70a7ba8e436a025f1f0695f7d9b61fc2ddf0ea09e89de52d7a1170028b617089

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 01:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

886efdaa354d5f134cd5abed4187b790N.exe
Size

72KB
MD5

886efdaa354d5f134cd5abed4187b790
SHA1

64b33a76d341f8be723660c9b36b3b1d131b2587
SHA256

70a7ba8e436a025f1f0695f7d9b61fc2ddf0ea09e89de52d7a1170028b617089
SHA512

b8d658d42df79ae374cf1482ad8714769bbcd1e742f9bfcdf772e0b4af308af88c2ae0f75b7af89c402c1da8316990b804b162d733899ac14b5e565bc2f1b440
SSDEEP

768:DsGge0vZvHf6txVDA/u1mzldkGq4KQRlA0NqLHFGMq92p/1H5dvgXdnh4xg84xl4:D/sZ/CTVizluGTfRWrh42LHa6+lWCWQ+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Neeqea32.exe
3268	Nloiakho.exe
3100	Npjebj32.exe
908	Ncianepl.exe
2636	Nfgmjqop.exe
1580	Nlaegk32.exe
3844	Ndhmhh32.exe
684	Nfjjppmm.exe
4836	Nnqbanmo.exe
4184	Oponmilc.exe
1208	Ogifjcdp.exe
1284	Ojgbfocc.exe
2040	Olfobjbg.exe
3160	Ocpgod32.exe
1624	Ofnckp32.exe
3576	Oneklm32.exe
1972	Odocigqg.exe
3196	Ojllan32.exe
1468	Oqfdnhfk.exe
1892	Ogpmjb32.exe
3784	Ojoign32.exe
4092	Olmeci32.exe
4080	Oddmdf32.exe
5052	Ofeilobp.exe
2896	Pnlaml32.exe
2332	Pdfjifjo.exe
4924	Pgefeajb.exe
4208	Pnonbk32.exe
1664	Pclgkb32.exe
4688	Pfjcgn32.exe
2492	Pjeoglgc.exe
3992	Pdkcde32.exe
4172	Pcncpbmd.exe
4516	Pflplnlg.exe
2004	Pmfhig32.exe
4280	Pqbdjfln.exe
2324	Pcppfaka.exe
4472	Pfolbmje.exe
4780	Pjjhbl32.exe
4772	Pqdqof32.exe
1268	Pdpmpdbd.exe
2424	Pgnilpah.exe
4776	Pjmehkqk.exe
1084	Qmkadgpo.exe
808	Qceiaa32.exe
2952	Qjoankoi.exe
912	Qmmnjfnl.exe
1360	Qddfkd32.exe
4792	Qffbbldm.exe
1900	Ajanck32.exe
3456	Ampkof32.exe
3364	Adgbpc32.exe
2628	Ageolo32.exe
3744	Anogiicl.exe
452	Aqncedbp.exe
3048	Aclpap32.exe
1244	Afjlnk32.exe
2928	Anadoi32.exe
2032	Aqppkd32.exe
1932	Acnlgp32.exe
4288	Ajhddjfn.exe
1868	Aabmqd32.exe
2840	Acqimo32.exe
2188	Ajkaii32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6064	5700	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	886efdaa354d5f134cd5abed4187b790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	886efdaa354d5f134cd5abed4187b790N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	886efdaa354d5f134cd5abed4187b790N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4308	3768	886efdaa354d5f134cd5abed4187b790N.exe	84
PID 3768 wrote to memory of 4308	3768	886efdaa354d5f134cd5abed4187b790N.exe	84
PID 3768 wrote to memory of 4308	3768	886efdaa354d5f134cd5abed4187b790N.exe	84
PID 4308 wrote to memory of 3268	4308	Neeqea32.exe	85
PID 4308 wrote to memory of 3268	4308	Neeqea32.exe	85
PID 4308 wrote to memory of 3268	4308	Neeqea32.exe	85
PID 3268 wrote to memory of 3100	3268	Nloiakho.exe	86
PID 3268 wrote to memory of 3100	3268	Nloiakho.exe	86
PID 3268 wrote to memory of 3100	3268	Nloiakho.exe	86
PID 3100 wrote to memory of 908	3100	Npjebj32.exe	87
PID 3100 wrote to memory of 908	3100	Npjebj32.exe	87
PID 3100 wrote to memory of 908	3100	Npjebj32.exe	87
PID 908 wrote to memory of 2636	908	Ncianepl.exe	88
PID 908 wrote to memory of 2636	908	Ncianepl.exe	88
PID 908 wrote to memory of 2636	908	Ncianepl.exe	88
PID 2636 wrote to memory of 1580	2636	Nfgmjqop.exe	89
PID 2636 wrote to memory of 1580	2636	Nfgmjqop.exe	89
PID 2636 wrote to memory of 1580	2636	Nfgmjqop.exe	89
PID 1580 wrote to memory of 3844	1580	Nlaegk32.exe	90
PID 1580 wrote to memory of 3844	1580	Nlaegk32.exe	90
PID 1580 wrote to memory of 3844	1580	Nlaegk32.exe	90
PID 3844 wrote to memory of 684	3844	Ndhmhh32.exe	91
PID 3844 wrote to memory of 684	3844	Ndhmhh32.exe	91
PID 3844 wrote to memory of 684	3844	Ndhmhh32.exe	91
PID 684 wrote to memory of 4836	684	Nfjjppmm.exe	92
PID 684 wrote to memory of 4836	684	Nfjjppmm.exe	92
PID 684 wrote to memory of 4836	684	Nfjjppmm.exe	92
PID 4836 wrote to memory of 4184	4836	Nnqbanmo.exe	93
PID 4836 wrote to memory of 4184	4836	Nnqbanmo.exe	93
PID 4836 wrote to memory of 4184	4836	Nnqbanmo.exe	93
PID 4184 wrote to memory of 1208	4184	Oponmilc.exe	95
PID 4184 wrote to memory of 1208	4184	Oponmilc.exe	95
PID 4184 wrote to memory of 1208	4184	Oponmilc.exe	95
PID 1208 wrote to memory of 1284	1208	Ogifjcdp.exe	96
PID 1208 wrote to memory of 1284	1208	Ogifjcdp.exe	96
PID 1208 wrote to memory of 1284	1208	Ogifjcdp.exe	96
PID 1284 wrote to memory of 2040	1284	Ojgbfocc.exe	97
PID 1284 wrote to memory of 2040	1284	Ojgbfocc.exe	97
PID 1284 wrote to memory of 2040	1284	Ojgbfocc.exe	97
PID 2040 wrote to memory of 3160	2040	Olfobjbg.exe	98
PID 2040 wrote to memory of 3160	2040	Olfobjbg.exe	98
PID 2040 wrote to memory of 3160	2040	Olfobjbg.exe	98
PID 3160 wrote to memory of 1624	3160	Ocpgod32.exe	99
PID 3160 wrote to memory of 1624	3160	Ocpgod32.exe	99
PID 3160 wrote to memory of 1624	3160	Ocpgod32.exe	99
PID 1624 wrote to memory of 3576	1624	Ofnckp32.exe	100
PID 1624 wrote to memory of 3576	1624	Ofnckp32.exe	100
PID 1624 wrote to memory of 3576	1624	Ofnckp32.exe	100
PID 3576 wrote to memory of 1972	3576	Oneklm32.exe	101
PID 3576 wrote to memory of 1972	3576	Oneklm32.exe	101
PID 3576 wrote to memory of 1972	3576	Oneklm32.exe	101
PID 1972 wrote to memory of 3196	1972	Odocigqg.exe	103
PID 1972 wrote to memory of 3196	1972	Odocigqg.exe	103
PID 1972 wrote to memory of 3196	1972	Odocigqg.exe	103
PID 3196 wrote to memory of 1468	3196	Ojllan32.exe	104
PID 3196 wrote to memory of 1468	3196	Ojllan32.exe	104
PID 3196 wrote to memory of 1468	3196	Ojllan32.exe	104
PID 1468 wrote to memory of 1892	1468	Oqfdnhfk.exe	105
PID 1468 wrote to memory of 1892	1468	Oqfdnhfk.exe	105
PID 1468 wrote to memory of 1892	1468	Oqfdnhfk.exe	105
PID 1892 wrote to memory of 3784	1892	Ogpmjb32.exe	106
PID 1892 wrote to memory of 3784	1892	Ogpmjb32.exe	106
PID 1892 wrote to memory of 3784	1892	Ogpmjb32.exe	106
PID 3784 wrote to memory of 4092	3784	Ojoign32.exe	107

C:\Users\Admin\AppData\Local\Temp\886efdaa354d5f134cd5abed4187b790N.exe
"C:\Users\Admin\AppData\Local\Temp\886efdaa354d5f134cd5abed4187b790N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\Neeqea32.exe
  C:\Windows\system32\Neeqea32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\Nloiakho.exe
    C:\Windows\system32\Nloiakho.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\SysWOW64\Npjebj32.exe
      C:\Windows\system32\Npjebj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        28⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:372
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        42⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        52⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        62⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        69⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        79⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        94⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        97⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        100⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        105⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        108⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        110⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        119⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 396
        121⤵
        Program crash
        
        PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5700 -ip 5700
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
72KB

MD5
78b246ff080b48b153318a436be48131

SHA1
e47f5baea7d2011fbdb4f87ba100585cc21c6b13

SHA256
5fbfdaefcc9aa5191eab399a15c64440a7a1bbce7da07134abd77033e23d97a6

SHA512
c3bddcb8726d32cf3e27b37024a31eb8adcab43f95f765c45cc66a6aff943605c6aea1720299b637d09087635cc9b579188c133408253bca3a885d2067af0a91

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
72KB

MD5
8fed95f8416a44f043c2209ed375180b

SHA1
e260764759daa37cb7ec2e93f9472c5c8005c308

SHA256
6f7878370f2b76bd88d7219e190301cc5aaef5775c16172ee73b7b8e21429e68

SHA512
09b201a6b841079725a44d0175a4530240b2b340fe7ea64aa8ae9e64fd4c6e2340533b0d1d4c9e957d36ade90c50f4286e9c02c751af33d615d95623f050a80a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
72KB

MD5
dfd624cd209caf0d3c02d21b20c8916e

SHA1
054d6a7e11d4da246cd6ff325ce0fc2d55ccbedd

SHA256
6dcbaadc3a2a5c0fb3504e20bcdb864ba6065babbbd390e6b7e33d1041f9e5a1

SHA512
38858cf295c81596abaea6fe20f64b6d134b0b4e7b8ab21d7aeaa7a23e4d626bed163a600d72c495b8ae5cdb6ae26e0f82add8bb8ba6b72d5259df791d861363

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
72KB

MD5
8ff9c59f383fe5dd5b9bd0252efe2eb9

SHA1
d1e1275402c427ccd1ac7aea50ef2d2953fdd126

SHA256
0474a9095f598e0873692552bead9a46ded7bcbb2c0287e14eb0c9131c65ff36

SHA512
fb2ba21e4528851df659ca51097aee1de27f2f3718dda26e9bee1108acbdd3fb3667cbd8eb2e952f25faa15aa6078bf8f04f329235f577ec436b0896cfb4bac3

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
72KB

MD5
7b457221bc3fa78715ce2d6707658ebf

SHA1
ff2404bececd38df87fff2d81d9adace2c1f0ab3

SHA256
54c0521417662ca9758bc6c0ac336ea79cec0447ea771bea6f5fc582bb36231c

SHA512
c7911c44b2ab936f965fdb0e280c8518e9c2ad309f98f74e2dc87a52716649dd45c17ae63830afe75b90e6db1564604e3dfefbd9f99963834022439a7e4f5ef4

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
72KB

MD5
f910190e3da5fe3ea5ff51d0b490b0d0

SHA1
f70c7de702a1ae6ecda0d067fbd1814e5c779157

SHA256
314e7a9cce367c25b2cffa387d1fcec1b6d5b0d4b57173863e09d63255d5dd59

SHA512
802a6a8bb862a5fd678b71feea79b9fd6b364b92e6f67f10d85dd1f656e5a7ac084a56d7ab8b3c8531b782f057322eed3824f3e304b1e299b5482973d4d11629

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
72KB

MD5
21aea8c76a6ee18e451ef8a6eef74af0

SHA1
ddedda0e539065fab247cd4fc535729c4317f111

SHA256
ebe457c79e9994321f73050928c2924ed87152e3e2b91dd0ad1c95be266e83e6

SHA512
4f386958f593369691f1088ce5d40f43e6b64bc74c678b84bd1feaf5a461daa0f041dd253b468b78a86b224dc536a9a6a7f3093a06b78b6bb542a90a1b74c9cf

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
72KB

MD5
a588f538255545e3b76d3ef06169aa6d

SHA1
94bcbba832180c87b39e793913c7e673da02532c

SHA256
09eb15ebdb166083f88d6e6d7184ca31c9712d414dd9ccae1c5295248e8acc02

SHA512
411df81a655266d7342054651c2a246598e866250a14757180f61e8561172415d221ebe5f9c507c3a057f774fdd8fafa5f8c8ffd9948ed7e70c5fa6269b5a6c6

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
72KB

MD5
65f27e6a76e7a1e0d9775db0b06bf985

SHA1
ab7611858a997c30d2fcee27b1e5f92d787f736d

SHA256
d90bc244eac761c1c082988a69214b7431a07b64a9882049901749671b02aad1

SHA512
214228d15c92e21fb63e70fd0f06186458775bbada25056e5939d77c18cf3ae34dbdbe6f650ba643edb9d387b9d46f3afb8a62f6ed2bcfc24d943da8421f35cf

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
72KB

MD5
71b9aebeb7b5545bf707f61d20c17950

SHA1
fbb73eb76a79cbb854a7e5b82b939196ec337ff0

SHA256
db0aaa19c4a3996c61c0e8dd99e0030994a66c3c9306b1698572f87a8a4b00a7

SHA512
9521a164be3d620f9a23b45a605e328f267f60007adfba6d99ca5b67516d80b936dd6ccca8434329f7e58e42a609796ca4a59514c8c6f5535554eb3a9d73a3cf

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
72KB

MD5
701be01c03f3299e69d44a908b876a94

SHA1
256900f173c59a68a7c73fcac36466bb2e84251d

SHA256
28e22d9c22b5269928d562a4dfdaad3ff25cb0c66c5b7a4e8a687a0786125833

SHA512
bfc9b335a787d2fe1621ef06182342dd8815f788acc374c901c952b26692a380c796c7a6a1c6481f28cbfd4b26ac586ba36c13e3d81a1b28994eb344ae969339

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
72KB

MD5
22be63064e357591062961e293e2af8c

SHA1
ea5737746d9e09c67b29e2c0ed809e995c8f6709

SHA256
13a59524294f3f741dfe3be7aa0c42c3ae1259f9cb7538dcc46ae378d951c438

SHA512
c2c519e757ee9c4d04e90aec710dfd85664e13966b23cb3dd342fb6baf9e9c8924c579f6ea99cc7fc028afa9ec5a53261a5f4ce25a8be16910b8ef524e52fc6c

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
72KB

MD5
57ca08ac0de19da07e9af2ecb0df7db9

SHA1
f2701a31acb1d82e4712ea9bca4e6550359047b1

SHA256
5daeea8083cd10c1f82b84cb44928e5825314b64f0c9c4b67068a21a0bb77c95

SHA512
27f592e4b39c52ee4e8ed449020e53ca2618a042ab27ba13f4d8f79f9fe3ecd3d81712580751cc2595cbcd2e7e2788e6ac41cf20916a29f5e9e7aaac55af0e15

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
72KB

MD5
7764bccc5746db1c4ded59666d0b1d97

SHA1
4b344ca919ca06c2819b9d80850aff6317d16d2c

SHA256
2023260428cd0a6720dd31f0bda8358ab2044aeb64b95c3aa6b82de11b409e89

SHA512
11a6a0f05f189215daacb3d39ca498b7e4b8fa99f4910e03e4cf80e4aa27f5e76f5c0da071296fab61f0937f3b6f465a779abb4321b50d83c312c09abb6cd883

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
72KB

MD5
9d4e464c4d1cf305b69d381f617f7f9c

SHA1
a7b190f04d197ebe936ff6f88fc14d7dc8588a61

SHA256
834188b2e7a8259e820f3e5b811b6fe3a87e9d587bb4271d3fa798c369ab0f01

SHA512
4fe1ad90d8d36de5e23b18ed0c2aea38ae1517bbfaf64f106ddfa2f486ad49642bc8cd23d36f8e878220910c358264a682894cdffeda0253ffaa2abb53f7c885

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
72KB

MD5
b78138d8d1c9da53be935ce4b79ad6a7

SHA1
e0de78f137ef97bf23eb9ff24ccab5bb2da16c72

SHA256
e749e4bae5338f13831fba3f1b3bd99193a6b782346e2bdb3da701d047ebd574

SHA512
88efbd125ef1eef2093909067947e413fdc895d5a6ba34e9db978bb165b5ce9fa63df62de3bedf2c7c1e9df8df905304ab8cb6ee97d75ed883476d9f924c0cdd

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
72KB

MD5
fac604fadf43b301fb19e8c4836ec79a

SHA1
e3d09428b32ea212fcd32ccfb36cdba7cde891ea

SHA256
85d9ffe0ed6ad55a9be770d10de886c3a9523b7e7a6ec9c0c27b70f96befe076

SHA512
18c24556b7ed6d42556bc5372e81e519e4da858f033d8538fd1497d4fd19cf351f51f412638b39d876b77ae4537c822883a2f8ee295591a11c6827980a81dbed

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
72KB

MD5
769e260a8d8295ae5dd5972cfc05dfff

SHA1
ebd79f147b731b2fa9b11c35bbe2cbadefea51bd

SHA256
31503746cbf0990776cce76b24e7904fa9624d60d81eee2c776736748e93519c

SHA512
c5439fd608d4c317839806d8730f2fd587f892d8b47d0f3df40b3289c5f405810303370591a52a15c17847045124d3c5f83fbbe0937a12aee0e42adc46e81ea6

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
72KB

MD5
288a493770067722de242db7bc98ee8c

SHA1
62d53350982bafbbe5f47656f5f924cc6e76f723

SHA256
791e1dfa065e56cb15e20be488810db326cf54f6e082184cbf81eede8c9262f1

SHA512
987fa98d4a511d842b7eead2993cd91841decd30e9903d938a74e0bb5f3cf4ecdb001f3943fea8eabfb2ffa0220f081397872dd18f2163d472fb8f9f2bada3e9

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
72KB

MD5
f759d16fe3b907d44585d8b2368c43dc

SHA1
056f60a6e06123eb0a847bb929e618d9e653fa70

SHA256
5445234c686c9a4f6afa51dffca44a218788706ede305efc5a913c4204d6a923

SHA512
53de948f197d76ba4c47e847921faafd9086b2140095837d89551357f611d5a76c12ae9a57700b21c92391188f12586cca54394552c245dfb3347eca668b4757

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
72KB

MD5
7c70fcc1b10f5a934189ba468e09a5e5

SHA1
893d520c5a187ed122e893510317ebba7b2c0f5c

SHA256
dca4b9dc476b0ebdebb78eedb25eff216570e4f0c9a458d51057d6ed190ff1e0

SHA512
b70599785284bb586969017b6da43114855a3104d1162813d3b72cbf2d55fd0c8b6ecfb57aa560733779126a09f790f147bbf0555df340fffd5569e3003596a8

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
72KB

MD5
cb8bbe4400b5dea53c9466d65c52bfb9

SHA1
a2bef15913f9fa3eaa90bf1918bfaeb11be3033b

SHA256
38f78a1d23993948553e5d7666cf7b68efd9325c567d562bbae5e77e20c4e6ca

SHA512
d04ddc7a9ed71179a76cfc45e1da2bde7da80b508a58860adbf28a1535e6fbe530bd76d4ebf0f826e48a5d84e9cf1495740154208fce05a8874e5dd8371cf2e2

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
72KB

MD5
3b817376d9542b6663efe9adbf60ee81

SHA1
23ec4e6f54b24685eeb102a93cba1b51723742c5

SHA256
8b864be9b2f4da9fc76a3e18b0b1bd2635fcd71dcad292fe5abbbf7f1f6ecd38

SHA512
9d3a36fdf9650d84fbe113870a8d677e7b2fc357e608f1c54d204972c02fb59a51a46d9cd70c6bdfda2247cd417c98569fd8b5cc57569fca99d553cf18311d46

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
72KB

MD5
c68ced9bb2f74384113e16d36b5855f4

SHA1
77f7ade5526e920c1f28f0a890fc0c69251aff60

SHA256
a25311f21c0b2076a7f34dd052c708b537f0ecf4a764b618ed25a294f668da93

SHA512
8ca07c19e9f2115b5ad4e4afdac34fb9d1fd40eed6ece6879688d1c84a6359d92630bae9dbf56d73a40c02341fd694ec39b298f0c286e65cf0576264a5217b0b

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
72KB

MD5
5ef46085bf55bbf4a09c603a755b3ea5

SHA1
3d501f641b622e55a4a1da63afb1b7eb680124e3

SHA256
f8d2bc42817b141d243a57d75cb179c6dd02b2359fd24177ce2b0f5b69e48f10

SHA512
5edd35cf231365a366f4c324b31e5a472690228f05e4c7b65fa1fb18c82efac76617e57fc6d595085c23f10ccf1d294edc602be70bc6b67c8b1ad542d40e9a78

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
72KB

MD5
524c686229896a0095c625f2ef49ccf4

SHA1
853d62883fe200a1cff307fe18fba409afb4a142

SHA256
80bc8fc8c37475b165891f5745fb1440c32af919990b940cac6f52b01ec5d32a

SHA512
a546cea189ff3d0466120707a32632bac519f69eec1f15cb32a11fd13094db6ac506ff5ed8c403d4b066d06fea26fe97d0cc8e98e242aeeed70ac24238025683

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
72KB

MD5
276170e1f01b25ed084cbb813b6de1dc

SHA1
2f885f0ec147b6ab4284a98e37df08158567a073

SHA256
60c877d9c2ffc50e12959d4ee8c90bb314f0b3376a192e5d4d6cdd1f4179806a

SHA512
dd8b8983b573a41d48c136ffbbdbdc6493fd4c74d778e9c12eb0ad72da979caed4ed56b9ae7dc47b1b1dfbbd33e183488d533ee8743e173c0e04c6a39ac2f387

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
72KB

MD5
4ef20841e86f65348b14b762a1511217

SHA1
2108067c19c1c3c55e58b002c6f3a8a8c8e59704

SHA256
840f7a08db435d9239c6ea34a3b6adf4e44c2f576db972b167010772d578635d

SHA512
8d45c342ce7375806c4946d5d2d71222757975831c0189da500dfeb850311337c6e3fb2952b2c08418b938e4448907604275bad1069852d2cc095d2d369a106b

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
72KB

MD5
a6e5ddc4207b75884c21e55d460297c0

SHA1
05d4efb9acab369cdcf48e6dbcb3afd23a3ade09

SHA256
86a3f1f02ed507d2d3932fbe146cd871de3d8c870e944251eff385069322329d

SHA512
19f7173c3553e38c2bc4dd6b13c53b7af4eb28ca19084a3ca95ad5417b3621d5ca9a809684be88c6971bce58b3d1a1b24fa9e6b9c8ed27820cc6ee25b3187a7e

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
72KB

MD5
e42bf936d68d41aa03d8607de96b92cd

SHA1
57dd9e4592a480279c77f76e6e74798796eb879b

SHA256
da1983a3b9f2854afbe4f2bc3bdbfc738dc498fb745703970ea347fe0e2ce9a5

SHA512
f35bc971d67cc86f96a26dc8f161697c7319a19b8c089b72d69c006db69b715bed63e0528b7eaa1560be4aa27635de2cfa3373e10c6cbf9207b8131ffca33f1d

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
72KB

MD5
a0d2b2018dd79b68c68929e47d616c77

SHA1
f4201df95175ab3df78c9a3af2bf21d82fe97768

SHA256
afd6eeef758c80009c5c50c3b279efd13a2209c0e5bedaa5cc8c93c0fabc68e1

SHA512
ff7fd2ba234cd6fa2f92bf148603f280b1ee30194c2a59b8086378b457cd91dd2bb0fcda20f673c1fd8b9c7e21b56ecc038468e8c1e2c17cc34cd0038194165d

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
72KB

MD5
410b81fa3b978b44691932cdde68beb2

SHA1
6f0f46f420f0bd39d5cf4701b732a1700b830c0a

SHA256
5de5ad437beaa7dc55e7e1db8bc1ca30aef8e464344615930b532dfe11d7e981

SHA512
80b844a4451aa05670710ffdae1657651b33c79bfd5a39ec7dbf35906998d888616b543dbac94885de876b977a6d0e4c104539262a0c80de66f656fbef1f3fa5

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
72KB

MD5
755422f865eacc21e50ada19ed1973e3

SHA1
874d443050ef6166d400c31e462dc9ff4ff21c04

SHA256
0ff308268108f2122a062d6ea894cecce054c0bc537cb6b3f862a6f55049a0c7

SHA512
9eddd6efa001fa80e2dd9d5aab301291ef20ba8f365d368c51becbb2d6b1b0d7b293819e8449993c7ecf474584d0c3c5458f92a5b088f38818ce46494b75954b

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
72KB

MD5
54d4475bd1226a1c421e2c7adac8a6b9

SHA1
fdc869ac626f504066fc1ed92caf2a3188c95cb1

SHA256
bc7a8eaf9739e16404db589b203d222d01d175e08ecf724f691c098195e51df3

SHA512
86b99728c8c4897d85ceb45649279ee59edf2ecc5aeb54c1be898af93831c4d14eb310bccdc8553a1be9ed81668224bdd96cca050c0e76dff8397f18f2534adf

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
72KB

MD5
7945146c3c37d442bc6ab59faa6ddb78

SHA1
8d8a4fd710e78db03312ed5b1252fc973944f1af

SHA256
d0b3e0d7fb94378f489d9c81ebfbabd598fdba6402f19d95543c17c9e17b9c3d

SHA512
388986055c930499adceac84eaaf923e2c4bfad56252e6f302f5fb129ac8902f7f87820dbf2e56aa181fe7b0c826199990f46bf051918f99ba15ebdadd021c0f

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
72KB

MD5
bc86e9d706d73e2a944a47539b45ab1c

SHA1
7b4db40b1294593ac08e39c12d518c10727ecba1

SHA256
2afa4851e186e7839fa48ed34588d318c1ce03819340c7f8d861791af298b5b5

SHA512
6d680e62d88708712aa40a06f8e6afe8bd402a9527d43823ddef87b189ee63ef13b87a4f05d6f747ca6f2eaee7cd40abed1575cdfad252d338905f8e27d7e2c6

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
72KB

MD5
3e44c82cce518b3b13dddd9a26a85f72

SHA1
fd400f5418fb166ef7a3d78bd55453ffb7655317

SHA256
ab476564efaa8e989620c0685b2ada41e67e3ad2374903ac0f41b74b35323199

SHA512
152bb37df1328248f0b3346960c6c83d86bf7b97debeb20407617fd7d9be05a66ffb792bc6a2e84717d47f12e6ba360bae2172c646f344ebfd40d114fc06e43c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
72KB

MD5
e4d62301b23a2a4904097997536f9743

SHA1
4b6e3732ca5ec009b7db339df6538af5d1c85f1c

SHA256
5785301d344c8a8f22546d055de29293f19b25443bb1de8b810d73fb243b693d

SHA512
25d3c683eae4a204516620b8d3795e2271a7860c8e257b9dbcb3e1148f7485fee91ef9b500acca476726e318b8114cef70eae66d369e86602956478ccbbd3b62

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
72KB

MD5
d5c6c7b44ca52f881d9fceb537a48410

SHA1
e95369943e5d6640b5298ad624c1382d7d9671d4

SHA256
d3de7a3c632f9eb8ef80e9e1439fdb1d6639c7c8fb703219fcf2d094598fbe56

SHA512
78ff30e4cea5b972fad4d1fbc2818b3b7b0a845b8000cc54742ce639fef5940427d67dc0356792fcbd14ca9acd19f8b8968f4c18b2f486c0a082597d899c00a2

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
72KB

MD5
ac9d558fbac71bfea33a4135f546aa5f

SHA1
29fb17344eced62d667eee0f35d2f591b8c1c011

SHA256
cf398b708b07eae62264d418919141aed05e1b793f9d62f889c711256e90b621

SHA512
0b8438e3328206bd6037631dd65d7e19a8e9f733d2da4339e2b580330571ef78aa5cc7da3fadc32638ea36f79be6032cfe8204ea124525d0ee6e33469a77bf78

Download Submit
memory/372-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3768-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5220-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-876-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5496-869-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads