ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5

Analysis

max time kernel
133s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Size

407KB
MD5

75bb4d662d2b02f5dc3b432aa33a534f
SHA1

1972e49098f076e70ef7291b54ad4539b5ce694b
SHA256

ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5
SHA512

43b2da73e65021efddf48f91dc2b57a8729f71b5caf281b1b181c7528ea4845295fa63f19155b5b5c3d95dafbd9974d6dc412b416801bb615a63a301df792757
SSDEEP

6144:fUhuRQTpui6yYPaIGcjDpui6yYPaIGckSU05836pui6yYPaIGckN:DRGpV6yYP3pV6yYPg058KpV6yYPS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe

Executes dropped EXE 64 IoCs

pid	Process
3332	Nphhmj32.exe
4844	Ncfdie32.exe
3508	Ncianepl.exe
2400	Nnneknob.exe
4672	Npmagine.exe
4124	Nnqbanmo.exe
1212	Ocnjidkf.exe
3132	Ojgbfocc.exe
1384	Ocpgod32.exe
2172	Ojjolnaq.exe
2812	Ocbddc32.exe
3728	Olkhmi32.exe
348	Ogpmjb32.exe
3180	Olmeci32.exe
3932	Ogbipa32.exe
2448	Ojaelm32.exe
2396	Pcijeb32.exe
2252	Pnonbk32.exe
5000	Pqmjog32.exe
1120	Pfjcgn32.exe
2912	Pmdkch32.exe
2784	Pflplnlg.exe
2212	Pmfhig32.exe
3080	Pgllfp32.exe
4568	Pnfdcjkg.exe
448	Pcbmka32.exe
4348	Pfaigm32.exe
1736	Qqfmde32.exe
1464	Qjoankoi.exe
2428	Qnjnnj32.exe
2352	Qgcbgo32.exe
4752	Anmjcieo.exe
4964	Ageolo32.exe
4552	Ajckij32.exe
1224	Aqncedbp.exe
440	Aclpap32.exe
2908	Ajfhnjhq.exe
2528	Aqppkd32.exe
2552	Acnlgp32.exe
2820	Andqdh32.exe
3428	Amgapeea.exe
4424	Acqimo32.exe
2532	Ajkaii32.exe
2688	Aminee32.exe
1800	Accfbokl.exe
3416	Bfabnjjp.exe
4516	Bnhjohkb.exe
556	Bebblb32.exe
2648	Bganhm32.exe
4492	Bmngqdpj.exe
1780	Beeoaapl.exe
4868	Bgcknmop.exe
4872	Bnmcjg32.exe
3140	Beglgani.exe
4864	Bgehcmmm.exe
1288	Bjddphlq.exe
4020	Bmbplc32.exe
2068	Bclhhnca.exe
3536	Bjfaeh32.exe
5104	Bmemac32.exe
1244	Cfmajipb.exe
4600	Cmgjgcgo.exe
2976	Cenahpha.exe
2596	Chmndlge.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5728	5632	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3332	2904	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe	84
PID 2904 wrote to memory of 3332	2904	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe	84
PID 2904 wrote to memory of 3332	2904	ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe	84
PID 3332 wrote to memory of 4844	3332	Nphhmj32.exe	85
PID 3332 wrote to memory of 4844	3332	Nphhmj32.exe	85
PID 3332 wrote to memory of 4844	3332	Nphhmj32.exe	85
PID 4844 wrote to memory of 3508	4844	Ncfdie32.exe	86
PID 4844 wrote to memory of 3508	4844	Ncfdie32.exe	86
PID 4844 wrote to memory of 3508	4844	Ncfdie32.exe	86
PID 3508 wrote to memory of 2400	3508	Ncianepl.exe	87
PID 3508 wrote to memory of 2400	3508	Ncianepl.exe	87
PID 3508 wrote to memory of 2400	3508	Ncianepl.exe	87
PID 2400 wrote to memory of 4672	2400	Nnneknob.exe	88
PID 2400 wrote to memory of 4672	2400	Nnneknob.exe	88
PID 2400 wrote to memory of 4672	2400	Nnneknob.exe	88
PID 4672 wrote to memory of 4124	4672	Npmagine.exe	89
PID 4672 wrote to memory of 4124	4672	Npmagine.exe	89
PID 4672 wrote to memory of 4124	4672	Npmagine.exe	89
PID 4124 wrote to memory of 1212	4124	Nnqbanmo.exe	90
PID 4124 wrote to memory of 1212	4124	Nnqbanmo.exe	90
PID 4124 wrote to memory of 1212	4124	Nnqbanmo.exe	90
PID 1212 wrote to memory of 3132	1212	Ocnjidkf.exe	91
PID 1212 wrote to memory of 3132	1212	Ocnjidkf.exe	91
PID 1212 wrote to memory of 3132	1212	Ocnjidkf.exe	91
PID 3132 wrote to memory of 1384	3132	Ojgbfocc.exe	92
PID 3132 wrote to memory of 1384	3132	Ojgbfocc.exe	92
PID 3132 wrote to memory of 1384	3132	Ojgbfocc.exe	92
PID 1384 wrote to memory of 2172	1384	Ocpgod32.exe	93
PID 1384 wrote to memory of 2172	1384	Ocpgod32.exe	93
PID 1384 wrote to memory of 2172	1384	Ocpgod32.exe	93
PID 2172 wrote to memory of 2812	2172	Ojjolnaq.exe	95
PID 2172 wrote to memory of 2812	2172	Ojjolnaq.exe	95
PID 2172 wrote to memory of 2812	2172	Ojjolnaq.exe	95
PID 2812 wrote to memory of 3728	2812	Ocbddc32.exe	96
PID 2812 wrote to memory of 3728	2812	Ocbddc32.exe	96
PID 2812 wrote to memory of 3728	2812	Ocbddc32.exe	96
PID 3728 wrote to memory of 348	3728	Olkhmi32.exe	98
PID 3728 wrote to memory of 348	3728	Olkhmi32.exe	98
PID 3728 wrote to memory of 348	3728	Olkhmi32.exe	98
PID 348 wrote to memory of 3180	348	Ogpmjb32.exe	99
PID 348 wrote to memory of 3180	348	Ogpmjb32.exe	99
PID 348 wrote to memory of 3180	348	Ogpmjb32.exe	99
PID 3180 wrote to memory of 3932	3180	Olmeci32.exe	100
PID 3180 wrote to memory of 3932	3180	Olmeci32.exe	100
PID 3180 wrote to memory of 3932	3180	Olmeci32.exe	100
PID 3932 wrote to memory of 2448	3932	Ogbipa32.exe	102
PID 3932 wrote to memory of 2448	3932	Ogbipa32.exe	102
PID 3932 wrote to memory of 2448	3932	Ogbipa32.exe	102
PID 2448 wrote to memory of 2396	2448	Ojaelm32.exe	103
PID 2448 wrote to memory of 2396	2448	Ojaelm32.exe	103
PID 2448 wrote to memory of 2396	2448	Ojaelm32.exe	103
PID 2396 wrote to memory of 2252	2396	Pcijeb32.exe	104
PID 2396 wrote to memory of 2252	2396	Pcijeb32.exe	104
PID 2396 wrote to memory of 2252	2396	Pcijeb32.exe	104
PID 2252 wrote to memory of 5000	2252	Pnonbk32.exe	105
PID 2252 wrote to memory of 5000	2252	Pnonbk32.exe	105
PID 2252 wrote to memory of 5000	2252	Pnonbk32.exe	105
PID 5000 wrote to memory of 1120	5000	Pqmjog32.exe	106
PID 5000 wrote to memory of 1120	5000	Pqmjog32.exe	106
PID 5000 wrote to memory of 1120	5000	Pqmjog32.exe	106
PID 1120 wrote to memory of 2912	1120	Pfjcgn32.exe	107
PID 1120 wrote to memory of 2912	1120	Pfjcgn32.exe	107
PID 1120 wrote to memory of 2912	1120	Pfjcgn32.exe	107
PID 2912 wrote to memory of 2784	2912	Pmdkch32.exe	108

C:\Users\Admin\AppData\Local\Temp\ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
"C:\Users\Admin\AppData\Local\Temp\ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Nphhmj32.exe
  C:\Windows\system32\Nphhmj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\Ncfdie32.exe
    C:\Windows\system32\Ncfdie32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Ncianepl.exe
      C:\Windows\system32\Ncianepl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        49⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        75⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3372
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 408
        92⤵
        Program crash
        
        PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5632 -ip 5632
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
407KB

MD5
3ba3c6c9db0e071de09c1f3204382008

SHA1
8e999f8b643919f69d943871bd80a8fb99abafd4

SHA256
73e7e96cf55d6ba49fcd0a19d4d2c874d7c7e73480126a73099598b0ae18dd98

SHA512
695fcd72401f4f5834091fe9e51b0e0ff094f7e945de97947b1754394f65bb94347744a35a6c29f7a511c02cba42005d78d21616a57a92d5f10391b12bf22e98

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
407KB

MD5
bc9f34b9938ecb7f6bb5197a42638e04

SHA1
ebbd273d7fd8ea11d402b09074845da8136a74ef

SHA256
0a5229954b9c2ed2acd6f0645e678602e4a18bd857262780cd24d512ee309697

SHA512
6e86725336f7005875ce51ddd0fff709e000a47f2fefd987d0bb1b8b2ef20889fcfd266e4ec856ff2c1b047ca0bd9052c97f0a09b186d4ee5ae7a127cef7e0b8

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
407KB

MD5
093702cf7f0a1e06e13e9c2276d9e88d

SHA1
8d17bcc80c042d2d590f4f6094cadfb3ccbe4fbf

SHA256
a077345b54c3d84365ff8cdbd796ea49731a82804d477779f8ae3e3e8b7f0888

SHA512
fa037bde9f15c12c42fd868685a0cda9b1b9b80436bf839469f257ed7671a91986d8993c774fb40ba29ca1306eda49bdbc93bfceab18ef17ec659d1126a0bba1

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
407KB

MD5
52721d56a3fc0db05910dc851a2a35a8

SHA1
5b99ad1488d49099f56ab59665a64eac6ad4c171

SHA256
fb6d7f61a51909551577acdc76a6ca1d62b65d935fae4d0943c9314b147e703d

SHA512
898435d7ff3063b8351045288273fc0ae019c1e4b9ab9527cc466a3f0026a0cbb2b37707971a2d3260313b216b31c25ff8c59e27bfd689dcdf1d17aacdb42e77

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
407KB

MD5
24175eeae3c6d9a070ed404412e4e87d

SHA1
495ca0292c081244e414749b6a29288e1a2272ad

SHA256
32f84ccf28a6f8effad41ee7386e0637e241472cb0e4d34f5d7d43756b7ee31e

SHA512
16bbdf555ccc22b4382eaf13a148256380566b05f4f1f27ebfb9b23e6d958928d64ce99833d6ebc26d137e7259a18f81522e10f3788966a7998d063a95a3fc85

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
407KB

MD5
a30980e5d3596601efceee0d6692349f

SHA1
f8b541f75a806a36edf69f6a5a45d41b28694954

SHA256
e06dd8bb92ad48dafec91b95006e9554092d7c8000f4e7f09d2a76c4b9405797

SHA512
d32512a340d191beb76e6f805ddc1b5811a59b38a48edec26e60a542dcfa5657ca937afcd5b4f34c95aaa3330e466a76b1ef1654314914cf5769c45195dc63db

Download Submit
C:\Windows\SysWOW64\Gcgnkd32.dll

Filesize
7KB

MD5
9210403af51db2f31e80a7508812a871

SHA1
e6d4c7806872357860299efbd55e5719c06c2f34

SHA256
2cb24aeed5bcf7a635fb2eb0eb30d590f3e8f67bdaa08e2cd21f5da14157f750

SHA512
3fc7589f8066f61be0332a71c94e033f6cb1c8076c50cb9d221bf734ce465ae2eed2b8eb2a94dd0f452c94a2cf615e3c37cc4fae8b6a8872e3e2bfa329fd5852

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
407KB

MD5
09d707a17e5a62dbaf884722b0826875

SHA1
bbf0b2c60e371632a7e9b0a5eb7723b8216be270

SHA256
71b09a26effb69a88a89a37c9c7268c966bf9da3231fb9a0aa59a2a212fb9616

SHA512
0887c720ee3bec0e1a2b5d88cb5de3bfc7b8e99853918700e24204ddf3b9a7b9ad1db42d7814403d111c41b7cc3a8134d6ee845d3be89cfbf4d4388f51fd1b12

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
407KB

MD5
b3d2077872997947740cd7de48a1e283

SHA1
dbcef08323369729a0b85297b3b225226ca35974

SHA256
c0fc167b6f0a2261e3068801907aa1925ed5e307e7fd9548f0739d520141a3b3

SHA512
03b27c4eadec1b1d18a495fe3332f8107f1ff4b518b28780816d1c5fd5f039c1aca793c22dc6e429b22034c90fd9995923a316c0187df40deb368a16834730bc

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
407KB

MD5
1c44aeebb64af5a009676eac0fdf0b94

SHA1
d5582bce9b908b30c0abf887bf816cf3e87e1c5e

SHA256
4b0f2c78c81d6bf539e8664781e52403ead9011535c56babedeec7df0ea632cb

SHA512
464bcded579a646ae8597c57b06369fa9964e698a4e4720d369a757628925035e709c1a5c3593886227a02a7343b84befea184dbfe7486a38e68bab9498977d9

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
407KB

MD5
a18d0561d99d9c7c56b14cbbe4fab37a

SHA1
b103787f4213284ef126351360085e0cf204ac24

SHA256
8ab5d7b09d4bfdbb033af576253f4a340595e10dc87574ddc6a6a5928ff95ce8

SHA512
3e34b4dc6f023d1cee5947e1314982f72a0304d8c0f397354c5d94c1dd78dbf77c1531ef238138a02359c5b8c3d2c0b2e70dd3bc5983ba53b9038c00f872806f

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
407KB

MD5
da206a95406cbe52326a0a456ed60879

SHA1
b3118e08fdcf285e7966009c0c89d0e987407cc1

SHA256
a1d16eaad6ce0d8450c586bb80d1bf3d11ce083468e70f4fb16741ecf6ad7edf

SHA512
c847f2cc4142dc51137342a08fd19eec70acacec04858d09e67db7f2d6497c597671e50a953dd7ec657d9940b45e03f08317daba1c90a51fcc65bdcb2c9c8e91

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
407KB

MD5
bf9eea5a07743c42b08a282647f33e1e

SHA1
6f7a127f8471104e2f75d9d1d978da644ca21db8

SHA256
d7fc610918a8b74a5e93778aa93642aa03ae7ae28d4819fc28b965b74fc6fc27

SHA512
54448e6b7fdc039437d8f667085c1266ccfa89afb2b194094e1aca709b4cf87a89edd1763dc1fb2b5564dfd2ac6b2ad9be8288801090560434467b4f376e1c0e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
407KB

MD5
e9f36d47a3395b4e135c44412f364874

SHA1
75f7aea03a8ef9bc9ea73a0575b6bcb293b5f560

SHA256
21e24f74854c4ab3662b4535bfacc9d3ec4ce903c4bb39c26d754104997156f9

SHA512
d5547ec58b1f7a04dc31c41eb49f10b5bb6c6f64c7a8b2f27c8d6d4ea370a875a492495611fcaba3018aa8174588c7647680c26708cf755db90859ef7d0eff49

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
407KB

MD5
82b1c59074c5be5977941a51c77879f7

SHA1
8aeeb40ec1c59ae5e2538eb7ad16a21342220214

SHA256
7c77cfe9da1549d6796acbdf197fa105c2a830030179c37010642faf91d7866f

SHA512
650b85502e927824286636ae88c05bf481a72539d3d45aa0630ffa7867d524006119917737a95b7cb2175f8d1c9510e3487a2922c9baa7d592669eeaf2fa1890

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
407KB

MD5
ccbaa27072620e5eac67804c542ad6e9

SHA1
6b09a5d32334ef1304aa3aa584a2030562b0c110

SHA256
0ec5f6f0d00c2f0180edaa26559720e9da30140d71669a0f84b1031eefcd4fdd

SHA512
5bfccd10af27ca03e2490a8ba3c17f926d935c68f1547e8d7be781511eaded8494af75c1f8ec6eefdac2bcb3945a84964812c68a9e44a6086c0d88d61721a6fa

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
407KB

MD5
7aa451605ee1eed5a25d75aa802dd5b9

SHA1
72682fd4276aa4d2f30bb65e76c6cb79e084067a

SHA256
43ba19fc8db24684692fc39ab16a72e875de69703605fbe46b17fc23a87e8bc6

SHA512
9024cb9206935e56695d97cd28c58c563b4205a54e73f253b93700633ff735d85dd7f89ff8b6524d2a7bbc0d61629d32816d13cd2080f059ebe39bda284f661b

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
407KB

MD5
3c2408ccc404547789bef65ff40d8c66

SHA1
2bfefa26af69152e71d5da9bbaf7859ee50fb11d

SHA256
67e83cd31aecdd9da430ce5b05129514198992b9d3e7c62e409d38c349a40b66

SHA512
d40e5e23be4d6a34b90c58ddd56e1c2ee8d858f3a9d20e8b8da9517c1bc8deed4faa90a15be5097e9f33dd0aa4c8361aa28b9de04b739f9664b21213df5dbeeb

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
407KB

MD5
2a4dee0ca32dcf6511cf22ceb2807bf5

SHA1
f88e48f6baac9d29b803f0f81d38b7e152c3cdd6

SHA256
eb21eb31d2f1ee538f9cc01a23413827b550cba8b305ec250a9233b763134800

SHA512
3e37bedc35187bb272c442f0844c749fee20db07df6d543f0a3f61521fc8bbe06795704c2fccd8484e85e9f8d760ae2b092cedc235b22795664822f3cef4576e

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
407KB

MD5
ea2842bea459d6f718b02767f5009a75

SHA1
614893153afc910929a9b9d845a2e949fa75a559

SHA256
90d58350ad1c15f8822c489eff954d37e9c7d56cf255a43f3795123c5a76c73d

SHA512
b789f4f7908bf2fd0b57ae3e80cdc75a46af3c92199816510180f43ee407503d2b9fae23ae3ae0b156350853d6b9f6667aa9be79425a0c685d1e0231514a33cd

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
407KB

MD5
4de13703e9e39bcaa346b765f284e644

SHA1
35853e369594d3cb02492a53a581408172ab8ad3

SHA256
690d952e7208bd2f82004431b74ae3c2f1e3a992d6906166126b793e15e866b9

SHA512
8ad20814ad695e6e078bbd27a9e8eebeecde80cc4feb9f1f3d05c3c13ee031570866111203eb39757055bfbdbf7f3c4bc3febe84c8322ce6521888651425592f

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
407KB

MD5
aca30661733a5491b0ea6bc91267b3b7

SHA1
9741a8ade942cc4db99ec999373647e807fdcb1a

SHA256
6a0ed80ee69befd46655b482746a06904e79f4f31c6b231ae1cf5f054e97705d

SHA512
6d5beaa4b8de761a8121bf4957a2f7e4d2d5bb87481b1f0d18cf7d7ceb99fb7d7dfe00543706b8cc512b122b413d1b4f9c0e81850e3284cdefc899aa69dfd311

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
77eed0805c6046488a024432d0fe3b0e

SHA1
be8cee7c0ac9b2923a1365bd05d7dbbdba49cd4b

SHA256
37512e7f5e0a18d05231ed8bcd7d0aa5463515df89db98f9d4d9330a010ee461

SHA512
1d75dd66a5873ae368c3efb1bea805af100a555ed982c36ed6228eac39f99f5fbb9a72c3beb44c3af0e484664c4b3ef20a2408ebe952da61f40c0f33fdd45555

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
407KB

MD5
28699cb7e39a0091519ff327c7145c9e

SHA1
a36099b147b5ad055522d14d4673a1c1f13a3abc

SHA256
38984754d25e8d62cbe012400ca5effa801a87b105bc37483e37ae1bc8fb0310

SHA512
1b4dea461323a21148ee3ba56b444d5b27a248c4a3288a3d5760dd559823210f27e256f4ea97ef80859dca097cedced5c593a8762dd8344afde5ba96f7425a8c

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
407KB

MD5
e64dcfcd0eb9e568f92b87ff502aa4a1

SHA1
87c9a375246682c647736155762abb7024c3c8e5

SHA256
1e2b1bf4bd8c0dbae37566670261bdabdc1aeaf6e11736b6af0055f00cad5a21

SHA512
587fbcde3a7132846f9dc298db2f5b0c0e7452400deba815aec2a4f5da5f800dc5b55a1e4b9b6c232aab681a10fd995404a9e99a9101c1e0b7224d29e042b061

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
407KB

MD5
708f8a400614753ad21cf2a74526323d

SHA1
0d110b0d38f7196cbbde706acb90f487da444cd4

SHA256
1517f31a3f916868de097f33e98d65f918e9ccfe3dd9477ab7558df119a87d49

SHA512
441c6f370aa77e714902f00901e385a55d7c121e506cdd4fef0b25af9bd49851e8d9b5100c4f82b3a3ff310bbcaba3ef3163c4d13029243646756b001e24acbb

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
407KB

MD5
2a20b7057287cd8220c05cb28cf952a1

SHA1
50f7a8818b96d1a39e8985a0e3fa831f37effe04

SHA256
37964cec91bab7ae70b7dc405f195f5da00898622e23777aa428b44fcab10b8a

SHA512
14fedf0239d5009517c809a6deef17da9ec127be01ccede49c20a8475b7214a4b185625616ff48b29775d092d33e89740741b041ac4b39ee2187e556889fcbb0

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
407KB

MD5
2019b3c9cd2c574dc4723c7cfd5bf090

SHA1
deedb56fdb1a8920ce2b11796098795f42068c9f

SHA256
fa04db44255a932532feaa42805656f1b091869ace2621658972c9741100414f

SHA512
246d4ad8e7f1befc3d5eddcbf619e17a124e06c71652548299538dcc8229b7c831886ee94c7e82a0b165705fab962339a6dfd90a8d8c6dfb156282a45d8374e0

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
407KB

MD5
71a1c022e22c2af3a8958ecf39907444

SHA1
7c5b498daadaf7748b2b86e357b3c6daac4af955

SHA256
f058dc06ab8a260ee94c087c46e4b1d99a3394fb1331af90769496cc55096881

SHA512
0c671f29059c429c931f0276b585d9d09a11a48d85d0ec722efe1d62db4b0024a52818ec4d50b1e881f42e1a7a75753c9a8604552f204d68b7f71eb3c2a96875

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
407KB

MD5
c8bbcb91e1ab5548263576b09cc4622a

SHA1
aabaa693fbd818ece667c706a9bad79216265320

SHA256
0e4267f510c3d917fae93989f51bc42a45cb4885b8d55d08e6bc95f64ec5934d

SHA512
1d4aceee34ce058e0aea034aab8f22cfada1af59930011a73e4f8279c6102ec71ec642b33a8cf3e63327312b1a65a2baf252bd67f48ada8da8e7bc230af446f2

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
407KB

MD5
68387921feaa1fa6f966b387823d8c7b

SHA1
50d00e648668bafe67af13659340338fec68ceaf

SHA256
4137ba3e268c364aaddd4493a61a67a4e2a6b2733fe90f4808612e50fe95840e

SHA512
20be7152dff0c9171fe44384a7dbb896e394d21e9c06548d6b78eda355a034ce5713b1e582aefdaadc1bfa4f1121359d13b412562a9da15d7dd8c16d4b6376fd

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
407KB

MD5
d1251f0d0b41452b86590b37026e1bd4

SHA1
f2852d01cd996f4d9ceecf75d13f1dd72820c183

SHA256
7a6f410a1d608d34b3ccc9e9919609c26f7147b350f8137642689f24732ad60d

SHA512
cddcd851c3a63e988f88fe59dd39bb095848b5f80ab024f7e2ee9867ab727c4ab75cd0eb3ff2873f91189cbb2b001144da4ec503129734ce66dae434cb4f9a5c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
407KB

MD5
25a5dd41a766b5c08ed2578e59f9fedf

SHA1
cca53eb8c99ea674740f4d7f82d9b3389c100911

SHA256
5e7fba58761010070aa547fa4cadc27e7a45e07fe8b0424d7d684028fd8e45f5

SHA512
6ab3226fab4c24c2c914a032e0a5af6ad704cc630e03c9c0517c475c0e7dd576871e47f1ca4c19f6648a83c0c1b566822029cb54141231f67dea64e74df7a51b

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
407KB

MD5
b0011ade323bb9417af9f09497524d87

SHA1
e45b5b6ebeb90fa9327dc88131c7b99ec562c56f

SHA256
2211f51716be5fff180a7cdb75e6ac23e788dd3064c6e8ddb140f3ba70963d38

SHA512
fd27924fe8df88dc16dbe8ad80cc539758a0d6ddf6da32e5eec2e6013e1a0217a08a86006cafb218b47b6c29af64934ebd9905c0fa0cf7e4f1595013f0ce18f7

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
407KB

MD5
b10b204fb77b740841845f62a3a76d92

SHA1
7e07a1a8555cc6b48e54f32103c5681b5accb0aa

SHA256
ea1aa01c9251addf6f6bbe35b7c1a24fac3eacb1a00fa4a05c69494ac91d97c7

SHA512
511e275aa0645934a0cab16adfc6b5ad3b7bd7e42d28fa7eedd030d8721cb91f391ad02968bad810c612c9e7271aa1269f38db84e9052b6d51959564396a83e5

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
407KB

MD5
3c66598aacd28d27320bc287217f569b

SHA1
ae7c033ad77f6a246fcb3f64fa76a9ef2e918019

SHA256
d28995a3ba23f624bd544a6e1b92c6bf033bbf61f2ce43f377ec76e738b065af

SHA512
f3230a1184d1dc7ab63fa18057d3942d92546a47a2c9d0760f964e4fe22878e6ddd952ec8600de278f8c334307097f7a7821eb05de28249056abc5dba9bcf70e

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
407KB

MD5
ca8dc2703b67de36db9fdfd36eea986f

SHA1
bd9cb49d8ba7bf237360ad6f141986493c4cff5a

SHA256
6ef4e4a524a3053f2b094247965ff9f9ecd31cd804e396a32e16faec52a4b397

SHA512
2f49446c5b3d768bacf87acc567e2527c561611790a9687977b5706a1fab79ae216ee7588d2cbfdaadda54c8f24e81528a9258b11f942dbbffd1bd27b05dda78

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
407KB

MD5
0fe42ae6ffd78fc4bb059429d858bd21

SHA1
242e3b31c70da4954184d9bbb71b6c874f2b2d85

SHA256
ff49ca19654057342241540f4db8d90aaebaedc2986203f78b088c97d49684a9

SHA512
bfa89e224761da6666816e27b0a2406858b72fda7109f73c8ed8d2c422eeabdda17f4591211805f0036951c3cc442346a5b2122b925029ef4fed24eeb1f6f3c9

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
407KB

MD5
371949ef4d45083bc91df747f894cf28

SHA1
d901a1aea443fc746de7473e1413bd2fe12a4d9c

SHA256
b8ce62ea71dc82e2a14daed1e5f436735231cb42f96aa33cda9790370e8f38a2

SHA512
decb6c2d61692dfc3d4d068e57ef7aa2eb9b0e2e60cecf91c89ef9b6c47090d3d5bbebc2c055849a1fb014b23bc11d342c9870380bff35737194763c1e782ac5

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
407KB

MD5
4f65127df309a96007dd82472c572830

SHA1
0e131a86ef7c56dedd9ae885de807342f7265b39

SHA256
1af4985e8b8e2db466f77f353713c689b3b6d000113730fa8eb83b9b55511fff

SHA512
2cd4b5f6099adb4e929adec961efde2beed836bb0d7c0455003bbb0837d572a49fafd8a0f95fa873a8e758c2b29bf5c60dde540a4d7e2496c19a00abb6459b36

Download Submit
memory/348-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-688-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5272-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads