ace52d6bd972c404dc7a9378faf78ce25697423c8e6e90d4554904543c855b7a

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f2e3f315723f295ef850dd8564cad90N.exe
Size

77KB
MD5

0f2e3f315723f295ef850dd8564cad90
SHA1

233adf9b6b50897dc908a37099cb6f6c35e2f895
SHA256

ace52d6bd972c404dc7a9378faf78ce25697423c8e6e90d4554904543c855b7a
SHA512

e6e5bcb637fc83b15270ddaf57a229f0189f888780a27dafbbd663c75a6ecfba9e28f6c1159a049863961c08515cc4208d0100c8ed4de4b0c64650304d35f921
SSDEEP

1536:q7DU/8RjvrbDPFsYfYZDSZ3Ba072Lt+0wfi+TjRC/D:q7DU/8RDXpvYJu+Q0wf1TjYD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0f2e3f315723f295ef850dd8564cad90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe

Executes dropped EXE 64 IoCs

pid	Process
3292	Ndcdmikd.exe
4048	Neeqea32.exe
2492	Npjebj32.exe
3816	Ncianepl.exe
3136	Njciko32.exe
4172	Nlaegk32.exe
1448	Nckndeni.exe
1668	Nfjjppmm.exe
1260	Nnqbanmo.exe
2140	Oponmilc.exe
644	Ogifjcdp.exe
4472	Oncofm32.exe
1244	Ogkcpbam.exe
4068	Ojjolnaq.exe
2880	Oneklm32.exe
3080	Odocigqg.exe
3076	Ojllan32.exe
2272	Oqfdnhfk.exe
4776	Ogpmjb32.exe
1084	Ojoign32.exe
4164	Olmeci32.exe
1940	Ocgmpccl.exe
3052	Ojaelm32.exe
1952	Pmoahijl.exe
4788	Pdfjifjo.exe
4640	Pfhfan32.exe
2852	Pnonbk32.exe
4448	Pqmjog32.exe
3396	Pfjcgn32.exe
4752	Pmdkch32.exe
3620	Pcncpbmd.exe
1656	Pflplnlg.exe
2672	Pmfhig32.exe
1316	Pgllfp32.exe
3944	Pjjhbl32.exe
2924	Pqdqof32.exe
628	Pcbmka32.exe
2928	Pfaigm32.exe
2108	Qmkadgpo.exe
2296	Qceiaa32.exe
960	Qfcfml32.exe
4648	Qnjnnj32.exe
5076	Qqijje32.exe
4292	Qgcbgo32.exe
3828	Ajanck32.exe
1640	Ampkof32.exe
5100	Adgbpc32.exe
4592	Ageolo32.exe
3012	Afhohlbj.exe
4208	Ambgef32.exe
1756	Agglboim.exe
4176	Afjlnk32.exe
3456	Amddjegd.exe
3844	Acnlgp32.exe
3800	Afmhck32.exe
2324	Andqdh32.exe
1004	Aabmqd32.exe
3276	Aglemn32.exe
3176	Anfmjhmd.exe
2228	Aepefb32.exe
4360	Agoabn32.exe
2896	Bnhjohkb.exe
1536	Bagflcje.exe
2500	Bfdodjhm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	0f2e3f315723f295ef850dd8564cad90N.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	0f2e3f315723f295ef850dd8564cad90N.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5212	6044	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f2e3f315723f295ef850dd8564cad90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0f2e3f315723f295ef850dd8564cad90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3292	3596	0f2e3f315723f295ef850dd8564cad90N.exe	84
PID 3596 wrote to memory of 3292	3596	0f2e3f315723f295ef850dd8564cad90N.exe	84
PID 3596 wrote to memory of 3292	3596	0f2e3f315723f295ef850dd8564cad90N.exe	84
PID 3292 wrote to memory of 4048	3292	Ndcdmikd.exe	85
PID 3292 wrote to memory of 4048	3292	Ndcdmikd.exe	85
PID 3292 wrote to memory of 4048	3292	Ndcdmikd.exe	85
PID 4048 wrote to memory of 2492	4048	Neeqea32.exe	86
PID 4048 wrote to memory of 2492	4048	Neeqea32.exe	86
PID 4048 wrote to memory of 2492	4048	Neeqea32.exe	86
PID 2492 wrote to memory of 3816	2492	Npjebj32.exe	87
PID 2492 wrote to memory of 3816	2492	Npjebj32.exe	87
PID 2492 wrote to memory of 3816	2492	Npjebj32.exe	87
PID 3816 wrote to memory of 3136	3816	Ncianepl.exe	88
PID 3816 wrote to memory of 3136	3816	Ncianepl.exe	88
PID 3816 wrote to memory of 3136	3816	Ncianepl.exe	88
PID 3136 wrote to memory of 4172	3136	Njciko32.exe	89
PID 3136 wrote to memory of 4172	3136	Njciko32.exe	89
PID 3136 wrote to memory of 4172	3136	Njciko32.exe	89
PID 4172 wrote to memory of 1448	4172	Nlaegk32.exe	90
PID 4172 wrote to memory of 1448	4172	Nlaegk32.exe	90
PID 4172 wrote to memory of 1448	4172	Nlaegk32.exe	90
PID 1448 wrote to memory of 1668	1448	Nckndeni.exe	91
PID 1448 wrote to memory of 1668	1448	Nckndeni.exe	91
PID 1448 wrote to memory of 1668	1448	Nckndeni.exe	91
PID 1668 wrote to memory of 1260	1668	Nfjjppmm.exe	92
PID 1668 wrote to memory of 1260	1668	Nfjjppmm.exe	92
PID 1668 wrote to memory of 1260	1668	Nfjjppmm.exe	92
PID 1260 wrote to memory of 2140	1260	Nnqbanmo.exe	93
PID 1260 wrote to memory of 2140	1260	Nnqbanmo.exe	93
PID 1260 wrote to memory of 2140	1260	Nnqbanmo.exe	93
PID 2140 wrote to memory of 644	2140	Oponmilc.exe	95
PID 2140 wrote to memory of 644	2140	Oponmilc.exe	95
PID 2140 wrote to memory of 644	2140	Oponmilc.exe	95
PID 644 wrote to memory of 4472	644	Ogifjcdp.exe	96
PID 644 wrote to memory of 4472	644	Ogifjcdp.exe	96
PID 644 wrote to memory of 4472	644	Ogifjcdp.exe	96
PID 4472 wrote to memory of 1244	4472	Oncofm32.exe	97
PID 4472 wrote to memory of 1244	4472	Oncofm32.exe	97
PID 4472 wrote to memory of 1244	4472	Oncofm32.exe	97
PID 1244 wrote to memory of 4068	1244	Ogkcpbam.exe	98
PID 1244 wrote to memory of 4068	1244	Ogkcpbam.exe	98
PID 1244 wrote to memory of 4068	1244	Ogkcpbam.exe	98
PID 4068 wrote to memory of 2880	4068	Ojjolnaq.exe	100
PID 4068 wrote to memory of 2880	4068	Ojjolnaq.exe	100
PID 4068 wrote to memory of 2880	4068	Ojjolnaq.exe	100
PID 2880 wrote to memory of 3080	2880	Oneklm32.exe	101
PID 2880 wrote to memory of 3080	2880	Oneklm32.exe	101
PID 2880 wrote to memory of 3080	2880	Oneklm32.exe	101
PID 3080 wrote to memory of 3076	3080	Odocigqg.exe	102
PID 3080 wrote to memory of 3076	3080	Odocigqg.exe	102
PID 3080 wrote to memory of 3076	3080	Odocigqg.exe	102
PID 3076 wrote to memory of 2272	3076	Ojllan32.exe	103
PID 3076 wrote to memory of 2272	3076	Ojllan32.exe	103
PID 3076 wrote to memory of 2272	3076	Ojllan32.exe	103
PID 2272 wrote to memory of 4776	2272	Oqfdnhfk.exe	104
PID 2272 wrote to memory of 4776	2272	Oqfdnhfk.exe	104
PID 2272 wrote to memory of 4776	2272	Oqfdnhfk.exe	104
PID 4776 wrote to memory of 1084	4776	Ogpmjb32.exe	106
PID 4776 wrote to memory of 1084	4776	Ogpmjb32.exe	106
PID 4776 wrote to memory of 1084	4776	Ogpmjb32.exe	106
PID 1084 wrote to memory of 4164	1084	Ojoign32.exe	107
PID 1084 wrote to memory of 4164	1084	Ojoign32.exe	107
PID 1084 wrote to memory of 4164	1084	Ojoign32.exe	107
PID 4164 wrote to memory of 1940	4164	Olmeci32.exe	108

C:\Users\Admin\AppData\Local\Temp\0f2e3f315723f295ef850dd8564cad90N.exe
"C:\Users\Admin\AppData\Local\Temp\0f2e3f315723f295ef850dd8564cad90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\Ndcdmikd.exe
  C:\Windows\system32\Ndcdmikd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\Neeqea32.exe
    C:\Windows\system32\Neeqea32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\Npjebj32.exe
      C:\Windows\system32\Npjebj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        24⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        37⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        52⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:616
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        74⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        75⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        81⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        85⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 404
        114⤵
        Program crash
        
        PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6044 -ip 6044
1⤵
PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
77KB

MD5
17c840c884642e38102bd85fa0c0c9b7

SHA1
34957accfc49704692977a25b4ee13b95adeda6a

SHA256
77cd2f8061af9f73ef30d691c678a0bc4904aa866bb9bc00efd939b09b220d25

SHA512
7c963448f2f5d6c97216d562ef3f24285b22cad97b8f1e4d66096d71fa41e9611e1fbac30ac531340b8cf3d88df97fdd5edb0d8edd48c09a591403cc2f87ab04

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
77KB

MD5
7b765eb434703ddc9c9946dea3f1fc49

SHA1
597efcd9214a940565c5f8e034941b27b1e8fbd3

SHA256
6913c06e2e5dbc8a8e172ef8b9aa9a3496281e481ec99d5b16032019194e132c

SHA512
6ed98edd85456bec6dabb65d8fd8f971e87f0697e63d797398f442eabac3b36574158d5a9cdd3d4f7f2b1a046fa0a8443f1b9fd152bce1755ed50a4881c7c7f3

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
77KB

MD5
264705d8aee3eba069963eb2a97eb492

SHA1
c258a3a4349faa5fdff24099700bfce8cc1b218b

SHA256
9d0907733def079fdec91419eac976e4a2e1c27ceb6e64158343a3b1a075a304

SHA512
a221ae3475f6689a4d768bcdde97216faaa0448adfcaf3720143995a6fcd1fca775c0735c076b127655f80eed70c4c5c652c5491d510846765d5011f4e892e43

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
77KB

MD5
d7ef07bc5822478dcc613bc77b62bce1

SHA1
8c20a2f6688c3bc3b02f5b2847a5fa11d25206b6

SHA256
437442fdfbb12b948af6ce19eff51d8117b3bffb5b4dd175bc1c6e54ced71046

SHA512
6ae68793b5baffbfa045ec92cbdf8345f6fe023dc9065f64ceae208bb52789c10cf2cc401ea0d999a5a3ff326a3fbef2475044a8d5ff1f2ecde2e8c01700fe9e

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
77KB

MD5
a0a0fb31d2af366a3854de408e77b743

SHA1
dbeae4a00155427a75dda9cbb2aa8c862f238f99

SHA256
c582b79f07ad1f1ce894a1fbd6ddcd99732a7f68659f39f7b284111d7d49825f

SHA512
33387d26e5f8636594f0ac7e37082ff9d0ec5c9fc9c60fe9faf0d0a2cc379bebb1cbc17ae887612b79b74e6f45d78fa04c65c31e6dd6a16114d1e91805bee21a

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
77KB

MD5
80851f1213413dfa60464506fb7ef98d

SHA1
7bab160b47be25ca29b06fc9586bb073cea5dfa8

SHA256
3f8238118707a678c474e6dfa7c5de4e0c20e62dc151e8ef350726d1cfc0e040

SHA512
114c4347c42dec7638b5929ef42a8d6ceb68873ac8d3f64848c237ca6a12b277be762ebcfad907e0736ba89c4c30a190c102b8567b47b2a70f418770dfee5178

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
77KB

MD5
b8ac77414a5db5a49dc41da9c98c8e29

SHA1
b510402d8c93e1b079a45ddd0340e469775774f9

SHA256
0175aa028b79c6e1170f4f7b65deee126d94b70e4eff9310fc41af720552fd24

SHA512
3c4dc947379890d8c1808d659f5f25f079711db963ffee6719a66950c0ef21f00baf38ec5a7ee28d84491c7a7f7fa48cee8f5835831193d1666e8b5fcd76cba5

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
77KB

MD5
5a4ed6b64915df1b6036028d5a0a126d

SHA1
ab80f52fb8994cb554e343f9484d833564899cde

SHA256
26ec5ee29bb248c7db5400cc645725ceaa510cc71f7b34014f7992680de62ff7

SHA512
88adaa12aaf1c6d7c04419bf4a961151c229400d383dae8259dc1ed1c8f54729873cc5fe72436037dc1f708f103c93322df25796bbdfcd4fbba1e711a85ead89

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
77KB

MD5
7a88e84673106cd37ff721f14e252d6a

SHA1
dd927fdd46e495944ec57834598a5b6cf7ed7ed0

SHA256
4737fcfe61c0179808bde428faccd9daff6bba513159ee3b79c4daa1ffe2b542

SHA512
b1fc8b1dab3733044539c50d3a0168ea14f4fc608e5d7d6996dfeac948235548a6f893a9eb6c360a3778a0bca403daed5b4421090ce94e5c2d306fa3b133e560

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
77KB

MD5
5b8f6c443ce0d210507d501c16d66b74

SHA1
f3db23847e28ced642abd7d76495ee48b2806ab7

SHA256
99d97d7ff09722ad4a1659557bc5852306e091f1439dc638d8da343af049933e

SHA512
97c444a78712ea1e5f18f4534a3d1d55a0eb3b65546ce746853723a170fec95e79884b1c06565c0cb5e1299bb4dc9fd6a9f4f2c057b1c310d694ca38c31049a4

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
77KB

MD5
fe577fd397bc785f2c76759c78154811

SHA1
f06a43f6a1aa5ba9c8b43a406fef9351cc835882

SHA256
6ada22937d54d2a061129f235a41775b2cacfcf75a0a9adcde591e2c0b924fad

SHA512
420928b89ce673ec3736094560ef1057cbbc510c49db4c19bf286de953ea785f67cb53513b81783d87474f50a8f025cb27cc3e1021426ef84d71335094ee2aee

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
77KB

MD5
4087393c010b43eb7404fcf8f590bd9d

SHA1
22d54832e9afad0e72dc3e0af4c3c3f24344c267

SHA256
5d909027b24d0591430565d37340e5b24d829fdf5ae0857df034f771a2dad55d

SHA512
16e4f4c80de6820df6a39bc3fe6771eb8eaf2551709ff733ff2c20ce17f9847cf8d66e7aa1a6b5d3a37f909cc0d2f44f57c7dd9effd58555d497e25d845ded54

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
77KB

MD5
b52000ac0eeaf7e5e558d4f9edeea1be

SHA1
722819420a21ae6c46a03d33321a4e3860ba89fd

SHA256
894ab1b0b99507553572377c6203e297b1fd4172437f696c9b0977aba89fb295

SHA512
4eb9e091597a7641933f0a523e73e6ed38b5a987b229a03c2009ab05787f555e3e1491fc952c480170c2369696c651225373c86fa7b5205297a72f9403684783

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
77KB

MD5
f39a9232fad93969156d56dd950fffbd

SHA1
1d68f3249d648eefdc85524358f8f385c47682ca

SHA256
d77317e0606e08b38456f63c5a5215cbe66e2c93cda8aa24f61d8ea90385c86b

SHA512
d95d02758977a5b4d76d884a3f55983e74ad5f933e6c00793c8f97b0b77d894636b31f592403430cb9bc425a9ed1ca6f237432e9ed51747ad2ff35849480355e

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
77KB

MD5
597581f1c19047f244ed0800f37ff888

SHA1
76cbe1048d12915c154e2d2c099209e34dd60e4f

SHA256
c1c4490e3404d713603e1f5e27b9c593e3d8df8961d5bc49bb2324f9aef13b27

SHA512
2afc5b9b8ec0ce7c3f002de3dd4b9eb34378b9aa8acaa6f608450109b2cd8ad622b18f375375a20c326d88780b87c860490e1747ad282c2f1dcff70f2376996f

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
77KB

MD5
40c09a40c217425f70fc60f4dca12c7d

SHA1
e7ecad682ae8871537f64ebcc71ad6c52f5ce904

SHA256
b238fb936783c81dd7cc7c9ffa94fd6e0a2305571135f1c5a6617c53b282f875

SHA512
726f448ade72b5a7e562d90dc4470d676151cf3415c7a6ae5390bf86da632516bbeeb4d5c40f1acbf1aaaa26d074c1755bc8e1016bdd14c0bfbb7cdd4e7a9160

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
77KB

MD5
da68dffd0610388dafa34268c1edddc1

SHA1
b277afd165da08a41b76e289ccd383ad9f39cab7

SHA256
fd94df725a85d5f9ec74b74797c63c8ffca79551b2f5249c961e62c002e5099c

SHA512
97995c1afd211f03dbefb98036b65781edc0312534e13af42c2ec00a7f5830118039f7a2a34bf7f925c0ce380e08e6e01fbf534340dcd2a2adc079445dbef9ca

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
77KB

MD5
aca55c404b9bf85021ec19fa880ba300

SHA1
9ca9497bb4f2a9b944f2a1cd0f73f5d8c6e1159f

SHA256
ffaad0875496a74d9af03217807cfc7bb383777d083380f2e49cf1b694064c5b

SHA512
7c99186cf9105161c3164f079b033991c9b4f5750907f25b8dca27b1c52b40dfd8badfd160ae5b199f2e97c112e476a5c0880c4f32459af415c8790c814288ad

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
77KB

MD5
910c24c472790b593433f10a1f931129

SHA1
fadae0cbef86fb79d9bdef30a1a4e14fe4080ebf

SHA256
426ff910a4bae7269ddacb682638124ebc237f7a7ce0c5467f1919e08fe703a5

SHA512
cea69f867ee4a2340d6e8c07ac530e1c4d97b480bb244f0682e7d9a8ae87986c0db382268c7b767015a3eba0b7f77c88732fb36bf7da1ddeaed2ba15533f8661

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
77KB

MD5
dfad581f0f43ae9d736d655a1e7ac5c2

SHA1
1b713d17d5eeae317c57b6ff5e8fcb6d21b55f58

SHA256
60aa05a80da2522d5cc7dccb1715705adc03f29105fbade16aba7aff6c4109cf

SHA512
1b4f16dc583b2cf008d07d7f4b4e148e6e4ce3378b6f88e6cf523aeccc556476cb285ba8cdf4e322a628a17178c8a78e46b3cfd5f5fa12de6afdb8f9b1d8597b

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
77KB

MD5
ad6f743c5d5f09cf4010673eca3333a2

SHA1
f70ba77a4844d8b9904e1b84a38f91d9ded0c34f

SHA256
246c83369f2cbc1368749c02f65edd020b046a08413208cd87d2434cbc67d798

SHA512
1df2d4217402487aa3b1fccb693271b1d4dfd65066f80a6bdcdcf61b848c4e2803d485d8b3e90212606e9384703290ed3dbc236ed5b0aa7eacf51ad5386b0a4d

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
77KB

MD5
07d6b9c348e0183ccf3d528bc3821e8b

SHA1
f53ea68d4e2308551a76871e1de8e35f6dc56137

SHA256
18e8c9744bdfa76f4b429bf7e1ca56c05d8bf33bce197c9fbc11ecf33a15a143

SHA512
0c5d140abb545194475bc3725ea3025f342addea7d4c761e700d3c42cfa084837e75b14532bebd67a63758fe13103994f1ce8d469f2d944b286219be0ac03670

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
77KB

MD5
e651033e1843d6f80129fe84570622ee

SHA1
5604deac5922b78db1b3a81fdd625617071493c9

SHA256
2e90e0bc7898e13dcb41a5511cd90dd14b381ccb12e93cbfbb6851111d0258b5

SHA512
acbcfc7759e167b3cb4bca90f1a65e4f97b1daf6fefcc02d19b6d123189133d23fa263671763f716f3c9deca9ac660ee8f1c6dd9e5c1c4a73f19ca108ee5acb0

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
77KB

MD5
db66f5d96f7f81da9216a361926c146e

SHA1
2548df2b22f01f59920cd6100b110a26ac14b5ed

SHA256
feb83ecc6d1d6aca0403be0ce7fa21e0c96bfb15510bbec03e4d5d9ee3e7d317

SHA512
f7f8b974559af52223f6979be471a1237c054125d02f7a8c6dbbf50632fa73a07192bc03e5c88de133df579cfc496b2e11820353c6b3c8dba4b1118c541822d7

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
77KB

MD5
f0a0c7d13f14a65d0c023494ddbfb13d

SHA1
854a3d7a26539a785288d305ba7494f4435a4790

SHA256
d7c94368ca477c4166700f73202e189725cd82006c3f3b423495f36e677378d6

SHA512
038e664c42cdc14f72d5a677d370f315dae0c0ac7e15aaeda12deaa49c815b6e0c5fd41c139f25e150f1284e955c47a8c022752a0d0ed9be3511ba9be422572f

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
77KB

MD5
1d5e6cd1c53242c08258efd823fad1dc

SHA1
093e1ad917002579166d7ef9bcd88e03205c05d6

SHA256
963ffee65ecf4bfcdf4aaf4c71df98ba18c20b79301acef468456d4b98ef857e

SHA512
f4eb85ae9d3b60cbe6ca346281841e6e8820cbae8dff10d6c4536dedaf9bc012d5c27b90bc02f7b8f594cf4162b4a95f162e455cf6d8d589b0436f7fbe7c361a

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
77KB

MD5
514e0c86c831a7d226221989bad60467

SHA1
35288bcb8c9b70a82d75c2929785c1431e855add

SHA256
7bf2c4052f91900959422827c351d05592691c66cfa619aad6bb9901ef2c196a

SHA512
eb05e050a691fb9951b5ab249d3b21232b504b9752e07484b612f0444276c97fe0bee7f087941d2ff3362c984b849bb0ac36f2ff2afe2e3351af9dd2e231ef3e

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
77KB

MD5
77f8cc1c3b64706a814abea8c19fdca0

SHA1
aefb422a0401f5568a453ce55e605e356be9f7c4

SHA256
1375b1a41b344e4726a1591d31c195a4f90afe14784c6fe65fcb56d7accd5724

SHA512
1fe90fe6ec3e8a241bdb21258cc83faaecd008fa437fb527cb4615b01363f4be5aac8083563c71fe3547e295258b2c5c5b14814fb943defa6e04b350951bf3a4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
77KB

MD5
e5e1be6eadef0b82935905128b0bb0d8

SHA1
dd2f6850ae8fc684072a5bd1d4d4f3b55f107a86

SHA256
00c1e23b9fd9d88048d9d593f46bddbb79ee188dbb2a6e032a369e6fc8e928f7

SHA512
85f276370d1c5b1478b2b2ee4d29419836ba08273de9626ba357cc87deb25a03909e6c249b39b8ea6267fe12f1968cae6a5bb72f8dab98e1cf701bae83976f78

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
77KB

MD5
e0004c8db7e14e6adfc3e983fb794ee7

SHA1
2af560f514d5c9149a85c6dd2a40734247bbcdca

SHA256
7fe791e1cafb56086faa140ae9a948722c887a8949af8bc41a44389b61e68525

SHA512
5f50111937637315d6c4233c541fa94baa53c68de012fc345fe0021d4befc55bca6c61beab3e1a197c10bae184a6dc2aacb8bf3c228eedccd98bfe64d79464c9

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
77KB

MD5
fad0e941803a7c52db540988ce8fcd29

SHA1
f815daf3903a1d110ffd01b46d8298eb086b287e

SHA256
84f2b6d62e377e771ad368af5d6ff5b16ead1e94afc337a61ff3cd8ea623cead

SHA512
9770fda6671848908874e20cbaea357442ecb31174e673e6e205b3688ef684feb8ade40544976dcfa8b2e5b2d306699792f940d8cb3aa6405f8b264c032999a9

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
77KB

MD5
2b26e270d91a0af850b7d0addc5ec6cf

SHA1
6554d5a9e15de42f1875ba7b8868e8a27932b473

SHA256
4d49a50d191b2264b7be77b07254430979fa72a108641f0f6ac49d2c7938181c

SHA512
2c62581f78909bb6436cdf04509e95ae377fbde0da4c16eb562d5b9af1cc3cb2a651b0cf7173a3e370f1218218ec950499cd49ab605fff18abf98003ff9be593

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
77KB

MD5
5b8c18a8bac9ea828ad62b64760c16da

SHA1
1c92e00a7240328d96f91757ac30aa64e2c37859

SHA256
069445143153663dc3d9937ce330736e63a5cea1be90b10a0239d8a1e6ad0a1e

SHA512
41440c7bed132347a74a2dcd00c53fa93a9033ee601de619bf4ce52e8f707356d5d6eae3b860213798731fbe13b54cdf88698f9e3d93ab48f285d692ba93e08a

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
77KB

MD5
5e23b1325be92f95119adfb76caf733c

SHA1
63765a945f09e254322467770a2b47ae6dc094b9

SHA256
f617612fc7bcc6ba29517de07f36571043715a5afc8119ede97de1185222ca61

SHA512
dfc003024fcdc1abb4187eccbf932a4c1b0b5a9be67bde0a97bf501791efab704eecfdca7b8a70e95c7bf477494d0a2cc4f31af3d39770d6420a4dbe8d265440

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
77KB

MD5
29148f0c71de11ea63af25cdf9a5c678

SHA1
0be30f46cf3ed476e1aa3068ef2225f983226ffd

SHA256
a13aff697ea8c14ddd8e51d7295dbdf00ddbde3f194fe7f98089851daaca16d5

SHA512
ca83565332c3afb801191e605935e629706485bd28290998f7280b983b76ab80df63b660a4ac1f3d4f52b4383b782b213016aad2051ad136729c86184a00cf69

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
77KB

MD5
6f04941e442fa1224c61dee38e12f140

SHA1
81b13cc8f38aac77cc0f66f0aa1321e4598ecba5

SHA256
8b9ad27b0b240543db688ae9960c91e4b1aadcf342643186b594e3e9e0001e9e

SHA512
0754df90cdc4fe182b90fbda8c65db7e3c7fa0dc00ddee4929da4ad153625c2a23a2d993390dc0b691187565a4f570379482791e33993c6282b4346833ed8e48

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
77KB

MD5
9857cb4cc9a05dec6047078077122149

SHA1
40228a9c04ae621b4407c744d948f97aebeabcd9

SHA256
2c70f3292ae39cddffebb13811a4eded2677f29d75f6123f25b53ef5120376b6

SHA512
aa1892493240dbbd3fce73a6d8062d35ebdddb0224606cd373ce65aea387bfaf26885f11db8fd471637d5d22d8a65009d4d81722797fb363ef1db33a296b3af3

Download Submit
memory/116-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/616-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3596-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5220-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5268-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5316-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5360-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5404-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads