b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf

Analysis

max time kernel
135s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe
Size

49KB
MD5

f1c677912632adc09caf12d8bc3647f4
SHA1

8d9701007841a5c9ccfc8f1266213c6ce6b49f94
SHA256

b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf
SHA512

5f813c90dc5c1c7630bf83bf296cfcbe8d959aac5aa4599a4600333dfff90f9d64e7d78d59edc40a24099f682aafe8772bfe9ac6fd69a3a2648fa76d9342e75c
SSDEEP

1536:EBZ39dzleGJUkFR5AG7xPJIvLHPPOt61RADuuuqVWnE6bP80bl:E73ki5AG7xPJIvLHPW41jbP8cl

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe

Executes dropped EXE 64 IoCs

pid	Process
4820	Nloiakho.exe
2648	Ncianepl.exe
4676	Njciko32.exe
3116	Npmagine.exe
2912	Nckndeni.exe
5048	Njefqo32.exe
2488	Olcbmj32.exe
4972	Odkjng32.exe
3444	Ogifjcdp.exe
3412	Oncofm32.exe
3192	Opakbi32.exe
4440	Ocpgod32.exe
4956	Ofnckp32.exe
2980	Ojjolnaq.exe
3776	Olhlhjpd.exe
2368	Odocigqg.exe
2692	Ocbddc32.exe
4500	Ofqpqo32.exe
4424	Onhhamgg.exe
228	Oqfdnhfk.exe
3504	Ocdqjceo.exe
1208	Ofcmfodb.exe
3272	Onjegled.exe
1820	Oddmdf32.exe
4912	Ogbipa32.exe
4408	Ofeilobp.exe
1720	Pnlaml32.exe
4584	Pqknig32.exe
2700	Pcijeb32.exe
2716	Pgefeajb.exe
4348	Pfhfan32.exe
4980	Pnonbk32.exe
4768	Pqmjog32.exe
3156	Pclgkb32.exe
2728	Pggbkagp.exe
1656	Pjeoglgc.exe
2340	Pmdkch32.exe
832	Pqpgdfnp.exe
4448	Pgioqq32.exe
536	Pflplnlg.exe
2276	Pncgmkmj.exe
1432	Pmfhig32.exe
5104	Pcppfaka.exe
4460	Pjjhbl32.exe
452	Pqdqof32.exe
2124	Pcbmka32.exe
4272	Pgnilpah.exe
2736	Qnhahj32.exe
3788	Qqfmde32.exe
4148	Anogiicl.exe
1108	Ambgef32.exe
2948	Aqncedbp.exe
4696	Agglboim.exe
2908	Ajfhnjhq.exe
3976	Anadoi32.exe
4276	Aqppkd32.exe
4372	Acnlgp32.exe
4828	Ajhddjfn.exe
3308	Amgapeea.exe
4080	Aeniabfd.exe
1400	Aglemn32.exe
2384	Ajkaii32.exe
4048	Aadifclh.exe
1940	Agoabn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5804	5320	WerFault.exe	217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4820	2824	b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe	86
PID 2824 wrote to memory of 4820	2824	b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe	86
PID 2824 wrote to memory of 4820	2824	b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe	86
PID 4820 wrote to memory of 2648	4820	Nloiakho.exe	87
PID 4820 wrote to memory of 2648	4820	Nloiakho.exe	87
PID 4820 wrote to memory of 2648	4820	Nloiakho.exe	87
PID 2648 wrote to memory of 4676	2648	Ncianepl.exe	88
PID 2648 wrote to memory of 4676	2648	Ncianepl.exe	88
PID 2648 wrote to memory of 4676	2648	Ncianepl.exe	88
PID 4676 wrote to memory of 3116	4676	Njciko32.exe	89
PID 4676 wrote to memory of 3116	4676	Njciko32.exe	89
PID 4676 wrote to memory of 3116	4676	Njciko32.exe	89
PID 3116 wrote to memory of 2912	3116	Npmagine.exe	90
PID 3116 wrote to memory of 2912	3116	Npmagine.exe	90
PID 3116 wrote to memory of 2912	3116	Npmagine.exe	90
PID 2912 wrote to memory of 5048	2912	Nckndeni.exe	91
PID 2912 wrote to memory of 5048	2912	Nckndeni.exe	91
PID 2912 wrote to memory of 5048	2912	Nckndeni.exe	91
PID 5048 wrote to memory of 2488	5048	Njefqo32.exe	92
PID 5048 wrote to memory of 2488	5048	Njefqo32.exe	92
PID 5048 wrote to memory of 2488	5048	Njefqo32.exe	92
PID 2488 wrote to memory of 4972	2488	Olcbmj32.exe	93
PID 2488 wrote to memory of 4972	2488	Olcbmj32.exe	93
PID 2488 wrote to memory of 4972	2488	Olcbmj32.exe	93
PID 4972 wrote to memory of 3444	4972	Odkjng32.exe	94
PID 4972 wrote to memory of 3444	4972	Odkjng32.exe	94
PID 4972 wrote to memory of 3444	4972	Odkjng32.exe	94
PID 3444 wrote to memory of 3412	3444	Ogifjcdp.exe	95
PID 3444 wrote to memory of 3412	3444	Ogifjcdp.exe	95
PID 3444 wrote to memory of 3412	3444	Ogifjcdp.exe	95
PID 3412 wrote to memory of 3192	3412	Oncofm32.exe	96
PID 3412 wrote to memory of 3192	3412	Oncofm32.exe	96
PID 3412 wrote to memory of 3192	3412	Oncofm32.exe	96
PID 3192 wrote to memory of 4440	3192	Opakbi32.exe	97
PID 3192 wrote to memory of 4440	3192	Opakbi32.exe	97
PID 3192 wrote to memory of 4440	3192	Opakbi32.exe	97
PID 4440 wrote to memory of 4956	4440	Ocpgod32.exe	98
PID 4440 wrote to memory of 4956	4440	Ocpgod32.exe	98
PID 4440 wrote to memory of 4956	4440	Ocpgod32.exe	98
PID 4956 wrote to memory of 2980	4956	Ofnckp32.exe	99
PID 4956 wrote to memory of 2980	4956	Ofnckp32.exe	99
PID 4956 wrote to memory of 2980	4956	Ofnckp32.exe	99
PID 2980 wrote to memory of 3776	2980	Ojjolnaq.exe	100
PID 2980 wrote to memory of 3776	2980	Ojjolnaq.exe	100
PID 2980 wrote to memory of 3776	2980	Ojjolnaq.exe	100
PID 3776 wrote to memory of 2368	3776	Olhlhjpd.exe	101
PID 3776 wrote to memory of 2368	3776	Olhlhjpd.exe	101
PID 3776 wrote to memory of 2368	3776	Olhlhjpd.exe	101
PID 2368 wrote to memory of 2692	2368	Odocigqg.exe	103
PID 2368 wrote to memory of 2692	2368	Odocigqg.exe	103
PID 2368 wrote to memory of 2692	2368	Odocigqg.exe	103
PID 2692 wrote to memory of 4500	2692	Ocbddc32.exe	104
PID 2692 wrote to memory of 4500	2692	Ocbddc32.exe	104
PID 2692 wrote to memory of 4500	2692	Ocbddc32.exe	104
PID 4500 wrote to memory of 4424	4500	Ofqpqo32.exe	105
PID 4500 wrote to memory of 4424	4500	Ofqpqo32.exe	105
PID 4500 wrote to memory of 4424	4500	Ofqpqo32.exe	105
PID 4424 wrote to memory of 228	4424	Onhhamgg.exe	106
PID 4424 wrote to memory of 228	4424	Onhhamgg.exe	106
PID 4424 wrote to memory of 228	4424	Onhhamgg.exe	106
PID 228 wrote to memory of 3504	228	Oqfdnhfk.exe	108
PID 228 wrote to memory of 3504	228	Oqfdnhfk.exe	108
PID 228 wrote to memory of 3504	228	Oqfdnhfk.exe	108
PID 3504 wrote to memory of 1208	3504	Ocdqjceo.exe	109

C:\Users\Admin\AppData\Local\Temp\b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe
"C:\Users\Admin\AppData\Local\Temp\b3df2b6bb19e0ed8117d9710f36c2613f4a90418f0168bcd0a1a8317882a3bdf.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\Ncianepl.exe
    C:\Windows\system32\Ncianepl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\Njciko32.exe
      C:\Windows\system32\Njciko32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
      - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        30⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        40⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        48⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        50⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        60⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        65⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        69⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        72⤵
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4564
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1564
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4588
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3512
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        84⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        89⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        92⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        93⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        100⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        102⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        106⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        115⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        117⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 212
        129⤵
        Program crash
        
        PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5320 -ip 5320
1⤵
PID:5660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
49KB

MD5
5b3c667c4b2ee57444a98a3491c85bd1

SHA1
b9ec8347f761d915a1018db59784ffd312338f3c

SHA256
1b454bc230c8f009141807c72b55f3620246cb9ffc44627c8e090b4298e5f7cf

SHA512
83379ad33a66eeb0726571f8f869d913722a2daf12fbe0eb2ba16162a70d30320d758f79015d6ae8a88fe691b9a5ac4354f62342a921ecd9811bfa3f8c820ffb

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
49KB

MD5
70234cf24dad65244b727bebaaa1b99d

SHA1
9d947156b1b06416c3fc23042dbb6da84eed9273

SHA256
09fd3faa51e755b49b0a086d1550ff7cf674912e0af32c51c21013f32d9f7b07

SHA512
95d5bc17fb4ba7677b76e1260105581d4adbd4dcec6e54d0425f7730dc31227ea1f4c15a9b0a559602ca793734600f54fa6f16965de766fdd7c6d34a35c0a574

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
49KB

MD5
ac9cc726bcab8a57315e08ac13642eaa

SHA1
a81c3d45328440a601b1f053b557529f7a73c38f

SHA256
8d5934c9e76482aad10849d2514935a217192cce8fecf99eff69531a27f74ade

SHA512
23c1faead65b62559b1a6ff2139c3a1ebbb8f80123c2f87abc5eddce76203af89d7fb1dfb032d60d297cc2c4f95f92bd6e5f64309719350c8da18ff8c7905a15

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
49KB

MD5
4b03202f2b0739ac1252d45c04508767

SHA1
f88f04f1e7ca51dfa36be4f11f97ff972fda0f9d

SHA256
1faa526353dd56faf89ebe723035ffbd99cf78883636a971ef7513778169ff93

SHA512
56b203696294d8bb4a866cc451f9fc970573d70709e18e74d45c696455273d223d0a04debfbb403e37a9696bf65898caa2b2129e4e5c95546643bb4d5445b06c

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
49KB

MD5
22bf94512446ed802f0b05d63d99449e

SHA1
5153e7916e4a7e8d4052e640ba9a0b1a6dc50c2e

SHA256
f433d94e72150e50ff194d52172a1f5710335b1be33116563399655e2676b86b

SHA512
583d2002cd31603033853d0b2be3b59b36c1b56beca6b7dd08ade24755db34684f20ae043a906b7b9f5abbe393f72f5072b877eb64e8c8eb6a8c788a09d5a330

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
49KB

MD5
c20fd27a4d79490687ea78ae555d135e

SHA1
fc81452f6ca03fc0d853198b35cb68163e629c8f

SHA256
d746b7163fafad943098bf912ef55f563ddb289f6856face0ac0ce479a4b8532

SHA512
5fd97288771bb7738fe039087254e1ddef55d8c909988bfeec8340abe60bb28de65a47915af2099e055a21de75279f923c9ed199d3463ce6fc747f233d568afb

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
49KB

MD5
f50dbe119c21f6b0c056987dfb9e73f6

SHA1
41c4018a72653ce291e109baa9382baf93315a35

SHA256
f3e4308ae52badcd72baa7ea0de18a7c857fecec1e2e69bd20c1884fe7f16307

SHA512
c82c53b4f62428ae2ac7483eee8fa71ffd9be2bb5864ef5d2562a3d8e1afcf98b994cf0f60e71efbc7b13a7cf06fb032fd9649f57ad9fdbc7ba29048bb166a96

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
49KB

MD5
f5a9afea55f55a47172a53e5057b10ff

SHA1
1eab67147c930c134970a69f4ffa940fec1f5897

SHA256
e67963b722372510f7789f2ad55e7e5e4b07b815e41d8c78b6124879646bd349

SHA512
a0a56af862f8fc5443193664dce70d7eceeb2c568391c4911efeee800cbfa6ad66faa05c7f0a699d2cab043c8b71fd6722458d4b48601a295c1ae9640a286378

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
49KB

MD5
e47a584209c38ce9215a93628ea3bbf3

SHA1
fedaf1aca493c2282ce1e761fad9005bf45dd7eb

SHA256
e66336b76a31ec8e9deffdf48b34d3a1c6200a40726f0445bc0b22f3cab7f964

SHA512
97ad0de806964e2b983cf2e0491b5966f364316e31f79a963a728391fd2de1df1404f6f268cedf634274c7622b469079f5ceded5755cba3bda8fa8681a775e5e

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
49KB

MD5
4ef434176201f0110da4edc9756ab64e

SHA1
c097aed72a7161cace201f6964c308808024e700

SHA256
dfe8ef3bc8f61b5d061932887eeb16f58bbf60285ee4169f4497fb148536ee53

SHA512
489a71c873af39ed30a4c0f5f24d58023c29bbdebdbdd72359e1778b53fab4d98ca4c982ed974e7d5283c7b82c367d6d2495d4c7e44b0a639135afa637b2b0a9

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
49KB

MD5
8ee0242b6fba21dee56213b1242f7d20

SHA1
2cd6cad341aa02362309c02454c2b8c2afd528a8

SHA256
97cb71635b5310f4451fea0e20583d614fe794f6c8ae2311c6f4e088293107ec

SHA512
521f716a3d69578252f399115b91493f8db36a4c84702952b22a20885d330810ae52ffaadaef54df4d2ac3039e52912efeb6fe6725ac77853c164e6610efd18d

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
49KB

MD5
d818e50efcf63a9ef0ab90fde738f2c4

SHA1
00a088f0c8c5dce18b963f2ccf4b3361582cd206

SHA256
ddc15f81c840419819acf4be606b2a1406345d8b3fc935795fc807afbde3cd2a

SHA512
2e90e8f8f7f457b39035ea3067ed6640cfa53cad8b0f8cfaf6df5be2f141215b8c55afd0c3429ca002c6b61a42c4ca00bf283f269cb70fe39fd5303e2d4363d7

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
49KB

MD5
91aeae8701aedcf92fcecb1d5bea7604

SHA1
89cec19a512573ae69fea3f54623f7363af509b5

SHA256
9e169c29fc32e68712ea147fa7b85de04b7f57449b17418bd6769d2236741ca9

SHA512
e11c1934d1bbcf47a8916b10dddf9817c1715129f51348aa4367ada94aee1671852cc1f2a525474210e80ec902bbc854868e0b3f753c5794da74f874ed595297

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
49KB

MD5
d4a38857c9efbe8a7b140b689d114272

SHA1
027d9936d4b6722e44f4b64dc627568725589d7b

SHA256
4ec502e13c7a39b460447dfc9f901f3023c696e3ee78441b0f5f539c93431cf7

SHA512
fc5e4118ced6c0c43c91dc50cd1500e9989c74ccae5ffe16745298ad38ed0c6cba9468a7d2c483bdd5f1d49a228f49bd41f6611fe5cdcf75005232ac80fe6ba9

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
49KB

MD5
0cf078e8e4c607f533d5e84843747b37

SHA1
49f2a7f3fc202e54fcf3cbb6efd1871e90d30f8e

SHA256
0fad1f609205b1bf1594f1f548ffe4208b3528c072401968a9fe316eac3423ca

SHA512
90b6f0f203703b9f818886237f0b778053b1cd50c4f0218b72de67dfac2ffa0b6e1f45ac1ce29e5b79a76a183b278bab3b6496f0a60465da74e9ab496bb03f9e

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
49KB

MD5
c2660200ad914baf473950ff95071d75

SHA1
387e6e0d771dc8d42f59bd883f2b627bc18c05cc

SHA256
ae062149a3d520c18c33861482fea3da11cb36a3222c3b6b635b1228f60c8cee

SHA512
c18413dd6deaaf61654173c9e8acd274f485d5fcf69bd65f69414b1f669cf7c874e8f1fea78801a54e3323ca59eaf2af108a3cf39e1ea4527a473a130003545a

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
49KB

MD5
52c2738420c398c4c598a77400aaf466

SHA1
1e86b17417aaaace5e89ea2d2bc68897048686c5

SHA256
b2f689f0a249bf2c2f6e53f9e1c12b33424bfb2251e1df0d1efc66a827b855aa

SHA512
9a98de985ae9807590efc753fa8271fb3e603b0d99a991bf4c2c7972bea95de86373d9e6c2c9b1df0dd00cf4f4502dc8fd79b5c3fa8204656574a8ee1d7e9beb

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
49KB

MD5
4b598e5de03948bafe6ec05626826fe9

SHA1
82d330882ef1df969defbd77b3549103de588872

SHA256
2c6c88de3b113d0ecc643a0cde026ba6d6f69b4f0fee42fb94a0f42ca1997392

SHA512
49492c8f6d374742e8b17665d06c3e2e55161e3c17e19582ba5675bc6d372f33af8f7cd1da7be0455b81f1ee1e54494b2ffce18bf72cbeee72db4137801a21d0

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
49KB

MD5
a79ac7004b93a7e30889235815f1b7ae

SHA1
73e83516e8206cbf288a2803dba8bf0ff5980ede

SHA256
a383c75d5b70306722dcdf2edf8adf88b1af6acb331faf9f708eee4ce739b7b2

SHA512
dede55ae1840ba248356012632ef1335fdc322d570ce5c6cf19070c4dfefb0b01b785690ea73fef5b74b24174bcbe1597ea4dc5f4b224f4b97f807a6e022da25

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
49KB

MD5
548ec524d20e677f399ecae05a3c2220

SHA1
bc963bd311187f3291a36ea4f32e11102a310d8c

SHA256
e6902317a9cc2c70fb799148a58f2a0c15b9e35afccaa4c2f4da1a97f8e681bb

SHA512
d6c847ad67208746761b9ad574560807646a581489f26b121a9eb43612d9e7cea65caa5cc469cce4a3d9d231fcaedf0b1963f2e0ea536e0ae23602bc07f8edd0

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
49KB

MD5
8a42627e71458ca41fcb0bbd8566c5df

SHA1
56aaf3fdffaea238098d64ba9dbbc1947c5464f0

SHA256
b68767f0007ece6d9e6a4228b81029031d2458605e7da6f27a8d5f2427eed6b4

SHA512
c6cc806d3fe697284a56b215f0d4a77441f5bb0f76c827dad40338c8a8e84d0882d16ef608844d46f176d12caa997c62ef606cd2ea133a385121524abaa6ba93

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
49KB

MD5
0bddebced04e9397320834e488d4e351

SHA1
6eced1757ac9a47af0bca3e72404c24c76e08749

SHA256
7e91ddd4e68a3ca55e4e919b58f0354826be2973a5194766d614516633e90eef

SHA512
619d2046fa813c7498541c169a905bbe736cf603fe90d3a2a174b2512f6dc066339a7f46da8d17278bca8dfab62f74280fd4ffb5bdc34420d57a6c3c5810b11a

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
49KB

MD5
cd1335a581ea220afb8432dc5bf5531e

SHA1
6c3d5551ba23bda42cff25405270fd4482b27b61

SHA256
ed219538334e2b4784bbecc89f88e9ef0829291e1af980b32f71f08d87864962

SHA512
90a21a0b59a6af4714d00645e69bae2a279347c547053bc451e4c3634698a9d2141420f79c63dfd9ac76fab2d2fc97fc900370d38285c60630de031a1d97822c

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
49KB

MD5
91be523417d2748eebc90a6000e7e1b7

SHA1
6a49b8c7b395c06ed224b2277dc70aef8c6320b4

SHA256
5f6905a149859467165d07db592ea1bccc4c8c169931ee6bb8de8ef265f083da

SHA512
72a116583d8469079c0e7e96edf43007e143528e380071d231b2f5313c65d6730f4f01186ea6e2bc4672e2179990ff96294ecab53394d653be41df857aa646c1

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
49KB

MD5
898e8b56a4759c19227f9a58b5638b5f

SHA1
96c622c17c43569bf703e59b7779a553a7ed083e

SHA256
29261d1d75a80ee7b3a03246d362a97c9048065dbe8e150ff18b45df3ee95021

SHA512
55a3ed9ecd3232081d6942971064fb86c757914fa823e531f9dec9a3e1c7567a25607ea3a65911bceeddbdb6f22caf107aaf9e0eb31aa39b9ee6108d9aadc6a3

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
49KB

MD5
458aa9b552b24d159568b8c4b36e2478

SHA1
d4930ab233586ec4223277cfbbe0dbe3ffad3faa

SHA256
455945abbbf49e777becb74895e264aab15310844640f2cc15444ad56e50e0f6

SHA512
3a929c0bfaa2ac5dcc6598bde5ef188d1e35f94d529628e8f28f2f783a23f91481afb43ab605a1b0b81e928c75939aea06b742032e189d9a324f492974a05056

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
49KB

MD5
c8ea6f3d669019d09c1a8fc0bea65309

SHA1
02d27c4de2075304f430b10e1ed32881377c0fe7

SHA256
5c9b1080d3966f92d57b11ff087ba79593abf4aeecf6dec5111e8c4d8aeff487

SHA512
2a0f054f924ec0d427552af6968213e2cc4272021ea11b1141aa709ff7a6f0dcd5f7bb6f0eee00c0b00e0c79fcb583d67eabe850a6a8c3dc625a2fff53b3cb07

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
49KB

MD5
f4ca3170bdab0a09d1b7a1fad2e987cb

SHA1
e644112ce2d52272f20fb7e0337c04cb87e5d159

SHA256
afb610d2f61b853a1ec056a01f2e854da6e81ccdf0bdbdddcd1f1f4b1e7ce7a7

SHA512
a06e630c074fa467357beea4cb26d8efe11d4a124862dd09ea6c6a6b436ccceb4b543dceb1181998939b5a1412077ce463bf443b125cb9aab360bb43b4e796ca

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
49KB

MD5
bf4d78c3d4722dec221bf3681332f85c

SHA1
914b1dbcfd26df334274284305ffcb0a9c206235

SHA256
6ccc4f220d643efd0316d6c43a849b698968648647fad774c21fbb71bdfd2fa6

SHA512
79df602f130a418549f4e4fd32e8784254219107554fda482fbf86c9afc9a86bc2bcd1c7ce55fd647835744c12cb14bca5d24feca6645d5b674d7bcedcff61c4

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
49KB

MD5
84ba86376b42dd2038be8265538f3789

SHA1
2868585459a24b895657fa35cf62212e03c7e790

SHA256
5a8ec6b7b52a65be27b28e1c6d67a30f74e0165c582bfff58879db61aa60c64b

SHA512
e48e0a6445c6d68f608a6483a1bb1b100c98c08feaa44c717af32fbbbe826cf8f94ac27511ae8a04835464937e1e98c3958a8daebedc41b77d9e1882888e15b3

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
49KB

MD5
3c7827b0058e21bcd0d0706caa4e91cb

SHA1
d7c9f08d4a72201fac99aa1efd545a24b75f3992

SHA256
3208f3e4e36b7cf629a5329fba9d81ffe26e4d080e02d80f896eabd1c7d33aa8

SHA512
71ef148d73a4a92fb941dedc36f8e1129d8d4d6c9079e4ada87b7225ad03794de343caeeb145d5c1e8c82c4948dc0c11b03b2283585666a254e81c942e9db12a

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
49KB

MD5
fff67a9915ebde89d0a6ce16106c7ba8

SHA1
39ddea3e314f435bb4480cb387dc6987a4b8b615

SHA256
ee937eb55c52b6263c888767ed82c247e26818b62f62827275d40eafb984cbc2

SHA512
1d53542501528258b90d074820c5680c46bc9cea6ba93336a17764919a676109dd512df244cf703b7abb6dcaa1af4b0037ff9bd7609e31393eb897b872f8945d

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
49KB

MD5
f549903d055457ab1ea2e95827433b3f

SHA1
36501d8293dd018b037c0631dfb6eacd5e8ac4e1

SHA256
2f003f950e06707e0d7964a2829b7442ef182e5969b21f37af1d831d1d607099

SHA512
e9e7687d8b0780d052724266cbbb50cdf0f9823262be147c5dc2546096a137286133b9663da5ad4687ba090bc3615505362bed302a7ec929aee2e3fe72378311

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
49KB

MD5
9f0d3ba2e5b23aaa97ac678c753459cf

SHA1
8d0bd7acc3b6c59a2f7d1b4506d5d02a0cf76225

SHA256
427ad89635767c5b417be25ebdece18d2c33bc8dccf1ba126b61849efc11053a

SHA512
ce0985150bab7c84798b3f8cf97a703d4cff7ec10559b5c43349e621cfefa3f283194fd0776aa2d4dd766930e595e1bcfe10104bd678ff3c172350f7f1ce47f1

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
49KB

MD5
6f0cc6d4e34d0150afb162e811097cd0

SHA1
6683f43c92a29190427ad22d89c5369f4fccf47c

SHA256
725bdb9589743b613f65167bda43fb37c2ded5ecf0a4dae04691c8779834b94a

SHA512
acb6626796ac985d0819fd2d9c06be68a8e8f74775e85cf0b96b741735402af3bf04992e0e6b5c927e30fc5578c0fe8112e72045dcf4e40480deb4b52c5403e8

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
49KB

MD5
d500cc4022f572964a893098a23d32f9

SHA1
9a9efe7a36121bd4f9842c55bc14b5ae891a89dc

SHA256
aa01361e52d1b7b7662da2b6f8b49ef5e3c40f03013d6deac15487a2ecefe983

SHA512
30fe6945cb11fa32d88bad5d26ae8adde670c6360e0177ab9fa0b2ce2575d9f73fa36797c5b0ac48b9aa5a8fe6888e79d6ca1483fba50e3c05faede42329a09c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
49KB

MD5
78ffeb7746f2f1dc312ec997aa7b0b5f

SHA1
fff5d9f5cd096edded0eaaee83b942758d49f7b9

SHA256
4e4fb1cfb9fbb01e1505636f23048c182d932571b30466f9e1ccaddb6b093c28

SHA512
2f1fde78e3f45e1d3599d7368b7d617e2eb07bdd9d60bf218ff860a3a76fb37e0f2cb73e9f8e5d20279184a9fe8f44b114e5c63cc7278475218ab1bddc99da8c

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
49KB

MD5
50ef4555d5181daf2f68f2838f52da6e

SHA1
5bb34f0eff5e14a586dba8a2e20dd57f6731d123

SHA256
4f295079753bdd66e7ef7f976e6ceaaff2afe8a110a3da4235037798d347ac2b

SHA512
5b8944af49b9d2dc78391aba3b363f940569632bbb4837c2ac2f4bf7c4a10c8873ff3f55ca730fef52c74cb7b8349416d5b8d6d9152a537152708083f8f9e86f

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
49KB

MD5
7ec42d6e2d7f427273c8d183e73c3e6c

SHA1
d17720e86b2083fed5d268880d4d1bb62faff2a3

SHA256
04792ca203caabc80889105fed5e99135b49b0af94c4a5f83cdc016c0074ed69

SHA512
9a555d1df033f977e1331a10e26434101f1b2c960f870f240391b45dfc7e5cc6ae8c871304b934da568450f3bcf1a7bc20ad52c80aca9700de6bb8d80a0e4e4c

Download Submit
memory/228-160-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/452-335-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/536-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/548-468-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/832-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-371-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1208-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1400-431-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1432-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1464-462-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1524-528-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1564-510-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1584-486-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1604-480-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1720-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1820-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1940-450-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2124-341-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2276-315-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2340-291-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2368-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2384-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2488-589-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2488-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2648-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2648-554-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2692-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2700-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2716-241-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2728-279-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2736-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2824-534-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2824-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2824-1-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/2908-389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2912-575-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2912-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2948-377-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2980-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3116-568-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3116-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3156-273-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3192-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3272-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3308-419-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3412-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3444-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3504-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3512-541-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3536-516-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3732-474-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3776-120-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3788-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3976-395-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4048-444-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-425-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4148-365-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4216-492-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4272-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4276-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4336-438-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4348-248-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4372-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4408-209-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4424-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4440-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4448-304-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4460-329-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4500-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4564-502-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4584-224-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4588-522-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-561-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4688-456-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4696-383-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4760-535-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4768-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-547-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4828-413-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4888-504-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4912-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4956-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4972-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4980-257-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5048-582-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5048-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5104-323-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5160-548-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5204-555-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5260-562-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5304-569-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5368-576-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5408-909-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5412-583-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5456-945-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5632-938-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5736-900-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads