9e36fea67a91194406541b8c85b27183c6b5bc209575c51b4a4436e0bfea5d70

Analysis

max time kernel
102s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eec26a5c3ca511e03e18a9ed624f2040N.exe
Size

128KB
MD5

eec26a5c3ca511e03e18a9ed624f2040
SHA1

dce887f775ec8a835957f6b4f869cfab91fe3997
SHA256

9e36fea67a91194406541b8c85b27183c6b5bc209575c51b4a4436e0bfea5d70
SHA512

9fe22b5a16651bc4076606f48160e84ef7cec6a5da667704e34f2ff05227f32698757bde7b53c917c459886e8163d0da8dc308beef48facb33a1fa7ad85b2660
SSDEEP

1536:GdK2dzrnB4IfRFjj9wUBQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xZ95Q:GDmIJnpYKG7UDd0pCrQIFdFtLQ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe

Executes dropped EXE 64 IoCs

pid	Process
4504	Mnebeogl.exe
1112	Ndokbi32.exe
2792	Nilcjp32.exe
4932	Nljofl32.exe
1108	Ncdgcf32.exe
5036	Njnpppkn.exe
3960	Nlmllkja.exe
2732	Ncfdie32.exe
5068	Neeqea32.exe
2708	Nloiakho.exe
4572	Ndfqbhia.exe
3464	Ngdmod32.exe
3728	Nnneknob.exe
2100	Npmagine.exe
4260	Nggjdc32.exe
1008	Njefqo32.exe
2040	Oponmilc.exe
3632	Ogifjcdp.exe
3296	Oncofm32.exe
3304	Ocpgod32.exe
5052	Ogkcpbam.exe
4032	Olhlhjpd.exe
4816	Ocbddc32.exe
3640	Ofqpqo32.exe
5020	Olkhmi32.exe
4776	Odapnf32.exe
3896	Ogpmjb32.exe
4368	Ojoign32.exe
4336	Olmeci32.exe
976	Oddmdf32.exe
4052	Ofeilobp.exe
2480	Ojaelm32.exe
2892	Pcijeb32.exe
4888	Pfhfan32.exe
5048	Pnonbk32.exe
1468	Pqmjog32.exe
1880	Pdifoehl.exe
2024	Pggbkagp.exe
1448	Pjeoglgc.exe
1788	Pmdkch32.exe
3616	Pdkcde32.exe
1004	Pgioqq32.exe
1864	Pjhlml32.exe
2600	Pmfhig32.exe
3096	Pdmpje32.exe
5100	Pgllfp32.exe
2096	Pjjhbl32.exe
1884	Pmidog32.exe
4000	Pdpmpdbd.exe
2624	Pfaigm32.exe
4992	Qnhahj32.exe
4744	Qqfmde32.exe
3988	Qgqeappe.exe
5088	Qjoankoi.exe
1432	Qmmnjfnl.exe
4896	Qcgffqei.exe
4524	Qgcbgo32.exe
1608	Anmjcieo.exe
3420	Adgbpc32.exe
4880	Ageolo32.exe
1240	Anogiicl.exe
3352	Aqncedbp.exe
232	Agglboim.exe
1684	Aqppkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	eec26a5c3ca511e03e18a9ed624f2040N.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1808	5428	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eec26a5c3ca511e03e18a9ed624f2040N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 4504	892	eec26a5c3ca511e03e18a9ed624f2040N.exe	84
PID 892 wrote to memory of 4504	892	eec26a5c3ca511e03e18a9ed624f2040N.exe	84
PID 892 wrote to memory of 4504	892	eec26a5c3ca511e03e18a9ed624f2040N.exe	84
PID 4504 wrote to memory of 1112	4504	Mnebeogl.exe	85
PID 4504 wrote to memory of 1112	4504	Mnebeogl.exe	85
PID 4504 wrote to memory of 1112	4504	Mnebeogl.exe	85
PID 1112 wrote to memory of 2792	1112	Ndokbi32.exe	86
PID 1112 wrote to memory of 2792	1112	Ndokbi32.exe	86
PID 1112 wrote to memory of 2792	1112	Ndokbi32.exe	86
PID 2792 wrote to memory of 4932	2792	Nilcjp32.exe	87
PID 2792 wrote to memory of 4932	2792	Nilcjp32.exe	87
PID 2792 wrote to memory of 4932	2792	Nilcjp32.exe	87
PID 4932 wrote to memory of 1108	4932	Nljofl32.exe	88
PID 4932 wrote to memory of 1108	4932	Nljofl32.exe	88
PID 4932 wrote to memory of 1108	4932	Nljofl32.exe	88
PID 1108 wrote to memory of 5036	1108	Ncdgcf32.exe	89
PID 1108 wrote to memory of 5036	1108	Ncdgcf32.exe	89
PID 1108 wrote to memory of 5036	1108	Ncdgcf32.exe	89
PID 5036 wrote to memory of 3960	5036	Njnpppkn.exe	90
PID 5036 wrote to memory of 3960	5036	Njnpppkn.exe	90
PID 5036 wrote to memory of 3960	5036	Njnpppkn.exe	90
PID 3960 wrote to memory of 2732	3960	Nlmllkja.exe	91
PID 3960 wrote to memory of 2732	3960	Nlmllkja.exe	91
PID 3960 wrote to memory of 2732	3960	Nlmllkja.exe	91
PID 2732 wrote to memory of 5068	2732	Ncfdie32.exe	92
PID 2732 wrote to memory of 5068	2732	Ncfdie32.exe	92
PID 2732 wrote to memory of 5068	2732	Ncfdie32.exe	92
PID 5068 wrote to memory of 2708	5068	Neeqea32.exe	93
PID 5068 wrote to memory of 2708	5068	Neeqea32.exe	93
PID 5068 wrote to memory of 2708	5068	Neeqea32.exe	93
PID 2708 wrote to memory of 4572	2708	Nloiakho.exe	94
PID 2708 wrote to memory of 4572	2708	Nloiakho.exe	94
PID 2708 wrote to memory of 4572	2708	Nloiakho.exe	94
PID 4572 wrote to memory of 3464	4572	Ndfqbhia.exe	95
PID 4572 wrote to memory of 3464	4572	Ndfqbhia.exe	95
PID 4572 wrote to memory of 3464	4572	Ndfqbhia.exe	95
PID 3464 wrote to memory of 3728	3464	Ngdmod32.exe	96
PID 3464 wrote to memory of 3728	3464	Ngdmod32.exe	96
PID 3464 wrote to memory of 3728	3464	Ngdmod32.exe	96
PID 3728 wrote to memory of 2100	3728	Nnneknob.exe	98
PID 3728 wrote to memory of 2100	3728	Nnneknob.exe	98
PID 3728 wrote to memory of 2100	3728	Nnneknob.exe	98
PID 2100 wrote to memory of 4260	2100	Npmagine.exe	99
PID 2100 wrote to memory of 4260	2100	Npmagine.exe	99
PID 2100 wrote to memory of 4260	2100	Npmagine.exe	99
PID 4260 wrote to memory of 1008	4260	Nggjdc32.exe	100
PID 4260 wrote to memory of 1008	4260	Nggjdc32.exe	100
PID 4260 wrote to memory of 1008	4260	Nggjdc32.exe	100
PID 1008 wrote to memory of 2040	1008	Njefqo32.exe	101
PID 1008 wrote to memory of 2040	1008	Njefqo32.exe	101
PID 1008 wrote to memory of 2040	1008	Njefqo32.exe	101
PID 2040 wrote to memory of 3632	2040	Oponmilc.exe	103
PID 2040 wrote to memory of 3632	2040	Oponmilc.exe	103
PID 2040 wrote to memory of 3632	2040	Oponmilc.exe	103
PID 3632 wrote to memory of 3296	3632	Ogifjcdp.exe	104
PID 3632 wrote to memory of 3296	3632	Ogifjcdp.exe	104
PID 3632 wrote to memory of 3296	3632	Ogifjcdp.exe	104
PID 3296 wrote to memory of 3304	3296	Oncofm32.exe	105
PID 3296 wrote to memory of 3304	3296	Oncofm32.exe	105
PID 3296 wrote to memory of 3304	3296	Oncofm32.exe	105
PID 3304 wrote to memory of 5052	3304	Ocpgod32.exe	107
PID 3304 wrote to memory of 5052	3304	Ocpgod32.exe	107
PID 3304 wrote to memory of 5052	3304	Ocpgod32.exe	107
PID 5052 wrote to memory of 4032	5052	Ogkcpbam.exe	108

C:\Users\Admin\AppData\Local\Temp\eec26a5c3ca511e03e18a9ed624f2040N.exe
"C:\Users\Admin\AppData\Local\Temp\eec26a5c3ca511e03e18a9ed624f2040N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\Ndokbi32.exe
    C:\Windows\system32\Ndokbi32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        38⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        67⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        70⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        73⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        74⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3152
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        84⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        85⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        88⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        97⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        103⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        104⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        105⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        113⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        128⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 220
        134⤵
        Program crash
        
        PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5428 -ip 5428
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bffkij32.exe

Filesize
128KB

MD5
f333ef027b98721e7f04efc551c75aef

SHA1
b85a1b2310c6a3d3e5bbf5057d009b4513896628

SHA256
83b425b254ced91d912d77254ec0c21ccf08645520021015fe15a02878c65444

SHA512
c0510f7dbe6947a86c02058169b77efa73919b50faf0ab992cc5101e86e28c796dbf1246057342d1568f6beeae11777003aa3706cde924fc254cc1692272ae29

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
128KB

MD5
0ac82c0d5114203b5d70148a6e3a6ee4

SHA1
347aacd12a994a45710c613c3dcd365564137456

SHA256
1f5dd331bd34b948f60b2ff89ff45c52c6b6a55a2292236edb6eaa59491c7c59

SHA512
a8e844d21a2fb33877b9a9288757c4dd3c1a50ad26fcfac1582b3a39ac9f4c470996b26b7315b7dd432054e60f70b9d6ecbc9b30c4313829ef8c4fdeb71c265a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
e7e9c03a3421907da1d38cd191a873d1

SHA1
3391ac85ea29c604fcae3bda972276945b21465c

SHA256
39093e6bad76f51586e9a94f461c7a1b1e2d8e117a15ce7468b0c0f03933f160

SHA512
572cd745271ebd4b44e5bc5621404b6c8a8f9e0f1a923fddaccd6b2f13aa6ff0193b5d1cf98a7721c0d1f5c35eba6c68e05302bd39d1dd3adfd7d41a76e0bdb1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
128KB

MD5
7aa323f30667f0d21cb9e5029514cc97

SHA1
88b14af56f9a54ec5062a40f11702649a6ab2134

SHA256
155237ada2aab6a37e32be73bad9c9ccff57f1780e26664e9e929b3d3f6e9da7

SHA512
303ec1cd6b58a9bf83a5672217f78d0acf8cadaf394288b5855b86fe382777ca8fa7a18297124e6c0e8eebef206510f745c1d49aed26081a4a931784ea25f5ee

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
128KB

MD5
1bc87f70c2a70e05f0af4d3369b2ef9b

SHA1
3fee15342d27e2f7b2ab9ffd14332f07617d4016

SHA256
8154f15064c8b76124b1bb6bc54089b54f46cd58cf59917563bf0da8bb55f9d5

SHA512
b9354c271ed2c27bfeb2d006ccdef02f816a26e64144ffdc28a7c3248c0e1cb0d0989b2fd5253009127cfdf8f0dd718853228626ccd0cc70d578e5afaad5d348

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
128KB

MD5
15a621111ca97ff2cf3c80004b5733dc

SHA1
dd4bba24de74426ce902b739b2fb17a179dd2953

SHA256
1d3fbffc9acd9439a5aedc4dbeabeb103db2d38423542bf94efe9a6c5d68e684

SHA512
3a448eb63e45bc543f8fcbed4431a3c994d92a38efd9fe97a67373eed7d2222dd8e177ba2eb250841092a55acf141910b2d49263c4919a7604d730f4e4f682f9

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
128KB

MD5
12d5326ad386952acf16694bb4cd5b99

SHA1
2d99f9a29afb034a2f9a03dd6f6f874c517f491e

SHA256
4e017e744d3c2dcecfb10aabe9a73307abe10f2b52ae27ebac66dc4959a32815

SHA512
465000a9dfee8a98f0c2d3c1af3c53fcaad783e04ab6e9522a2abfae0d9c48c2ba12abd977ac36904219c8fb8c67745877836868d61a67c36bc5e2f0f4bb0058

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
128KB

MD5
10bf481d408bd85b27265abcb6ba7799

SHA1
b50cc63e29be9f8a270c3270a36ba0141dcb681a

SHA256
500fec93e7c1b79cb4ea3fcee9f12144325d8bac8012b8bfc8bc2d51b8b5fc7c

SHA512
94b285ba7495e3c6926a7103af2f648d13c1fef15747fbab5a2bdf501767893e9651c858d37f7fb3724350734b86ce0540fef38f1a7dc12ef01a9cded6b5f7c1

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
128KB

MD5
135061693a64406e6adf4da7c2db292e

SHA1
ed8b4a59d04e5cb17996d696ec2ad38356dbcdad

SHA256
49358a853b0d7a5d322932d294006dd6fa2efb5620d8d1a01388c1a69eebf49e

SHA512
c48ad09507951f181cf6b875c4b8aa1274be87c8308032767941c6b8e531fec84bd7df532f733fe113f5c2c6896241ee06b119448c065f2b3d07239191e49f94

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
128KB

MD5
995ee176bf93b4fc32c8f55a9f91c825

SHA1
be667fc9ee243e8135b696d750efe746eef9040b

SHA256
e8968ce05f637bdac223cc087cf1d4c4981eafab8d166ed72554bec1bf611837

SHA512
96309c2454116725d5089ed63f1fef4061e591442b3cf4669dc008d6a510bd1d14bdb3e06839d80fe87641fba24de60435240496c0c4d0bd83b34c7be978f1d9

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
128KB

MD5
8850a2bc3c5cafd8057cb0651af58c69

SHA1
60a25b46809c1043f39aaedb017791bda2fae87c

SHA256
13dd3b405fe6bc3a8ff6b62f21c8389c2c43d8bdba090fbcc2f5848178a1d8fe

SHA512
ae260d76801af7cc9728b49a5c806608d6e8c0314fcba8637be4a8ec53f0d464a489b3f8b0d489ebc1b9ff716717fee56ab1dec73f5ce99119e64e89bff69b59

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
128KB

MD5
32abe033dfc8f8dcb15ff37a0f562fd5

SHA1
b0a482c415dd7b18c30f7d3c65a3c308b131e871

SHA256
9eaf17297466503608b0546c277f0761b7ea9e4f8f4ecc76a43b316715182c22

SHA512
ab817067509adb02e276bfb7e7a6698846836ea9c6580a0206bd756907fb567585083b7f92bca2f9370e90c4afc55fafe65570d4e46ac11be1a25abad83d7410

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
128KB

MD5
9c1bf9648973c0850cf8e6a016161424

SHA1
7b0466d4e2ddcb8db5be7dd901c5f550c9e26128

SHA256
7670009e06163c79bd3f61a5ac93028259cb8073dde70b0c435dac54bfdd2ec5

SHA512
a0e11f0fb0525878287123c1324829e4fc6800d8d3731b5906c603e37567c203e6fff76943daee7253e9e083aacf2d6c797a3e9f4cfc13b72aecca423e76a85d

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
128KB

MD5
93930ffa5ba30e18db062cb38a0250e3

SHA1
3c79584d5f515ab7f28bb233cda79f193785de03

SHA256
1e090a7ba98c9c50e6992da9c43e7d55d9104405d1a3f4d71f6a8acce5ccb662

SHA512
f10ec9b098ea822055b2a7c50408552cd64eb271e3a2716b494a224558be670ed5a48d5dc60e4520dfe51c12cb97a675be4833a6e527d9c1b0225d07f78ed86c

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
128KB

MD5
01f455e4a2ad7f3bc79d9749c3bb80cd

SHA1
b091e220900ea600f424bf10d99862ec5f7ea5aa

SHA256
798028032130efde70fe8b88e1f7bfb80019abbe49bcbc9d16c0d6c0b67c3ed0

SHA512
1eafe9fb967f161241ecb66a876b25c00fe4650bc84d50b69304547d5979878961eb4ee371b9fec3c8d5ef145d301cddb9b1e0e1c041ff8a36aa00df36d9a52b

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
128KB

MD5
793496ffc400019868855f8bdc497d3f

SHA1
ea850b2f7a4a16b9a791c218575af2dc4c27492e

SHA256
c72820578c4663eeab50aea1665cde03f39f072e1ed66fac5a29287054ad9cef

SHA512
ae42ff28d67e69516daadabddb8dc6e95622b793b9aee859465019007534abb5a3242df374089ed79e3e7562b4aae7fdf6397c5059e9ef4eb0834aa4ef1948fb

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
128KB

MD5
2885e786c9ac68a6defc190ad04906b4

SHA1
d48efc13ba4d78c80efe45cb4fc04e0e328378e9

SHA256
b8291ae3dcb0323dc43bfca1084b17dcef3eeaca3b2491ea93bc968894a150cf

SHA512
f0cad2b51fde2971572c352876a98dc0a9cb817aabe4f7e1e03faa630a63ad0fb444b269c94215aff12b1e8745f377bef7c4b0c26e9b8ad9d3537899ac19f90d

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
128KB

MD5
d1be2c7b27832f80f115d916ad71c670

SHA1
4c0a7d17edd6278931f50871ffd1ac57ff91e5a4

SHA256
83ddcbc6af111e77a157063e9d8a4ac6b1e0bccd71cbae9cc8e36716fa0dcecd

SHA512
767cabcd2c45770e550439e8611ea624d97268923d12c0f36bbf99f5d4de86aa21df143161528057e713c9610fd06f9463c385788c55fd9251deaa2a5ab973ce

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
128KB

MD5
956a0ba67ff5990197be6ab182125c69

SHA1
b43849cbe331fadb349a6875860c4a3f540b9c1d

SHA256
f33c1b1fdf2b51c7d1f3e20cf1570b5d68f1e1a468229863db8559312bbafb1b

SHA512
e8b975a888fefb02ca5d6e70a20c6a16b2ba02610b3524c253227ec150f63b766e8b8dec872ab63b06cb16f6ae78e04964a8c40cec2d6ff6d95f4b24a7eb1ba4

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
128KB

MD5
00db603e5aa13b226cef9dbf9f05e23d

SHA1
100cdd497204dcae0d711fd9154b1a84d5050476

SHA256
5f7c066905ae06043d808eb15bc5cc33b164596b68a7dd25cd0eb3d8bc846f1f

SHA512
bb394dc4e8bfaf237dbd701e1bb5e69e655b011a4e19003762026a50ab3548066bf29e302e8130e4397be011c086f6cb8bda2ab460994f9d50460a55a03fa398

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
128KB

MD5
040a4c6778b594450b1a8903c4033464

SHA1
6624e034dd5a247a6ac720c0d16bf3ef056f5acd

SHA256
ced73a6abe37e95ccf873a0cb6c110b544f8ccde94f1106d5f3cce172861928b

SHA512
84371f04d9c525d15e8edc849b8fe8da8576a319ea7cdecdac500bf5708bc71b76d61906848ef3e0b448ef61879883fc76b1998b327e4b23174f82668e12be82

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
128KB

MD5
8adf39ceebb2edca598251d335f2f057

SHA1
78508464d55e3b4d83d24b00908f6de18c1e3a31

SHA256
1874e05054f36e8cd27a0253ea7fa32973e1b843043aae38804eee09e9d49430

SHA512
be7a78e92c01c71c22ef305a62b8212d4cb8c5483b0b55009356635aab5aab74b095842d00f9d7d23a9b43ff93a281379d3aef34360e9ce18b44a06e8a31b0e6

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
128KB

MD5
c05c5902eacf08a2e620dbc2a4396ce6

SHA1
d1beeefb5cbfcef1f68d25bbd96dbea2bd6c6d0b

SHA256
9244a52dae267e2010485c5f2bcdfcf3b0da59df2a613a9d9297f72ec6aa6191

SHA512
29d94a9d13ec7479eab062947d9cc0dadb5bdcecfc046740d7c73fb87e34ba541aec729282e3f761a7ec6ced4e25515c36a0458deba336e4fbb7c55f8f147861

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
128KB

MD5
9b27eb409c70dc4b52feea1d31b8e1e4

SHA1
bc64b5d9ce8faa505e632209fb8c1ab204ca8fda

SHA256
550813862b679dd2b060da4ec638ca8f3336307a9a83c5884fb393ed5ab1cfa2

SHA512
cf3ad2071c674c0e94cb66ba24187d452a59d30208e7e32d9b91747c47a5f15ae655536bbaae083719053a721d7a015e03a5c4c3cfa4b428dcd2f8008864eb0d

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
128KB

MD5
1bb9d2028901af4d91ac2c17f66027e7

SHA1
0b410a0ebe359055e00a11ea55463982b03f48c9

SHA256
cf0fb2e208d93e06171e6a474a23e097cf7073d159ed7eba373e0a82de229fe4

SHA512
92de5abb7797dbf02a080ec86e1abc7271fb3db68cc33855370a2e479a159953e54f969f3e91a675259deb7e3e553ab5a222583f623f39bf69b00b43ec0d920c

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
128KB

MD5
7f2b3a36c7381047d953fedf21c5179f

SHA1
7bad22bb4d0c994b4e23b830635e42badd45b3b3

SHA256
29f9bd1bdbb3d1285023dc55597445fd18b0b6a4b0008641a36722b602c9c6a5

SHA512
f526a8ddafc6cdadd830d164ed4d6e9bcb24df634d1652a1036f3e03cd28cbeda812947926a833a635cb0084a6586f407a6c68331ed265b1308f2dc5950d1a61

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
a79a0fa7dd1220d5725ad7afc770b717

SHA1
4e50c88d425a9fd5d45168cf768ffeb318274219

SHA256
c590d6a7bd6a788caf2540e1eed19dcfb08ba90b03967c2f7a74171ab0d773c1

SHA512
353b3fd888d919e5e514356f61904bc0f386feef354137bdb74c9fdd0a3f94790fccf7639f49c1c0070b6609c0720504d70f0c00fb9b17dee7807bba8a78f6bf

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
128KB

MD5
fdbea2a420e390489fe24c2d4448908f

SHA1
02f2014493e7e02cb24aba0bdf08b14bbdf81f95

SHA256
43e1ecda8f2e8dddd1bfff212533aa1ea54cc9b6b367f954abda7e05c0d6936b

SHA512
c3c7d627ad317e905f88c73c37051fbff70d27719c4646e6c429c3f42b0be0b05eb871291b4b8427c5fdfb6debe617f1d2f38c20a4c954db0f88d114b1f9d31e

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
128KB

MD5
71b220b9635aa5c3f77f86a7b9bba611

SHA1
3524a82273fe62cea91669e6840cd51edaf32d25

SHA256
3c0e033e484dc3cc8aeb0231d485ec35a399e9cb1fc8c4112eac4c435cc755d5

SHA512
d7191178df8ec665ebf293559bc5ef5cdeb6ef6316992133ba83e45819d4f1454741e3780813413d342b267b00dba112747d6f0371532bce454489014308d8aa

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
128KB

MD5
c1b05c08785e7f855fa1f47a58149a4e

SHA1
5c46474d734e4f9641deeb0ceb501dfe515566b2

SHA256
06e0f8ade9fffb2ee366e6579c08ef6dfd3028f370772d8ed9ef5298fa407ac4

SHA512
2c9666821746e26466cf6b1885775e1489ae16669013e73a15d47fb2293041114b309512be1707aa632927ba99dbf01e9cefeb7d877f6e3d0417362a663dbb70

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
128KB

MD5
32a806f6096aa878a3b0bc9831a49a86

SHA1
faa9f033b9eec75aaa73cc0b309a90d9e311211c

SHA256
a81c48ce77a326f3ec8852393bcdaa98e40fc37f475956d0226454f5e64ac737

SHA512
3bcc1752ae32b5c59942e1a06633c75b4b4b6a5c8dfb702bbf4dfd69679393664f01686f646941bf9d9c1b563bc5fe8a18790f1e239c3c07fc59209af87d32b6

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
593e617631e72ed52432fedcfff77d15

SHA1
fedd9fab6848ade37bc0bc7eac81fdc22f5f5910

SHA256
8cf08bbddb84c8f8dde3f3030bb5460f61d5f2402f21daa132a1a9a4f36deddc

SHA512
14a295f83c48ea876d1206add315df826e0617ee9abc87213d96d62a0917b275d76dc5b99c0eca9fa03d1af1619259328c11a597cdcaf2c0037db4ec26e6458a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
128KB

MD5
eeca3500735598118305ee5f17a9a3f9

SHA1
49628246ecd70fb3e04077b5777fcf926b95774d

SHA256
bb31ec5bf59e3cd5c04e527f9ff30e04b14ae8c1671ad6fde9ce37bafaacfd85

SHA512
252a4705e6ad2408f6ec898eedf8c8f116a62054fb263dc5bd68da6087014bd5197d5abc1426d0c78d55471ff71ca85d8719d81f7b94f32cbac9c04f051e5dd1

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
128KB

MD5
afe151f3f024476af9b5fa701ecfa67a

SHA1
323c4d19b2eb23bd88cf133db1b18d4ac5fb1234

SHA256
056f10976c18fb087af155bb9cef72c7e57b8ef7198d27615afd107e5156f302

SHA512
ab537522bf55070295c46f199cd083ba5b7deb885e44333cdcc661d53f7f26f64e2756793c8d14c35164bfa120a80c597fe5a726cdfb5e5ed4780c9d5987836c

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
128KB

MD5
41246382f8d57fc2e560fa1f8f91a6ab

SHA1
d1dfe63dba954bde558d071872e81e03211bd82e

SHA256
ca1941a4d4e16ea9741743e0b3ed91ba7a9d15a636f5b958a4739d143fc37349

SHA512
38f88323fc2039810b5d63002a33e6c62b1a77e051f861ac310ae486be80dcfc8fe5731150d35972cfc2df6c0f558ce0ec895b9b9e7e2e214ba33d0da5622442

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
128KB

MD5
d7c46bf4c8d699083f20697e7a0f25be

SHA1
1c49927351f08986d0f0d9a1a4525c114f549602

SHA256
737e6917abaef7da1527d4db068fe0b6b19d0274fdfd581135b481cf72e4ba80

SHA512
d495e36a1083f2a74ae0a1028e3e9af000bceada2a6f49feaa05af1a5097e15add0521352d00cc7cc9f767c988aa31dc08b53a55526aad3a45ad564a7b9d7c2a

Download Submit
memory/232-442-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/892-544-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/892-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/976-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1004-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1008-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-478-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1108-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1108-579-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1112-558-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1112-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1240-430-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1332-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1432-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1468-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1608-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1684-448-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-538-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1788-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1864-322-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1884-354-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2024-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2096-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2100-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2364-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2600-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2624-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2732-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-565-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2796-466-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-484-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2892-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-490-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3096-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3152-511-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3240-496-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3304-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3352-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3420-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3432-552-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3456-514-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3460-545-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3464-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3616-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3632-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3640-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-103-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3896-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3960-593-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3960-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3988-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4000-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4016-502-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4032-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4052-248-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4260-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4324-529-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4336-236-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4504-551-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4504-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4524-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4572-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4744-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4776-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4816-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4864-472-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4880-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4888-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4896-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4932-572-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4932-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4952-521-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4992-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5020-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-532-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5036-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5036-586-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5048-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5068-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5088-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5128-564-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5184-566-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5244-573-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5288-580-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5332-591-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5376-594-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads