955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01.exe
Size

340KB
MD5

090cdcea9e5b4af8b5c1b2734fdd2a21
SHA1

f5e78d596db948d4c55b3e028cb0592905f45685
SHA256

955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01
SHA512

c13952f3eb8df7c1bf5264020e17de5c4ce011dd25219ec315656c702d7b43675b67165bfaadaf00b8c24824f38a5915932aa051357b1ddf8304e5878cae08ae
SSDEEP

6144:NuCA2+EiIyedZwlNPjLs+H8rtMsQBJyJyymeH:w+yGZwlNPjLYRMsXJvmeH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe

Executes dropped EXE 64 IoCs

pid	Process
4144	Npfkgjdn.exe
1300	Ncdgcf32.exe
900	Ndcdmikd.exe
3988	Njqmepik.exe
4536	Npjebj32.exe
4148	Ngdmod32.exe
2504	Njciko32.exe
1460	Npmagine.exe
2748	Nckndeni.exe
4612	Nfjjppmm.exe
4120	Nnqbanmo.exe
1400	Oponmilc.exe
3608	Ocnjidkf.exe
4608	Ojgbfocc.exe
3572	Oncofm32.exe
2104	Olfobjbg.exe
4004	Odmgcgbi.exe
3056	Ocpgod32.exe
2620	Ofnckp32.exe
1464	Ojjolnaq.exe
2696	Oneklm32.exe
648	Opdghh32.exe
3456	Odocigqg.exe
992	Ognpebpj.exe
4180	Ojllan32.exe
4176	Onhhamgg.exe
4804	Olkhmi32.exe
4988	Oqfdnhfk.exe
3092	Ocdqjceo.exe
2524	Ogpmjb32.exe
4296	Ojoign32.exe
4032	Onjegled.exe
3540	Olmeci32.exe
4692	Oddmdf32.exe
3000	Ocgmpccl.exe
4136	Ogbipa32.exe
1876	Ojaelm32.exe
1516	Pmoahijl.exe
1780	Pdfjifjo.exe
216	Pgefeajb.exe
5092	Pjcbbmif.exe
4480	Pmannhhj.exe
2280	Pqmjog32.exe
8	Pclgkb32.exe
1396	Pfjcgn32.exe
1148	Pnakhkol.exe
4344	Pqpgdfnp.exe
4624	Pcncpbmd.exe
4396	Pflplnlg.exe
4824	Pqbdjfln.exe
4284	Pcppfaka.exe
4240	Pgllfp32.exe
3028	Pjjhbl32.exe
4700	Pmidog32.exe
5036	Pqdqof32.exe
232	Pcbmka32.exe
860	Pjmehkqk.exe
5080	Qmkadgpo.exe
3164	Qqfmde32.exe
4836	Qceiaa32.exe
1556	Qgqeappe.exe
2196	Qjoankoi.exe
4484	Qnjnnj32.exe
4008	Qqijje32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5372	6048	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4144	3720	955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01.exe	84
PID 3720 wrote to memory of 4144	3720	955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01.exe	84
PID 3720 wrote to memory of 4144	3720	955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01.exe	84
PID 4144 wrote to memory of 1300	4144	Npfkgjdn.exe	85
PID 4144 wrote to memory of 1300	4144	Npfkgjdn.exe	85
PID 4144 wrote to memory of 1300	4144	Npfkgjdn.exe	85
PID 1300 wrote to memory of 900	1300	Ncdgcf32.exe	86
PID 1300 wrote to memory of 900	1300	Ncdgcf32.exe	86
PID 1300 wrote to memory of 900	1300	Ncdgcf32.exe	86
PID 900 wrote to memory of 3988	900	Ndcdmikd.exe	87
PID 900 wrote to memory of 3988	900	Ndcdmikd.exe	87
PID 900 wrote to memory of 3988	900	Ndcdmikd.exe	87
PID 3988 wrote to memory of 4536	3988	Njqmepik.exe	88
PID 3988 wrote to memory of 4536	3988	Njqmepik.exe	88
PID 3988 wrote to memory of 4536	3988	Njqmepik.exe	88
PID 4536 wrote to memory of 4148	4536	Npjebj32.exe	89
PID 4536 wrote to memory of 4148	4536	Npjebj32.exe	89
PID 4536 wrote to memory of 4148	4536	Npjebj32.exe	89
PID 4148 wrote to memory of 2504	4148	Ngdmod32.exe	90
PID 4148 wrote to memory of 2504	4148	Ngdmod32.exe	90
PID 4148 wrote to memory of 2504	4148	Ngdmod32.exe	90
PID 2504 wrote to memory of 1460	2504	Njciko32.exe	92
PID 2504 wrote to memory of 1460	2504	Njciko32.exe	92
PID 2504 wrote to memory of 1460	2504	Njciko32.exe	92
PID 1460 wrote to memory of 2748	1460	Npmagine.exe	93
PID 1460 wrote to memory of 2748	1460	Npmagine.exe	93
PID 1460 wrote to memory of 2748	1460	Npmagine.exe	93
PID 2748 wrote to memory of 4612	2748	Nckndeni.exe	94
PID 2748 wrote to memory of 4612	2748	Nckndeni.exe	94
PID 2748 wrote to memory of 4612	2748	Nckndeni.exe	94
PID 4612 wrote to memory of 4120	4612	Nfjjppmm.exe	95
PID 4612 wrote to memory of 4120	4612	Nfjjppmm.exe	95
PID 4612 wrote to memory of 4120	4612	Nfjjppmm.exe	95
PID 4120 wrote to memory of 1400	4120	Nnqbanmo.exe	96
PID 4120 wrote to memory of 1400	4120	Nnqbanmo.exe	96
PID 4120 wrote to memory of 1400	4120	Nnqbanmo.exe	96
PID 1400 wrote to memory of 3608	1400	Oponmilc.exe	97
PID 1400 wrote to memory of 3608	1400	Oponmilc.exe	97
PID 1400 wrote to memory of 3608	1400	Oponmilc.exe	97
PID 3608 wrote to memory of 4608	3608	Ocnjidkf.exe	98
PID 3608 wrote to memory of 4608	3608	Ocnjidkf.exe	98
PID 3608 wrote to memory of 4608	3608	Ocnjidkf.exe	98
PID 4608 wrote to memory of 3572	4608	Ojgbfocc.exe	99
PID 4608 wrote to memory of 3572	4608	Ojgbfocc.exe	99
PID 4608 wrote to memory of 3572	4608	Ojgbfocc.exe	99
PID 3572 wrote to memory of 2104	3572	Oncofm32.exe	100
PID 3572 wrote to memory of 2104	3572	Oncofm32.exe	100
PID 3572 wrote to memory of 2104	3572	Oncofm32.exe	100
PID 2104 wrote to memory of 4004	2104	Olfobjbg.exe	101
PID 2104 wrote to memory of 4004	2104	Olfobjbg.exe	101
PID 2104 wrote to memory of 4004	2104	Olfobjbg.exe	101
PID 4004 wrote to memory of 3056	4004	Odmgcgbi.exe	102
PID 4004 wrote to memory of 3056	4004	Odmgcgbi.exe	102
PID 4004 wrote to memory of 3056	4004	Odmgcgbi.exe	102
PID 3056 wrote to memory of 2620	3056	Ocpgod32.exe	103
PID 3056 wrote to memory of 2620	3056	Ocpgod32.exe	103
PID 3056 wrote to memory of 2620	3056	Ocpgod32.exe	103
PID 2620 wrote to memory of 1464	2620	Ofnckp32.exe	104
PID 2620 wrote to memory of 1464	2620	Ofnckp32.exe	104
PID 2620 wrote to memory of 1464	2620	Ofnckp32.exe	104
PID 1464 wrote to memory of 2696	1464	Ojjolnaq.exe	105
PID 1464 wrote to memory of 2696	1464	Ojjolnaq.exe	105
PID 1464 wrote to memory of 2696	1464	Ojjolnaq.exe	105
PID 2696 wrote to memory of 648	2696	Oneklm32.exe	106

C:\Users\Admin\AppData\Local\Temp\955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01.exe
"C:\Users\Admin\AppData\Local\Temp\955dce3658b10ac13fe7cabba9496c0f49890aeb7d70b643462d72e06f05be01.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\Npfkgjdn.exe
  C:\Windows\system32\Npfkgjdn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\Ncdgcf32.exe
    C:\Windows\system32\Ncdgcf32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\Ndcdmikd.exe
      C:\Windows\system32\Ndcdmikd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        24⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        38⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        40⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        41⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        47⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        49⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        56⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        60⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        70⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2632
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        83⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        89⤵
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        108⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        113⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        115⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        118⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        119⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        126⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        128⤵
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        130⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        131⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        134⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 396
        137⤵
        Program crash
        
        PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6048 -ip 6048
1⤵
PID:5244

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
340KB

MD5
16afb775b6d0cc9e2e80aa215e7204d9

SHA1
d5409aa274591296fdf6babecdbfc41f6847988d

SHA256
41bcb4e91a35c6034657aad1c42c42344436dfd873240752114499958a0897c1

SHA512
a45ad38e71f7344fdaa3873e7c838996b7743f0b27ca0849f60729844988e92cb108403a555ed4147bd4da2d9dedbc298c62773003032beb7c3145da52e2f3ba

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
340KB

MD5
1463c45bc352da98bd50ad319fe73a24

SHA1
39afba7bcffd3a6d71cf96fe5bb9609a079be223

SHA256
d5d37fc280f0bb12d71390163a5462f5782abfd79262edc139027c838e62b613

SHA512
eb8941f63decd33a5f6600d5d4e76a57284bd4f5560588f7b2e0f65f994a8d18efda24be872d0599e7394b322352f7a7b2e5a8fc3cb19d8584f8a164569acd25

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
340KB

MD5
6e980142fb383e4c2df7ad702cc19dbc

SHA1
f48b43db23d3c71ad3b5e4de6708a4a7426c8ca0

SHA256
945f94e47656b1bb74db68949b009a2142dba1a4980027e0cc3788993e94f1ee

SHA512
33fc94f71a7576e91294c6867bb783f3a1f2028966bbfa677eff6e34282b7651e63ddc637cb98e116d2e772b8f2883f2e941e9dc112773167ee9d1da5af5317a

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
340KB

MD5
0d9aaa28c5a5cab8c64d2c39cd1314c6

SHA1
7ceee2582f4d11b4af2070f56f07409dc77b3a9d

SHA256
b129276d4dc3eeda9b1f06cfe9e7d9435fe673cb46c5595375bcc0bcc413bca4

SHA512
69fc113be8d1c9b5bc220a04b6bbbaa7d9006e58b278c518106d55548482e04b6caa2dbbf78460d0a752b01de8a0b501554250b5224c5bf48cc7c7e68587da2f

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
340KB

MD5
0b7c06f35d8397711f38b15b321df66d

SHA1
9fc06b223427a944962c2d522ea07d1134dc1459

SHA256
c89ee6263fb8ba26765e3d498b2945506222320de9a446adbae3be33279ba876

SHA512
8f4a6d1738d41c4cd42f64f9f7a04f38ba9f1e17a5fa91fbf07993926cba0e40cfa881178e5fb08b49213c0df7ebff8a5b6f5b0167bccaee392c3074b977c379

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
340KB

MD5
a731f11ea2ad0b8285c9ff411bcc8007

SHA1
52966414b81c25b195aa187196edc8da85f41921

SHA256
1388224e4195500141766c8b3ddf1b27740e7a8b77e8f925c34eceb0d92413fb

SHA512
3d7eeaada12e7630909d29d1916a1db6598476f0d948e80982c9c6627ec6b122bb43e5c3d4b60956887a33d24ab372357f6dbfed4a90af169c41780d0fded262

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
340KB

MD5
0b9c9f3767857128441374d3c2a789ca

SHA1
fa0ca7b2fc4dbc8c13a97aded7909497701875a9

SHA256
ac5c4479936f1ab4a7ac505449ebb103741f8dd56c03dfc85644631f152fb523

SHA512
7e27b4355a1e72d6e69627ce7d40543e2dc41a2a293b00585ee134170ef66050f7205326025486b94fcb40ab3801689982a2d74ff41140655a435d70c847d294

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
340KB

MD5
0714632daeaabfa060e5f15d8783d428

SHA1
e583b53e44a095c31d651c96c6a168917d1056d6

SHA256
3918433624b3888030c9d293714e46e08a61e6b78aaba85591f474753e3a6bdc

SHA512
dc3b3f7899266dd529aef5153360d304df1e9ebc1c4972bb6e2d956fa19da23616ef34266d2fc37ca3c518aa2aa8e6dbf368e7ec301287c402957e0b27e578e4

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
340KB

MD5
24b21fa4fb7e8e026b1894049f6bc733

SHA1
c024578dec28ad0e5e5b1519aa95887f9bdd201b

SHA256
d8113c3c048f4aa4804972c415a8d9653c0a5eb54dca80eaf348324911a1d86e

SHA512
664117e2e05df70a01bf06872582f31d87839a11a711658443d06fcf4d4e00d24b738b84942047f8fca267280d0109ed46215341cad86b4af77aa19a37e463cf

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
340KB

MD5
25abd17ff758061efdaccd472e0ed2fe

SHA1
4f41de5788dfecb2efdba1b0d618ad51fb24d2a7

SHA256
c811566d8ddffce4df296dfd5585c525471d6c7910c9b02176b45bf97bc139e8

SHA512
a0dbdd8d2c58c3fb5c5964f4781c19cb0631735c827defeb4430417a5e9c6f720ea266ef304bfb745b66de74e465233506ac97e63ad6f3dc177480881a9cc6cb

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
340KB

MD5
29a91cbebc8d3df56c2e137f2e213ade

SHA1
199f92808f296cea4d51e46cfeea026544d3e1c3

SHA256
37ef88ea704f63420d0ba24521a4333bfabaedd68c0f4453d1799e45345c8fc7

SHA512
3454ec37914f1b7e2a4441fa55412dcd5c1b7859fcc44e3993593022fa926d344d5b7725ec520623c87f287dac2d53f38710ce43b02997afb19e682563db959d

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
340KB

MD5
fca4a46bc54c26db036e49e3b628832b

SHA1
ff2100eb0f632299a108aaf120bdb395eff1d643

SHA256
0737eaace91ca23b13d3e7958fb101b1aed7d9a8e438d06b8595e720ccde16e2

SHA512
14b8494b5e7b2a328577b1f84598d3c568af2d344e803006e937c0647da2d4ece53795a355ac54833ce5ec43a4aea5d7830110e54a85c247c837f707e47af151

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
340KB

MD5
80296b8ebce3b75b7cf7566a7f564fb0

SHA1
834a4928b4a7c5cbc17a621799d9a5032cd8d44b

SHA256
344d2bb6cbe2aacee1659d80eda40d542fdfc14cec3938af615032bf4348b9c9

SHA512
504d3b55461bfd6e1c9a430c7bdd03f9b6655f31bf2c0aabb4f480b6f571cf94db74b874806f9c99275600eb7a232d20ce5d2bf381fb0bcc7fa0f5d7c3da7f8f

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
340KB

MD5
49f6cc67d9262e378c782c011a1d993f

SHA1
0f5748c9f0266cfb95bb44159b81d22a8bc9b071

SHA256
968b0afce4eb47a2255ebdeb53ec84afcc9938d2acd2de785cc322bbc386b612

SHA512
51ee2e6b134e7fe612475d62740fcf3abd0dff7dd64560c7d2e70d53ff13b09754983b234601eee858f7729debba9873423495b74ede03036654e222fd47c5ab

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
340KB

MD5
0fcd022122ca58e192cf2e8248da821f

SHA1
10a14166de06780c91f48fdec73e1d6cf52456f4

SHA256
b28654e896940e55d6473c0eeff2d4a0cf4130f9406a77f2bc1ed282785ad594

SHA512
987728a85d9e71af7d55d576405d9a2c0041002f9335414ec5e4a7826228fe05cc4e0f50d412b9711bfdb734e777ae58682454357591fe88f0f96bec3ce4c8ea

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
340KB

MD5
3bff7b59765ecbc870a8d6e6479e77c3

SHA1
f3ca88f3e4c7e0779cb87d3ae43b05fbf81c9d1e

SHA256
abc98dc15e5b868cd56d16621ac08ed4f1c13523ef064bdd370411aeb59151e6

SHA512
3ab987e8b2755c49cefff03ef568c299a4a4b95af771835aeb7bcbe818320b9ef035ba0562cc8f0aefb48d856f159cfbe6ef04dc90b30e43199c2dab46b13b79

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
340KB

MD5
43aa24d6ee66fe10f24fcd4986060741

SHA1
06b536a53b67f33c79c17b63258b8e1993090322

SHA256
d4bf24440e0e0f7ed66c9b1833977d98497be742ff26cbdbec65a72c37c7bdb5

SHA512
41956ad6a6d3b06a5f31ec18c5eaaa48346a49405de07667b8b29710f0ea2500473e582ca11efa7b047542ff62c8403697500546b3b7746f92041bcde7aebdf9

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
340KB

MD5
ed97e1292c1db728791f853727ed1944

SHA1
8840ba48e11a730a3b0230635a5e78421ec9e501

SHA256
5fe7822393746704dc8568bcab80645738db373c436ef48e7b9cf2ada83e4441

SHA512
307dd716da96ac7b6eb6f9edfe36e8374921bc2dd8856f032e914fb831214503bbc8b931ea976b480904d61eb4209c9a776ffa0a97c7117ad1d01ee5ccf67112

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
340KB

MD5
33575c981d0e45e5c94c426afe754f00

SHA1
58e99e53050959d3fb3d5967aba5ae377bd05d50

SHA256
228154646f24b99748a291e41880d0a6e457b7965ca9cf3bf56d64a1c874aeeb

SHA512
9d5f88a8c2ac006c9eb2b15848dca75bf11958bc6c9987cd25496e213f1aaef0c078d12137693d42b7ff0e400e53e110789243b6b273db13f695f05f6a5aa0ea

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
340KB

MD5
27bda297f4007b8652e407a5c473bcd7

SHA1
7e302052ff688b12a43aaaaed99ea0151e90d3d6

SHA256
88f2d1aaff1f6ec2bfa9cc0e7c73c974a239c6cd7a4b103e682ffa2a22ca1303

SHA512
073c7219a2084c5e4c11d748eb636b47fc96735c68ec8383daed04c35d66436d8b3f46042f676b80cac7558393d02036aac90d8c39f028cf918a6048eaac06ea

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
340KB

MD5
72a3eb9219f54b3980c6587818beace6

SHA1
f97f7a1f1c5c14163adc2bbc3a27aaef1f72d1ca

SHA256
ff1561db7844fb651f9b160adc085ecf5a18583cd3bf3dfa1787f6440621e26c

SHA512
fb991f5ebc7bd8c3e05830772b4caf87dfda24d7ad0a07c0ef0f420944d31f74c881a8791ae4318219746bad7cb1cac3e030f2b925a4d407db334d9de3828488

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
340KB

MD5
b74c3e6da1f2d0d105916134877407a3

SHA1
dcdd1837fb558b527969c5f2f945bb5f5245aa23

SHA256
0cdb9910ce509cb8ef061c6536853578ceb54b9e23d2b6b298cd8509f7416e28

SHA512
3219ddf520d684b95e3d185cea8cc553adbeb1b20b2f3a7bd798ee4612db15ee0c92131ee261d1f23fe0726cf242871789342486ed616df506a1227bc88d8a3f

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
340KB

MD5
bafb0d46a2c546f7dbd7942c977071a3

SHA1
064b325f02203ab7a3e946db9f248819ed89b0e7

SHA256
e1bcdbefe8ace009b5c317328ae3881577bdc924458dd10792aa6c233534c43b

SHA512
6b3c27940d97e616c1724b836eeb7cfbe81dd5744b3b4720a90de1aff361062c9471799195e19c3ca3d8563ed3757e51d324bce4324dc3e7b85d67ef8fdb8097

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
340KB

MD5
bc46d6f79471fa73bb95bdada43c9dc9

SHA1
1ad544f20847519a2a2fe2a23f4af6e5e94b8a46

SHA256
67436a0422b8ff5924edd907b45efe3f006d6154b6cad1e10052c7eabebd135e

SHA512
3c66b4729c1fb234039f845fe256e08b7ff8eab1be4be69e513ddbbdcf2cd3a02718ae4dab06bfd7f3eefa55ba474cf435e6a7b4910d2cdd8fd6425ea612eb17

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
340KB

MD5
a940bdf4af5e0d1d0b9a28e8348a65d6

SHA1
4a1d38a257e7009e162f46b5c9fc11ec595343c0

SHA256
b45730daeea7e75454d781e493d1ffa74eb8d7b36b666c3b79e966837bbc4b76

SHA512
4a01858b6963fd937c3ba18f880d4b0ae90deb4eb1afe25cce570cd4c9be3b9af42b3fc13c9a58cfcb1536d33b6876329d6ae85973a89ef6c9d2509c50e32715

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
340KB

MD5
3e97ab40e30a12b130e86b3ee5f7abea

SHA1
452463aa79b6e6da15c3ab0af696f1649b3fb13d

SHA256
6fc0f31d3b21eed08536487dfae0a258b5ba2729ffba63e4cc74ef5fe27f2740

SHA512
13c4788a0244d777f65acd3fdf67152a40cfbf0c2d7828481dbd20e98394b340e95a52d50a3ba0de2868adf2181cfa9aff343e71ecca06bea8cb3ab4e5ddf0d3

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
340KB

MD5
6aea14efc552585e3d6cf7b978a7792b

SHA1
e2fc88ea2aa3e3ce9404b774b93dcebf939261a0

SHA256
4bfa71d9719ad84b741b17897a69a906a58a04f2afc66bbe322fb861330dbfd1

SHA512
1a3d8183816e871472f0b3d91ab9cbb3b5fee3b0b8d8756a7ac896f60ec9aa7585c337841c97d1bcdc6caf0e684082eaa8ca78d06a620f2c3f1c743907c9caf3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
340KB

MD5
5676a36d64bc9e45c78b007bccfdd743

SHA1
8c6b4abb0c86cd5555a91616ad605d06f9f625cf

SHA256
49d61a9c45fb90e7c0bb1373eabdf27b53a653d0d881a96b96aa515c7a38ca8f

SHA512
cfd78583087c04bdf9cc0b8de6194cda4deaccae133749b219a6281887498eb039a75e3cf7be9d95712863e3ff0c19fd72440d36e4cbb7bcbee2afdeae4b844a

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
340KB

MD5
8bc914f5a1a5c2198efb118f523d4523

SHA1
316b9e838e2fea79a63940ff9706ebbb9d407852

SHA256
01b568aaea9ca26c3102e05dad0068594f762de566fa4ddd830562935dd9accc

SHA512
3e43338dedd2192b6852b10c7f080012ae5a4cb42d14d5dbceb9df47136047225fe4a578391858981f8ddb746d1b100c21b6ea546242981d8233939a6b7dc940

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
340KB

MD5
fe6ee10c498d9f49643ee8fdee312686

SHA1
f2cb6180e0f9c23a9c54e456ba06b93330ed17f1

SHA256
c0b59c08b5a99a50a490b1fe6ddcc5ed697c201d55376c09e878824aa08670fd

SHA512
0099cac2db55405df9c57728e1ab140fc05b96d3eb65cd884d85ab566759398d9414c8a23b8879a55429f65a965f5346508e09c319b59229392a9f67b2259941

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
340KB

MD5
73fdaf43ec58cef2dcf39a9c881d7dfc

SHA1
0ffc0c157816f843d8e4d5059f92be9944eab60f

SHA256
c0a57f1391a4dd9a8bfe2c67c47b9f7d9efd5a598ee4669201116fd1c5d89390

SHA512
87d6900434814b207f77a1a37244d16127ccd4db88ddb537afc89d5b6002bbf28f7a33c0b860306e575fa48b27a327a76ea7857e5e73274f685c55a4c0f9e1b9

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
340KB

MD5
07bad3ddf4f8bd4c12b6ad654d01ed2b

SHA1
807121aa2fd520a4b787326e00ca9b64062460c5

SHA256
44125fe5848cab4361f9b499d1999a5324c25d5dba1d3c678139a3bfd30f38fe

SHA512
c1e0535310f7a6d170790c5a08eaebf8e1ecedcbe851232ebc3d3b4e54b524da98a95be67ee3ccf34110cc4fd2b16da4cbb3db5203d5a5622e6c3270951a000e

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
340KB

MD5
471ca31366f5bda594fe30088c91f6eb

SHA1
5f9ac706b03a2e1f3ad2b895af501f95ebc765c7

SHA256
cf9a02d5c3a14463b36c1fac0ca9b00d1b5e1553645db38161594c5742da854b

SHA512
77df49ffd07490e7b6f52b91d31e9cc85b3d109181e229628f38c71d7ead1625f2c0763deeed43242bf825c582499b8fca341bf6d107e15d54a784ba62c5eb06

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
340KB

MD5
fb9370912f0d36ee6794b84da000ef15

SHA1
b3ed0b42bb5e1261437a1c2a17140daed4d896f3

SHA256
269b01e1a22df8323eac56355b0ed73a18345d48a4f2ac4a2c51f1c180ba90ca

SHA512
c8d5a0eba1cfdcdf0c341a5ca644951116ed81b625c1d56027dcc1c7a5381275982efccb51d03e29423b3f6f1cf8dad8800fb95533b49ac068f9600d5efbd4c4

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
340KB

MD5
aa2f99318765b7454bbe12782da4a092

SHA1
c90ae2ea6ac6e9d7c5c63ed406f35a12d2fece7b

SHA256
200b58b0d848dfd87f90f355d731f638669722773df97fce177d0275e1d12b08

SHA512
8706a07c880172bc4928bc1f35e5873350204b5147a5d50fa74576ede6685b4e003db00fa0fed66ede87cf07bd5fd100466c9f095237161311906eced28c8274

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
340KB

MD5
117228f21ffb2e25e9dc688abc3e9571

SHA1
eef1437c8155fc4dcc485cba255bf082608dd0de

SHA256
71824d2da25ee2fe243430f7769cf0cf6b987be588906f96b020a8bb9b04f177

SHA512
cabbf2585cddadbd3277061b2b4f31ad16449fb78dc33e2c01d753baf901547720652fbc3910124d8243409b6c457419098156539426969983aa38784a81f826

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
340KB

MD5
a7dee080a9fd8c96e01d2a182260cc07

SHA1
0a32f5c993678eaf551c39a100cf392931988448

SHA256
277c0eff11b7ae80662c1997006deaab9bf12c904b1b054dd2edbfa5ab340652

SHA512
0ba69cc86058622b13adc127326c99ab242f8688823c426edbedcfd32aa6f43dd40907777dc0e106ab15f7d6013884498922334c756bc33a8d146ee8fa1c6ec8

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
340KB

MD5
c709688b1cda976a381fe80e854164ad

SHA1
394709200b7ccc3c43a466fafacb8a231cf266cb

SHA256
682db8d897398203b0746cd3d76b037ebfd14ff07e84e157854f79721f7006b1

SHA512
c095a8ddd306c8a6944e6324dc7c24b3f4ad6d6569d65e2a1a77f3386bc0b85ce7f875ae3196c3df4d1bf1d385e9e40d0ccfa8cb56031a5e6aab8456974fcf21

Download Submit
memory/8-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/232-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/648-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/900-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/900-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/992-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1148-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1460-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1464-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1516-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1876-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2104-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-531-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2372-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2504-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2620-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3028-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3056-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3092-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3164-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3312-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3456-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3540-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-503-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3572-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3648-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3720-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3720-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3720-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3908-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3920-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-585-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4008-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4120-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4136-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-599-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4296-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4344-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4396-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4592-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4624-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5036-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5080-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads