8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe
Size

74KB
MD5

5db82891c2a7352b3143ba5021749d2a
SHA1

da142f58c72a85c188af705206219ac6ef23bbc0
SHA256

8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3
SHA512

320b223cd9c85719b9bef47d8c22bd2e566d2999fa6e325b21248077f4e12c997f9090be88fff98158c6adba249fc97b81f45dafb103bb16e60f6173e7d5821e
SSDEEP

768:BFGipiJQbXn3h8IBYyJODE+UuEnNIqTknafXRmf9lUEjzhygirRMhzQsjyqVUVFj:BFSJ4Xn2IBYyb2qTNQl36EUCKpo9rBC

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe

Executes dropped EXE 64 IoCs

pid	Process
1768	Nnlhfn32.exe
2908	Npjebj32.exe
5004	Ndfqbhia.exe
2792	Nfgmjqop.exe
3696	Nnneknob.exe
2488	Npmagine.exe
2032	Nggjdc32.exe
4988	Njefqo32.exe
1412	Oponmilc.exe
2772	Ocnjidkf.exe
4892	Ogifjcdp.exe
2024	Oncofm32.exe
3396	Opakbi32.exe
4732	Ocpgod32.exe
4008	Ojjolnaq.exe
1608	Olhlhjpd.exe
2280	Odocigqg.exe
4304	Ofqpqo32.exe
4384	Olkhmi32.exe
1488	Odapnf32.exe
4404	Ojoign32.exe
3984	Oqhacgdh.exe
4668	Ocgmpccl.exe
3388	Ojaelm32.exe
4572	Pdfjifjo.exe
5068	Pgefeajb.exe
4228	Pjcbbmif.exe
4848	Pqmjog32.exe
4992	Pclgkb32.exe
1896	Pjeoglgc.exe
4500	Pqpgdfnp.exe
4236	Pcncpbmd.exe
2316	Pjhlml32.exe
1396	Pmfhig32.exe
1368	Pdmpje32.exe
5112	Pgllfp32.exe
2576	Pjjhbl32.exe
1948	Pqdqof32.exe
2288	Pcbmka32.exe
4196	Pfaigm32.exe
1036	Qmkadgpo.exe
4680	Qdbiedpa.exe
2572	Qgqeappe.exe
4800	Qnjnnj32.exe
2184	Qqijje32.exe
3500	Qddfkd32.exe
3492	Qgcbgo32.exe
4036	Anmjcieo.exe
892	Aqkgpedc.exe
2812	Ageolo32.exe
4536	Ajckij32.exe
2196	Ambgef32.exe
4688	Aeiofcji.exe
3976	Agglboim.exe
2712	Ajfhnjhq.exe
1988	Amddjegd.exe
4860	Aeklkchg.exe
4200	Agjhgngj.exe
2452	Andqdh32.exe
2744	Aabmqd32.exe
1384	Aglemn32.exe
4844	Afoeiklb.exe
4372	Aminee32.exe
3784	Agoabn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5404	5188	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aminee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1768	1212	8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe	85
PID 1212 wrote to memory of 1768	1212	8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe	85
PID 1212 wrote to memory of 1768	1212	8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe	85
PID 1768 wrote to memory of 2908	1768	Nnlhfn32.exe	86
PID 1768 wrote to memory of 2908	1768	Nnlhfn32.exe	86
PID 1768 wrote to memory of 2908	1768	Nnlhfn32.exe	86
PID 2908 wrote to memory of 5004	2908	Npjebj32.exe	87
PID 2908 wrote to memory of 5004	2908	Npjebj32.exe	87
PID 2908 wrote to memory of 5004	2908	Npjebj32.exe	87
PID 5004 wrote to memory of 2792	5004	Ndfqbhia.exe	88
PID 5004 wrote to memory of 2792	5004	Ndfqbhia.exe	88
PID 5004 wrote to memory of 2792	5004	Ndfqbhia.exe	88
PID 2792 wrote to memory of 3696	2792	Nfgmjqop.exe	89
PID 2792 wrote to memory of 3696	2792	Nfgmjqop.exe	89
PID 2792 wrote to memory of 3696	2792	Nfgmjqop.exe	89
PID 3696 wrote to memory of 2488	3696	Nnneknob.exe	90
PID 3696 wrote to memory of 2488	3696	Nnneknob.exe	90
PID 3696 wrote to memory of 2488	3696	Nnneknob.exe	90
PID 2488 wrote to memory of 2032	2488	Npmagine.exe	91
PID 2488 wrote to memory of 2032	2488	Npmagine.exe	91
PID 2488 wrote to memory of 2032	2488	Npmagine.exe	91
PID 2032 wrote to memory of 4988	2032	Nggjdc32.exe	92
PID 2032 wrote to memory of 4988	2032	Nggjdc32.exe	92
PID 2032 wrote to memory of 4988	2032	Nggjdc32.exe	92
PID 4988 wrote to memory of 1412	4988	Njefqo32.exe	93
PID 4988 wrote to memory of 1412	4988	Njefqo32.exe	93
PID 4988 wrote to memory of 1412	4988	Njefqo32.exe	93
PID 1412 wrote to memory of 2772	1412	Oponmilc.exe	94
PID 1412 wrote to memory of 2772	1412	Oponmilc.exe	94
PID 1412 wrote to memory of 2772	1412	Oponmilc.exe	94
PID 2772 wrote to memory of 4892	2772	Ocnjidkf.exe	95
PID 2772 wrote to memory of 4892	2772	Ocnjidkf.exe	95
PID 2772 wrote to memory of 4892	2772	Ocnjidkf.exe	95
PID 4892 wrote to memory of 2024	4892	Ogifjcdp.exe	96
PID 4892 wrote to memory of 2024	4892	Ogifjcdp.exe	96
PID 4892 wrote to memory of 2024	4892	Ogifjcdp.exe	96
PID 2024 wrote to memory of 3396	2024	Oncofm32.exe	97
PID 2024 wrote to memory of 3396	2024	Oncofm32.exe	97
PID 2024 wrote to memory of 3396	2024	Oncofm32.exe	97
PID 3396 wrote to memory of 4732	3396	Opakbi32.exe	98
PID 3396 wrote to memory of 4732	3396	Opakbi32.exe	98
PID 3396 wrote to memory of 4732	3396	Opakbi32.exe	98
PID 4732 wrote to memory of 4008	4732	Ocpgod32.exe	99
PID 4732 wrote to memory of 4008	4732	Ocpgod32.exe	99
PID 4732 wrote to memory of 4008	4732	Ocpgod32.exe	99
PID 4008 wrote to memory of 1608	4008	Ojjolnaq.exe	100
PID 4008 wrote to memory of 1608	4008	Ojjolnaq.exe	100
PID 4008 wrote to memory of 1608	4008	Ojjolnaq.exe	100
PID 1608 wrote to memory of 2280	1608	Olhlhjpd.exe	102
PID 1608 wrote to memory of 2280	1608	Olhlhjpd.exe	102
PID 1608 wrote to memory of 2280	1608	Olhlhjpd.exe	102
PID 2280 wrote to memory of 4304	2280	Odocigqg.exe	103
PID 2280 wrote to memory of 4304	2280	Odocigqg.exe	103
PID 2280 wrote to memory of 4304	2280	Odocigqg.exe	103
PID 4304 wrote to memory of 4384	4304	Ofqpqo32.exe	104
PID 4304 wrote to memory of 4384	4304	Ofqpqo32.exe	104
PID 4304 wrote to memory of 4384	4304	Ofqpqo32.exe	104
PID 4384 wrote to memory of 1488	4384	Olkhmi32.exe	105
PID 4384 wrote to memory of 1488	4384	Olkhmi32.exe	105
PID 4384 wrote to memory of 1488	4384	Olkhmi32.exe	105
PID 1488 wrote to memory of 4404	1488	Odapnf32.exe	107
PID 1488 wrote to memory of 4404	1488	Odapnf32.exe	107
PID 1488 wrote to memory of 4404	1488	Odapnf32.exe	107
PID 4404 wrote to memory of 3984	4404	Ojoign32.exe	108

C:\Users\Admin\AppData\Local\Temp\8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe
"C:\Users\Admin\AppData\Local\Temp\8f75cd0891f84463e838d2fcc4af34957a21ac67ca073245a5166e83f4ee90c3.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\Nnlhfn32.exe
  C:\Windows\system32\Nnlhfn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\Ndfqbhia.exe
      C:\Windows\system32\Ndfqbhia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        34⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        46⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        57⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        61⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3760
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        81⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        82⤵
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        88⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        90⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        97⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        113⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        114⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 408
        122⤵
        Program crash
        
        PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5188 -ip 5188
1⤵
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
8b49537b52ebdbb9f505dbd9b26d2b22

SHA1
b07c1ccc7256c2a12225c2442b3d36d29dbd766c

SHA256
e0d5868c1ade2344d8f6d7d79f95f55df45b3de04354164542fcd89f5c4b9688

SHA512
f22de865da94f1d3fc6bb2c29877535320465059f73de274f2d1350bff5835ae9e6ad7422252423277ad242f4d38f594abb14d001ddb91e6762fdff1455b25cb

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
74KB

MD5
783f7e24956b6807f30b0e68e978d0d5

SHA1
10ce6687770ce49660d2b600e8d46446ecfcf963

SHA256
201b9a7f0f257d78a74e144d718706c1ec4172eb797208f3c76d7f4ab2bae772

SHA512
0057f18e536668ed262d242a0e0106e692e62687b0e02b26f7d5bd512da3b5c848a74f43d6a37d0fd04988d130ceb2f5062c076673d13551823e0102dad1b5dd

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
74KB

MD5
079e24eed32ba08680d00c2e2e8b7fb9

SHA1
57c436ed076b336db12ed4924c5031f70e553987

SHA256
9359c62d1e0c4010b36dd4312b8acae817acefdc10356c803741547bbfd07289

SHA512
d4210ce5e9d61fc5ae9cd64031dc1056ee1a7ede7dc7ecdb7e06f862aae4041b9cbc0380636c3e857fb1caea84c616de1df5ef345943be5b909fd2f06c362d95

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
74KB

MD5
dfccb990bffeb1e316cf06dbd8a90e15

SHA1
de040b8ac0bd14294f484e6ea0cd84772e730164

SHA256
8bee9118ec3ce2a76eeda146502611e950b10312faf600ac29d2b8a8ecdff629

SHA512
4fa578b06172c4e2aa92e300e2e8880441b6f33a39c3d898af12a6214a06360443cdcbe1ef2e1812119407f7899333d1dce109ff14893caefd607859617efefb

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
74KB

MD5
cb9cc25ec11ecfdefa15826df164f109

SHA1
a35c4de9361763a36cb60936c23488a261fc115f

SHA256
4c2c9c52baeebdfd1f8fac6a4344dcc894d988c1f455673ad507efcd3b21511d

SHA512
8a2f9f0b58a1efe360c99b9c4104d0b95f1c5004c3440580d22d9380932d62a90c55568df37b94e532785c942bece08dacedd9f70446e75c136f3b8be7439580

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
74KB

MD5
5048b639b58ff7bdbda664a4234718af

SHA1
323f1ab629241f21714496aecefe7898641fd53d

SHA256
5f1904dadccd269ddff305b0320297de0eb9eb92e924ce10de2fb8fb669711ae

SHA512
35825ead6b3d88b681c819d75df7c7892dfc5d3ac836d8b971a5e8ceb460e72be17f0b022dd6d2e52b8fd680641a3a40abc757198dbe4901b62276dbe74c5b79

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
b44e27a2d0a765499b9b6b38218f4f3e

SHA1
9d92117bf9a30218ef5f9a6d0dd377e7f5ff0452

SHA256
94c35fbe4c78270333e016f5926384756190d87e5bb894145b4d6ec204980285

SHA512
fe5577e7f034ad6a7e80a96c00d5f0d732a28a07d55c59774090983a50d599f627323e35b5aa02c2afa24f107dbfe8b2063d5a0baa8992a66ceb596a64341f04

Download Submit
C:\Windows\SysWOW64\Empblm32.dll

Filesize
7KB

MD5
97b0ad362b42eb4a3ae0b9c65df07d94

SHA1
8bcae8942feebc92700c262c01831338d1dddc72

SHA256
694faecd9e9ff3e5629215004f492ef6ba4a8e80353d5038414ec05d185d7384

SHA512
ff228aeb161b4cd2d760497e9b253ef96fa77fd4520a2bf4556e29b9d80292d29261b22272ed7d5cd671f77f14b4f25576d85e2955a03d6e5079358897f3d635

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
74KB

MD5
94c543385d432c412b2caf3b652c8301

SHA1
cefbed8916243d7ce223a2f181361e26f6cc6217

SHA256
301a49c7a154ae602ba2e10e7fcdab893bd099690ad5f3c82ecd8b88aace2bc4

SHA512
17129446f663b23ff7665a04dbee06787fca201078a26709487638a395ac7bb07c5df17625cc6e7fa5f8a22224ed7967cfe83f637ed7e2ba6fe8b7c745ebe9e4

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
74KB

MD5
85d5eaee07444cbc3152ee8084a8708c

SHA1
9cb9e47ede2cf6509a429c27ebbbafe297879cdb

SHA256
4de605fb8951d603a288eaa2869b1c13fbec205d4c2ad59f4a15adca3a6d5de6

SHA512
6cd573bb2233bddd6e82007fe3682da61ceeaa25a0e00b8d763c78e4fa0ed8765c6bad185408a633d116a7e5bc55241c28f0098791110265685d24812efd0167

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
74KB

MD5
f09f586e3e40d818dcfa634d74b07081

SHA1
3069bbb4d449fdaac8eadce3b504181ecbc6fff7

SHA256
9e2576a32be985efac9063460de9f1f7dcb54d1a8bee72b8fd3fb96ab0ae6a66

SHA512
b15368b05a3e4ae8991dc85cd4fe222e142706838ef74ed96b8b2f0a05fc261cf07800c2efae8cefc686f34009a2d946cb4486cf9dcc29a5e5ae0616e3b5d83b

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
74KB

MD5
6ee958c6a9162c2615172cffa877b33a

SHA1
e705e331003ea8ebe0110dd750803b3ded758a32

SHA256
476558a1d8eaa870f6db533f7d5454220ffd638a192dd3441e6e8b0004b8116b

SHA512
c4c9030f56a06c5371e66bd024a1f2b1258d340805138acc1eb72a0c6c73eb9846332f9eb841450936b4e96ec7b2a3c7b01b445500c761bf06174eae70f60744

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
74KB

MD5
1a19a358e16576e00c4f17b8b86c7299

SHA1
87ea621bc23c3f77ba04b57d9801db8a9d332602

SHA256
b8fe7441feb82e065cb771bd058def15acdfe09fbd6eab530ecce0e824d11326

SHA512
162168104db160e7fa148bf3e8a3c801a0b5599f09092bd92d0fdba7c6dd66aa67db4338464065c121ec542b25fc561ecda1016e28d98bc1c6428c343e1bf5b0

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
74KB

MD5
e71f9702b0ff3d4c45fa53c24ebb2fa2

SHA1
b9d0f0aa854e2639eaa596dafca99fedbfe26f4c

SHA256
b1acc85afb75a13ac543ca0466f1272d4a9a2be96d6e77ca27284a39ee12c814

SHA512
2c14a88a562fa2f72f6defb6ae38b6fa61697ffbe1dc8fe06940b89b055727e97f73750d398af4264be3875cb67915f72d66d497b6113f18e7e329b7b56c36cc

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
74KB

MD5
941d05f7603102e8dd38c91aceb4aaae

SHA1
6ef58969797b21438ad4e3b9e93176d98a6d762f

SHA256
bf4513968dabd023da5ae9277bab2e20bccc6fdee3cd8684e2aca5011d9f0b6c

SHA512
99b9a10b31b626c1d43a92f08e7b046f39f88a9229a28b7e0de07012890e16917915cd70e9fc909c6e244baf9a5681e218301f2de8e0700347da7f96fe985e0b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
74KB

MD5
0d31e2e2d9946e10d4ea1922106938c5

SHA1
9cb747d6fe66e6565a0d6c9c6083e6054f8e6de6

SHA256
c469bc5c1005c61574efb231fc3d9e6e2d8145cd3a4c61597e7a33691cf9b546

SHA512
bec194609bd43a8fea2e720f95accb3952232a44278ca0d9211c768bef0b89d27722677c8c8085529b7347f14d2a412ab9ef15da05a99f7be224e661fe1fc3fc

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
74KB

MD5
456f1813ffc2fa4e3e449a0bda228abd

SHA1
efd24a665c7b2a5aa73ce1acde7228bd69901535

SHA256
f8bd1937530648224e8a26b09a4d2e876beedeada6ede48f0905588ca9913383

SHA512
4bc9ab980e2fb8051b95d45ebf32515b919b09c4ed5e08a6cf8ff3f99875caf9e6ab447f4b61d34efe2720b67e17cdfe35088fcbc62d1ee6120479180bbea66e

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
74KB

MD5
ee1d052cc150bbc364f92deeeb916402

SHA1
7163f55cea31a9d86b9d859d8041589fcb75009a

SHA256
27e0582472f89c51e15cfd58600ccb97c2b8c8088ae6bdded69a5fb3c6bd1447

SHA512
dc26b48b937955b5a4abe46fb7084082af84e2babbe15a4e4c60dba7d9957cc2979c67e0ea5ee1a7c31ee1a839f7149c5bda85c7d548540c918c80f0b2fb7383

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
74KB

MD5
fbc7490a27032d1fe8316fd42903dab7

SHA1
7060975c3e33cdf45f1e6d63b33084c992ccb544

SHA256
ab111486f2311a0c60a865ab637877a569512448e95a378bb441f620bf15002c

SHA512
6a14b9943233f08da8dc3dff150b114e3ccf071b37733eed29f970c39ae1e675223b573d9e661513f13dc198271e14db58dd34e9fcf81600fcad3cd52f5e4020

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
74KB

MD5
fad1fb0c0958446fabb8eb925e2a53a5

SHA1
a51708976d467e680b50a25eabc687ce4057523b

SHA256
4b33d76a56b33af2c1e0db839037c499e0e9a8e366219ceae42089c9716681a5

SHA512
c2e5f63cef074ecd08b6b8e9de60c5756154df51d4a5e05c148e78c9b46133c56b773a9066015fac037c9fa71bdd347409c9fe7ab8c37d9cd70f2ce57d7eefcb

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
74KB

MD5
ffff51dbcd8f97340b96f13df08d6811

SHA1
8585326431bda84875655a0d746cb0f9240660c6

SHA256
5ac76f560521a3375acd382e6e69ce8bef9f72a7870e4736d5ced535088a6411

SHA512
eaa40f61c68431290735843ca28ffb15f72af4889626ff53cd3c0cf43165d08fa03f22ab88be64fe4475f3299693355729e927c16dff1998da8cae9d5e0a1143

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
74KB

MD5
09c569b3206cf2742dacd8a6765f7c03

SHA1
b9ee64e6046118bfa4b3f7d2bfcbb7bc4641d3e7

SHA256
66388c933ea928965a9b623da2d35b8d51262ffedc09428fec3fe2e30901b1b3

SHA512
151e625c5696bd6216cc991d853eb55d13b1997ac42ff16304c0521dd0af8d3b1700af3c9ab81d9db75d236fe565fff75043c383dc0d5a4d6401341eea60b016

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
74KB

MD5
bd53961b24177d635d9655c27df0b359

SHA1
7ebfcc23b9da4c3571ec44fa146829dcee407c58

SHA256
8aeed01eaa64c9d2a1e5e554344ef178c458352dee1bfbce2ef239b90ecc0663

SHA512
a2bb19c9f42fe34084c5d3564557e3c472b4133fdc9671c12d0e66793295ad052f1514c7cfee3dd7f4a537df8a52e5dcc0c3ec102ee14135b3fa23d4bcd74565

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
74KB

MD5
a605252086cfb06886d6cf175bc2afb3

SHA1
3ad1dfe50a90d1f5c64389efd60cb67f8acec432

SHA256
fd859b5320457123241eb802d08dc3de038231b140135a631d84ce569c6205c0

SHA512
a70d2b7d32667f84af433e9f2371524d4bceac2997a8af4b5342443fda42e9ca35e805cef4233e051ef696a28d12baae8f23dd09f68823924a8da4434bc087fb

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
74KB

MD5
3013135fbbc387c7f93c6527826905f3

SHA1
19c629e30dfb257692c7af1975fd30251db03b45

SHA256
0efe008e24c108f3c49efbf0c909e1add0266f90fc4b7d09b2695fa283d485d3

SHA512
178eef14ac8700eac7c7285b242cac982e29217c874f9f3c6e630aea16f9ec1db4795c4ce4c2efb9133fd97415eaa57f728c40190d74e71433e112a6764414c3

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
74KB

MD5
4f9fea6899b181cc4e918c3e90a31982

SHA1
841249ea28a957db2ce70d5051e191e809a781b9

SHA256
c03f09c4293e16033bfa612a993b5bb451179dc78381750f963bb4bcb27004b9

SHA512
26ab8a60e5ab006b20438d18b643cdad68bb91fe05ba170a5bafb4c3c435f4171c2acd6feb2325c003bef2e42a6b2fd0898d4c53f9b710a2a31382917ff4b31b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
74KB

MD5
5a1f853eed9ff4958e73f9350c454651

SHA1
c4ee98e71401535cdf7f9c1721e754b076077d42

SHA256
457d30be9885c2c135869a21789a8f1c72ec7b6be4b996bd9e55976be36c04f2

SHA512
a496e31ec685208e5f89249bc39a723f2c0a36c4fa518ee44131ffbd93783109b1fa12e776710b80baf9e2ccf2c027e6f9ea7ac38449459ab413f314c8187d9b

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
74KB

MD5
748f9dfa91cea27900b9f326f82e1525

SHA1
b24c2f236ac35f6939aa20cbc01390e8bbca303b

SHA256
b1943e416c000a21dfb9f50b39eede9043544226d5e79aa043666ef631880071

SHA512
3f6ba54c8cbf97ddf30e6e6c638c50c9d520f6d077cddbd0e208c873c3483dc5227fc5200fba195bc059eaebf14c59926c853d64e82900938a0bf701a383e68f

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
74KB

MD5
3e5b30b097429351c0013aceeb183d00

SHA1
b6d47ad677b6c748207f2919b3ddb076adcb78be

SHA256
5188b919c22c472fdf9b4460d2e203e293d5749bf169dbb781c41a70eb57ddb7

SHA512
5535684e9d018433893bb68e7aa4d536d73aa16c009c8567c36fa67339781a6f6d4aab36da84aed5a6d5a87bdc9a22df0c4557229659c40509204e1deae8fcd3

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
1f34d8f4ce06fc15aec34a7efed2de1c

SHA1
e159a5799757ba7db69eeb119d0b59150215aee7

SHA256
d743c17193a22120dd843d138928c3c5c5d269c7c07c6915f85a11d66f2b50e5

SHA512
9c94f26c114ae8af95352662e8eddf82b47756d311ae6eceb7bbd46305a6b37114a73e15da968265a509107a30b58998da3e4739967450de01f91f813692ce28

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
9e528f213e0218f99be658b6f772b978

SHA1
ac8406bae8749f8e0dffd896dbb3a888314d3934

SHA256
dc81f074b6772ca8763ae1133fd3d6f6e6e1e68c4ceb5e05fbc56dff18afd323

SHA512
af0ec17c2feee7239788b14de56926666fee145aa3d3e4e1f610710c7297e79c721739df78296890fca1989480827480c44ce6925a701fc55094a222b4db9c2e

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
74KB

MD5
b0e23acdee897aaa8e94876cffd8abb3

SHA1
6e174fa93acb706a1393830e65b31d7165e58622

SHA256
f16bbb2c0b5c4539870d504caad9abf46d49e5bca607b04ccebbec7625b9d816

SHA512
c07ecbac89541365b5b713014aed368f59330d27969588a72fa08ba6432d2ccafa9efac542351f263410979e63782462f1b82df1a7659f6bf183572297a0f228

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
74KB

MD5
82ae6be9d3949f42ddeb0836b73e8e81

SHA1
9b41d3d49a27fcc799ff24619bd79fcd57f652cd

SHA256
3712ea97ae61c70b1d2a34b50164dee99b079fcd1ec0a950d958ba791195ee60

SHA512
d5419430e2952d15e77eec41e4eb9da3d0f4a1d10473b68ab216fd525f2ba2ab50ac1638857df8973edca59d6b72f99059e318e35dc152e8d23a70197ee2aee4

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
c02ec01ae4a23de9fac27ab11de9b42b

SHA1
a6673d37977a036d688e9c8bcf69e26eba57d609

SHA256
9da87a505d8155057d03c2585e8990db9bdd9c77a15ba3ca8da8c0bf234bb9ab

SHA512
9de189d126730b488b2a34762bdc9c8407f83ce761a91470e8705f38d00dd434955b0a5aa7bf18e983782776c520f4b76fd058fe1711c73ba2cb37afba06d89c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
74KB

MD5
eb632e92356eaf6738a898c77c638432

SHA1
0645c8b6b53098597a512b5e1af76feaa8e8aef6

SHA256
29f1f362b6b26ad73d5c0fa3cd1de9d93600439873752c5edb3d07d164055f68

SHA512
7bfac0e0b6955ab77c356f5a366d109d2f07b9b6a41000c65501bb3b513d2decc596b25af7c0330fe5f181f6bfbcb0165843f2e03b62733ae33270961271dbd2

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
74KB

MD5
ca73f43756cdff0e1a3d21f5d79bea45

SHA1
7309da8711cca641e61012843a03add44386979c

SHA256
c0f756db8766fa5e043ecc4c73dd84ddd0af120c131fc757cf50d4d306c85124

SHA512
d005abfcbeee1820b69d816446bb96edf2c03466950079bd2158d42e19be13c324e521fbbb205b6c5dce28b6d7139913f6c79bd9f8c3dd09805174e31211d9d4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
74KB

MD5
9362ab6d89717d062685d939d1ee8a0e

SHA1
77510f6b75198623cc600d11c11ccfe15ac1a579

SHA256
a0a1a17477bcd0ad48cd05603f29001d71884dde1fda80d64ac7b6802e94eeb3

SHA512
4fb773e655987443c7e35d87f2ee2eaaa2a200e903d438ecfd59fcf48738974002a4a0e408510c577b22a4da5feb773715fde48119e7f08f1cb1218b88645ea4

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
74KB

MD5
c3708d7454bed59b0c3636b75d640f37

SHA1
fb8eeb2f2b6300506a231e6f8f17fd2dcb7f6778

SHA256
062305dbe90c4580c9ca112878083cb45182cd2ac5da115048115b148870136d

SHA512
5e185e3a1a9121e4289a7b8670fb2a9d0e0c8f5bf9409e9c136330833ae6c5f3cb04fcc41170d745d5b62e16a0e2c7f68f1db6665b8a2bedbabe28e57624669d

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
74KB

MD5
b57fd8a6c86b7482ea5169046c62d3e9

SHA1
3c1fafa6a6315af3b0fdc8756362a67f09c8eefa

SHA256
c53c6af9a3590f3e224557ba955706fe69df7ea8a70e8251d31718e6e99f4841

SHA512
a441157e63fd63a94c6a79f33b52425c19df36b80c97e0eb983554560e7a55b0f3665d9db821f66b3caa8c1af36f769cc5dcd0dbe1053cd4c4647f738570c975

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
74KB

MD5
f3ee1945578c9b622e27b7e09d5de5ea

SHA1
4b69472a06b4ef91eee50a8c48fddcd48f56f785

SHA256
fd0be76c9898838a8044a1421e1fad72310213fc4001a365cd4ce69e4c77cc5c

SHA512
b023505b131dbaff10364afe140f955ac3cbd87f0e9e2ed01a56b8d4fbf7d66b9f211906e59ca109094f4b021d2fc1e67c788924ad45fb8f682f3ea2fc57f22c

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
9ad07d454e9fdf86e0214b4301abef5f

SHA1
3ba1696271c3f35dc9d27965fd55aaaf643ce4c2

SHA256
4c4acda232d73e9769bd5365cabb1734146f7987060c90624e4178182eefa01d

SHA512
c99386ab35400432086002511ae31927cc5733f49d8d62004fb4268df4d9893918fbbe7111b836aa055449da69abb3ed73757bd94bfdb1f8da885143aeb25f6f

Download Submit
memory/640-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/652-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/892-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1036-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1180-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1212-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1212-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1336-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1368-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1384-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1396-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1412-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1540-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1644-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1756-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1768-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1768-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1896-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1948-296-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2024-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2032-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2032-598-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2184-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2196-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2288-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2316-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2452-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2572-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2712-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-550-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2744-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2772-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2812-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2908-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2908-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2920-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3000-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3228-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3388-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3396-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3492-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3500-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3696-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3696-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3760-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3784-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3824-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3884-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3976-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3984-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4008-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4036-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4200-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4228-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4236-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4304-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4372-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4384-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4404-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4500-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4536-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4540-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4572-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4668-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4680-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4732-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4800-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4844-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4860-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4892-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4992-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5004-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5004-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5068-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5112-284-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5132-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5176-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5220-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5264-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5308-599-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads