc4aea0622036076ab339ff06cd3f75543b9b4a311d1323995fdb9424271bd

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
72KB

MD5
f344384f33a0e28cf2a0bfeeb8b72ffe

SHA1
7d6aa4a1683c097e626653eb99d51fb8d29a08cd

SHA256
f8b1968e80fc3ddfe45c10b43d3c31e270aba46b26482ad115a19827518e4547

SHA512
59fce00ffab7781f11b7ff2da97823f64cb31867d3c90de2e5360f3eb464dd92d567d019302f044dba32efd52ae882cc6cae94bfe456786cdb8a68a5043819ca

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
72KB

MD5
d6f02e3b1b966b24e099135bf4f54bec

SHA1
5728f8f415abb9664eaf09da4c7b5411a6fd293d

SHA256
da9494c45e82a6e519d69098ca5012647d4d1c215c92b87a04056621151c09d0

SHA512
1a5324db3085286e9b94b063a3f96c5633c3d27c822041117771ed27e2137044865518c593464e521ab747904d08abfc638f9f7a87e651847e14ba5edb51e131

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
72KB

MD5
c059fc805a8f272edc263107fedf551f

SHA1
92f0ad3ea915176a79363d35140a3d64b1cd41c7

SHA256
745a88e1cbe9cef5469eec506fa2fd32ace8b06f57fe2c0adfa1afdb3ec372ab

SHA512
c33587dc8074a19f0fa1d70ec784f6f5120502fb69a392d464649fb2c627c9752a23498d52486975246dcd16d60ad43b65a379f23c264721352401039ff8e1e8

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
72KB

MD5
0bdf56593b5dfda1f54ffbf9ba0bc1ae

SHA1
b4680e80358e19d9446b3f1824132ec91706b092

SHA256
8c0740f3f3a5b9e1eebe0a6717483842e9d861f79a94890c689d43a1fa2cc8d2

SHA512
d6168befcfecaced3e04ae89a5dcef78dd557ee704356c8e3c41480bdb8bdee032800568396abe3251a984682fc6060d9ca9571ce6ca9a462bae146d650168ce

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
72KB

MD5
b04368c7c9f3fc15017a5e57d6548923

SHA1
fe3046670e010a5ceac7bcf9b7f028785b571346

SHA256
2d403e7e19f220018d70ff560a03711b6a49bbca47a3a852a95c0a676fbf0f83

SHA512
37993e5d5f6873058db6b943f66f7ce04fb55f3ed9e56fd7cf1c9174bcae62e6978638b42829a6788add4724f88da3462f9c875c24f1115dbce753d25ac932a7

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
72KB

MD5
0a479a7abb7e9a690a7f1ac03412e88d

SHA1
4a6a3e4ad3e277061c721eb1e8ad1de0e1c9ef71

SHA256
637af9353a044ccf53a025ee39c8d7d39871bc5e9feeb1400a1fdc1d276aee89

SHA512
3106bed7f61dadb55f148a959cf22e088f2770916258fa8d043f6a8b6766f081e736669dfebd58210da78e085b3e603222fb7daaa46ab4a97e15d32fcc6cb7f9

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
72KB

MD5
023908d7b2f3cec4484f413b1e5ae693

SHA1
5e0f6323ac67dd2f505ceba3538b9bf63bd6ca9c

SHA256
26dc528298af75a5045dd5f1c022cb96b391005685aeb837361555dd1ce0eeaa

SHA512
1012b7588df7c999da2aeb1baadb594c31daa0c289a8492cc17170234d13c151685817f8e2753b6b651862124d37e360b0c39614a70aefe5a69f177135088692

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
72KB

MD5
f8c9c20b783dfae1c3f2be828cb76f60

SHA1
39ec9cdee93dade151cbbe35a3a9ee70deb30ad0

SHA256
a75a953e0c907e2952f52223921997066e6a667a42df744f089164c05d320dd8

SHA512
89816dc2958d5f7a217d108f59ed5d075908dfb9d0ccf8892de1f245b210494deb93437f42fd7e57fcbb44404bb7c17e2eaa62421f7546fa5e125d1d678a777e

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
72KB

MD5
b64cbaec5981c224d9a53caf1c3207ce

SHA1
42359ffd995722a27a3fc5485e9d11e976b2391c

SHA256
2f638f8a424b6028fe99a8d0d2b324fb0497157533bc6761bdaea77e1ccd2c04

SHA512
881a06ca54fa9d7cf1d46a30e0b0dbc75ea9ce13aaea1d8353c5f02c96f2bdc36b9079fc274731421a40302d769d3eb0ec46734eed061ec3441f43fd66c1e7b5

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
72KB

MD5
ced6c093cfe718206a00de8925b1479b

SHA1
e8daf2e5431437873b55318cbec8cf63c7d32fc2

SHA256
8d320215db82f93be310cf1f644bbf629dd29ac3c70877ca0ef7ffc0f8d09c1f

SHA512
28ddee151991cac88aefae4660d31949ac587100f911a4900de47a8bac0512246269f20cd76dccba66e059c4384f684bc819cf4c75eb59021135fcbb5a5bbe7c

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
72KB

MD5
1abbf709e17d1448b0507e7179c1eadd

SHA1
db1b017737bcfeee3bd6839eb31c4d6c27070562

SHA256
121793896ebd7dda4bfae2f71034d86f8b2214eb4b1a7ea9da64dab6d9f6e907

SHA512
68c12f950630894469eddcabf6937c3740bf067ae4bc0c0fbd8968bf6012033bd13e841aca2f3d9812a63e67eb91e2d1e554c2947e2df0bba9f2973308836bfd

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
72KB

MD5
3e7eb2171feaf759d69d85dd358848de

SHA1
bdd38cdfc3b310e4e0fc57c16bf150b40617ba9f

SHA256
b17c88a13b8e3b2ab7e02906aef23ffb2be53f996060d4f9ae370d3fe75031ea

SHA512
a6308fc53d25342b370be3fbcc2eaa4aed07b0f98bf9841e78a75c82aec3f9767fcd488b1b1b9c123bd7365e09ee0cdff59540cfd12f1727019b2909aefd7e68

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
72KB

MD5
732c6f56d2cee9c1bc3133ba1a458bd6

SHA1
43946bbf782e896c91e487d5df6d656491165ace

SHA256
cc80e2b4ad0737ac7d946e77b67a5a257c5edbd98ec550b840521a440fa44dbd

SHA512
4881b7c7596ea3efc8af38eb169117b094abfc7768efe3e3f53194e5cc0f710391181459232f9aeb9d9eac3c65952fc258f018f7366170a84a1602d239701edc

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
72KB

MD5
5ef0b3653075b446200caee3e9772d86

SHA1
4b7ac5b46be806f181bf9f1ec34c96026441d142

SHA256
9e524b7316ce930ad961231bef71579f564f7fde94dce9ce424bcb1dd74ac1a9

SHA512
90e37619ef086fe577dd52f2912613bd1e25798823e9392f0905056edd6673e1cb6699595962509ad2460ba86dc15e38c433dd9d84d459c8559339063f0317c4

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
72KB

MD5
5d2413bfb902d57d4f5b3c84ee9fc849

SHA1
e9c34c4912d4be5007d283c10acdd143f06aa93f

SHA256
05f8ffcfeaaccbf4e57e02a52ec38818c44b793dd7ef623b7436c61ab0ad8021

SHA512
cd85a466d932b5dc40ccf970cc4fee15945deebe369ca701ff4bf2f8168edfc540f24f4008818622bb1a76a302dd826fdfc48e9511561522f616e5530f200b6f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
72KB

MD5
d2298894be8290e32d87fcf03bb699a4

SHA1
11d18afb913d6361c9f67872c515c9062417d6ec

SHA256
0836f76a5d1fc20fe87777f7c49b300d8d54bf52c43ec6eb48da2aa51efd0810

SHA512
c63c883b3bb00872e67efe5a10ea4c9b0077bb2d7732543e94569d5ca5d0bdc988acefa5cbd95677aeddf8f54b3bc28488150a4700feef18ad1d79d5f09e71ea

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
72KB

MD5
3843669000da0adbab628a1c46ae6f1b

SHA1
9ff6bd17716657327f3a43a842310091dd4a94d7

SHA256
350665d45f886569995bb44cd9c7345dbcd754ed04ff698ffb30c7ef0474ec99

SHA512
2a55c50239f573366ce9be0d65dec327e8fe165ee15869813aaf1db3babc730b3d6f6e9c15d79025855eb87117a18461f058402b2ee489f747b98a1eca5846af

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
72KB

MD5
de6aa0cf51626353765ba069ff28bf32

SHA1
193708f16a47972197ded5f40159100e499fc441

SHA256
e4c9bb757b42706709a10b4828053b9733dadaa7a4b7f64c535d0fc9f4fe97ed

SHA512
b1b0d2c22f6f53eb3a64061a4a54097e17b517fde5daf2f44b9f1138ed0adb66c741a0534071810fc12eac9b565e89d4e5e3fcce354328372ef407fc7ecc9301

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
72KB

MD5
4dc45e595ba7c9c3d129b477325aa458

SHA1
5bb1fd63edf873f76fd97919b24f7ab5c5fd9af4

SHA256
b0d67a6ad30b822c894487c5481830a4cf4e1f448a49c580dc6147339ebcb0fa

SHA512
b86d6bdf8ddf0ff43d9d3c2e1069153a3cf6174f81e92b1e8a30309d121d7b0c8bbd8bb22a5c43c5f51989a5272d1ae1fcad8b3dd85ba8dad158576c48236d8c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
72KB

MD5
26872ab759c09ad711d967788db3d884

SHA1
2f36a8d7a34071158baa5d2eae31f220ca91f410

SHA256
e1e3633ccad69b37ddf9a14c1b7cc4cda3c681defb449dad9054a5a587440796

SHA512
0eb0281d632513b0dfcb2c901793c72df75a2a0f491fdfbb0466292fdd6bbe2ec668b2c456722dad55861cdb1f79baf0a3661625bc1942183ee136c59932e767

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
72KB

MD5
bd787de9af575cc826c7d2584a3089a7

SHA1
cfe3a18e4a259dcb5abc41a7c7d0420beba4a535

SHA256
275bb0486e9c211664686d9fd37bb285f90d1311ad04643302d674353c9f2509

SHA512
63cb08dfbea1ccb95d7b3820a47a5f06a0b756020e817af75efcfb7d48bd4df96ae9b50b6f6eb840e42550cabe72f353ca0447e846db81a020624451c4693f43

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
72KB

MD5
ed96d71a91d002b99e5bd5934e94b37b

SHA1
a64aa97e4ee45dd46f3ec152ab0293d1dae1b151

SHA256
4d50b7c8a8ae445eea6d9fa6ebdb764f1cee99f3bf56c63523ae1839c5d7bbb9

SHA512
2a3f3632a8f05bede486c86ad376d7f09b7c5d6f25eb20723f2f0b9fb1516411dca50c109f9a57e8f7efcb202dc432a4095f8a4f9cf6c0d19bf192126b11c6ab

Download Submit
memory/876-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1012-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1012-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2644-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2644-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3092-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3244-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3616-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3672-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3672-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3752-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3776-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3776-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3836-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3836-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4104-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4324-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4508-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4508-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4640-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4680-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4680-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5088-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5088-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads