be4a4280142d5ad6ce0e7f589caf092a562eebd39e65e30d617d87d3cf5122b7

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 09:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3485be9f40adba5ceb1bc28c4e77890N.exe
Size

80KB
MD5

a3485be9f40adba5ceb1bc28c4e77890
SHA1

c75d741a7fbb6116cefe3d80b51f8a5472f04cc5
SHA256

be4a4280142d5ad6ce0e7f589caf092a562eebd39e65e30d617d87d3cf5122b7
SHA512

bf9fc4e811fe90edb3afd4ecc94e11087f5a412d7f25a19cd1a9590f8af6d49b4ffab8eb1d4de7c1e693955914d11e4c3b7d6d3332373181fc60a38292f9a3af
SSDEEP

1536:pqSQHK19VUmsCo7lme0TvVnoeQMEtS2LVaIZTJ+7LhkiB0:pqSMK19VUihoEkVaMU7ui

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3485be9f40adba5ceb1bc28c4e77890N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe

Executes dropped EXE 64 IoCs

pid	Process
1140	Nlmllkja.exe
1320	Ncfdie32.exe
3208	Njqmepik.exe
3392	Nnlhfn32.exe
4168	Npjebj32.exe
4924	Ncianepl.exe
3192	Nfgmjqop.exe
3128	Nnneknob.exe
4688	Npmagine.exe
1052	Nckndeni.exe
3936	Nfjjppmm.exe
4660	Olcbmj32.exe
2592	Odkjng32.exe
336	Oflgep32.exe
2288	Olfobjbg.exe
4200	Odmgcgbi.exe
4296	Ofnckp32.exe
4680	Oneklm32.exe
4852	Olhlhjpd.exe
1756	Ocbddc32.exe
4840	Ojllan32.exe
1348	Olkhmi32.exe
4240	Odapnf32.exe
820	Ofcmfodb.exe
2188	Ojoign32.exe
4744	Oddmdf32.exe
2160	Ogbipa32.exe
4364	Ojaelm32.exe
2236	Pmoahijl.exe
4536	Pcijeb32.exe
3168	Pjcbbmif.exe
1652	Pnonbk32.exe
4236	Pdifoehl.exe
2524	Pclgkb32.exe
1232	Pfjcgn32.exe
3992	Pjeoglgc.exe
2740	Pnakhkol.exe
1220	Pqpgdfnp.exe
2180	Pcncpbmd.exe
1608	Pflplnlg.exe
5016	Pqbdjfln.exe
4280	Pcppfaka.exe
1284	Pjjhbl32.exe
2572	Pmidog32.exe
844	Pqdqof32.exe
1548	Pcbmka32.exe
1964	Pgnilpah.exe
456	Qnhahj32.exe
4932	Qqfmde32.exe
2492	Qceiaa32.exe
1120	Qgqeappe.exe
2988	Qnjnnj32.exe
3480	Qmmnjfnl.exe
3620	Qddfkd32.exe
1260	Qgcbgo32.exe
1132	Ajanck32.exe
1992	Ampkof32.exe
2920	Adgbpc32.exe
3068	Acjclpcf.exe
756	Afhohlbj.exe
620	Anogiicl.exe
1488	Aqncedbp.exe
3956	Aclpap32.exe
3544	Agglboim.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	5580	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3485be9f40adba5ceb1bc28c4e77890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1140	1256	a3485be9f40adba5ceb1bc28c4e77890N.exe	83
PID 1256 wrote to memory of 1140	1256	a3485be9f40adba5ceb1bc28c4e77890N.exe	83
PID 1256 wrote to memory of 1140	1256	a3485be9f40adba5ceb1bc28c4e77890N.exe	83
PID 1140 wrote to memory of 1320	1140	Nlmllkja.exe	84
PID 1140 wrote to memory of 1320	1140	Nlmllkja.exe	84
PID 1140 wrote to memory of 1320	1140	Nlmllkja.exe	84
PID 1320 wrote to memory of 3208	1320	Ncfdie32.exe	85
PID 1320 wrote to memory of 3208	1320	Ncfdie32.exe	85
PID 1320 wrote to memory of 3208	1320	Ncfdie32.exe	85
PID 3208 wrote to memory of 3392	3208	Njqmepik.exe	86
PID 3208 wrote to memory of 3392	3208	Njqmepik.exe	86
PID 3208 wrote to memory of 3392	3208	Njqmepik.exe	86
PID 3392 wrote to memory of 4168	3392	Nnlhfn32.exe	87
PID 3392 wrote to memory of 4168	3392	Nnlhfn32.exe	87
PID 3392 wrote to memory of 4168	3392	Nnlhfn32.exe	87
PID 4168 wrote to memory of 4924	4168	Npjebj32.exe	89
PID 4168 wrote to memory of 4924	4168	Npjebj32.exe	89
PID 4168 wrote to memory of 4924	4168	Npjebj32.exe	89
PID 4924 wrote to memory of 3192	4924	Ncianepl.exe	90
PID 4924 wrote to memory of 3192	4924	Ncianepl.exe	90
PID 4924 wrote to memory of 3192	4924	Ncianepl.exe	90
PID 3192 wrote to memory of 3128	3192	Nfgmjqop.exe	91
PID 3192 wrote to memory of 3128	3192	Nfgmjqop.exe	91
PID 3192 wrote to memory of 3128	3192	Nfgmjqop.exe	91
PID 3128 wrote to memory of 4688	3128	Nnneknob.exe	92
PID 3128 wrote to memory of 4688	3128	Nnneknob.exe	92
PID 3128 wrote to memory of 4688	3128	Nnneknob.exe	92
PID 4688 wrote to memory of 1052	4688	Npmagine.exe	93
PID 4688 wrote to memory of 1052	4688	Npmagine.exe	93
PID 4688 wrote to memory of 1052	4688	Npmagine.exe	93
PID 1052 wrote to memory of 3936	1052	Nckndeni.exe	94
PID 1052 wrote to memory of 3936	1052	Nckndeni.exe	94
PID 1052 wrote to memory of 3936	1052	Nckndeni.exe	94
PID 3936 wrote to memory of 4660	3936	Nfjjppmm.exe	96
PID 3936 wrote to memory of 4660	3936	Nfjjppmm.exe	96
PID 3936 wrote to memory of 4660	3936	Nfjjppmm.exe	96
PID 4660 wrote to memory of 2592	4660	Olcbmj32.exe	97
PID 4660 wrote to memory of 2592	4660	Olcbmj32.exe	97
PID 4660 wrote to memory of 2592	4660	Olcbmj32.exe	97
PID 2592 wrote to memory of 336	2592	Odkjng32.exe	98
PID 2592 wrote to memory of 336	2592	Odkjng32.exe	98
PID 2592 wrote to memory of 336	2592	Odkjng32.exe	98
PID 336 wrote to memory of 2288	336	Oflgep32.exe	99
PID 336 wrote to memory of 2288	336	Oflgep32.exe	99
PID 336 wrote to memory of 2288	336	Oflgep32.exe	99
PID 2288 wrote to memory of 4200	2288	Olfobjbg.exe	101
PID 2288 wrote to memory of 4200	2288	Olfobjbg.exe	101
PID 2288 wrote to memory of 4200	2288	Olfobjbg.exe	101
PID 4200 wrote to memory of 4296	4200	Odmgcgbi.exe	102
PID 4200 wrote to memory of 4296	4200	Odmgcgbi.exe	102
PID 4200 wrote to memory of 4296	4200	Odmgcgbi.exe	102
PID 4296 wrote to memory of 4680	4296	Ofnckp32.exe	103
PID 4296 wrote to memory of 4680	4296	Ofnckp32.exe	103
PID 4296 wrote to memory of 4680	4296	Ofnckp32.exe	103
PID 4680 wrote to memory of 4852	4680	Oneklm32.exe	104
PID 4680 wrote to memory of 4852	4680	Oneklm32.exe	104
PID 4680 wrote to memory of 4852	4680	Oneklm32.exe	104
PID 4852 wrote to memory of 1756	4852	Olhlhjpd.exe	105
PID 4852 wrote to memory of 1756	4852	Olhlhjpd.exe	105
PID 4852 wrote to memory of 1756	4852	Olhlhjpd.exe	105
PID 1756 wrote to memory of 4840	1756	Ocbddc32.exe	106
PID 1756 wrote to memory of 4840	1756	Ocbddc32.exe	106
PID 1756 wrote to memory of 4840	1756	Ocbddc32.exe	106
PID 4840 wrote to memory of 1348	4840	Ojllan32.exe	107

C:\Users\Admin\AppData\Local\Temp\a3485be9f40adba5ceb1bc28c4e77890N.exe
"C:\Users\Admin\AppData\Local\Temp\a3485be9f40adba5ceb1bc28c4e77890N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\Nlmllkja.exe
  C:\Windows\system32\Nlmllkja.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\Ncfdie32.exe
    C:\Windows\system32\Ncfdie32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\Njqmepik.exe
      C:\Windows\system32\Njqmepik.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        54⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        62⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        63⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4808
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        83⤵
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        84⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        88⤵
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        99⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        104⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        105⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        111⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        113⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5044
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        116⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        118⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 400
        121⤵
        Program crash
        
        PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5580 -ip 5580
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
12ecc8055410218712aef7e0b18eeeb1

SHA1
5e50b16b5d09024ffb27aeb199233dc54e0c7763

SHA256
f653972a26f4fee1c7ce64801c4bad6a572ba5ffdfb7ccc50c742684a1fbf0ce

SHA512
ba7a35d754e52fbc18c2c9146def4c8cfd0bfec5a91a465b930038c3a15c2b56332fd572dcdb85e27cb7050cbfdba437be240e8ccf1825f708f8d71f82b33c48

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
64KB

MD5
b800388c96b88ef9163b7af47d35fa98

SHA1
b7cb6dce636da070410005487ca6ef205e709ad2

SHA256
15873de3f9680cdb9884340affb5e9c6bfb03eff2e321958922764b8dbb19cb1

SHA512
f96a0ab7e1f00897f2da9eeff884b07ac15afc25680b1cf86320cf93d8c22a7a6aaadb133619c701f165dc074d7086249301a9bf75f13f7c1426cfd29e6d7f06

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
866a8b98028e075d27d47aa843f3d1ca

SHA1
1632d92ac7b3686fe5853e10c5d5340fa2a99072

SHA256
2e8655165bae31eb6a2ef27ab55a7e32fe4aedb554e5d95d57a1f41c8f54f22a

SHA512
4ec6900954641e59b8d13325f2622bcbf958d0bb16b71e59f1f64b78924ef10d81e16aac73188fc5b5bc66dd4790a4aaabe832c0464a37b8562ef298f5346866

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
bec156e42a02518b166d187e68de7ccb

SHA1
c9b9b9a1c92e6e9adbe67c59dc9d9db7f11c4448

SHA256
086057d15f9203a1f421a958a682a656bb1f7094537bb56922149ae78dc2985a

SHA512
e1648c3b22431d434371f6b3ba192cce332d22104614c21ee0d7df6fbbc613bc58b98b71e7370f2ebe9520667d566e74738073f45db175a8c5e05bfe5dc35d48

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
db0666cb4b9bfe422f3c61a5f77d2df9

SHA1
d51c366b241760bdd56e2b17bbd80f5c69d28693

SHA256
6f76061b20ceb4474c90da6c5d31eb47b7998f6c1f24dd5a75f7261269331fa1

SHA512
00f172c5e78d3933a5fc04e17f85489a9adf227d85a297d9e7e24bd846aa293d38ff6a53fea4bfe44115695f14e4b7a3102c869726506eafda5e148f820f2297

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
80KB

MD5
9689cf430af1c04b637d657094f6f6d1

SHA1
691be849852e4c2445b2b3771c6969f649dd483a

SHA256
f5b03bae5a9ec32870b79d9fbf6fac86b5c4f5bfb3331e7875f2cc46a3980ee0

SHA512
b31f98f65af27f399d03b396e7db37dcebd6bb1b71258983a227b0d98b3a42bc567f5cb2a30ac60393c25c13faa7be41597a47141e2a2f786d71990df15088d7

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
80KB

MD5
80676f32a6ab0e6fdcf6c72e2dfb7321

SHA1
5bd09eb81491f69b51e110d000c46ae20b4e51a8

SHA256
a02aedd8d21e2a93d5432c687d9e2fcf9d8e49367dd46940fffbc608a00f24ee

SHA512
8888e48523b22203716ebb914b0b31c94c8f97c8aabfc688bfc74f483f82a93319dcf3c49100d16d4f404d6a831da79fa9a967acf06b7f3b694bf1adae98aad6

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
80KB

MD5
29185e6ebe17b501ce72ad70954bcd7d

SHA1
26678b1a768e8619f393628c0dcfbd2228b1075e

SHA256
a3e6cbcd1ac4b3f2b2a773b0e51ac9d4fcfeeceb020e3d6c6a6dbc9fd4de1c33

SHA512
dfd85a79bf71b044c767e0e112b354b0041caf713d207bdc63dfef91b3223072785eb5d1ac21a98e57f3652a26c90a7fd3dd8c4bf327988cfcabd652a16cff2c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
80KB

MD5
8bb72b54376c903a333797db62089223

SHA1
24df4f6ea3efaac8e454e8fbb86a1f1fe0ce0364

SHA256
0e03184466fe6ffb3ca005246e925720ec0095c474c0f9aab29dab9ce22a0e22

SHA512
cd2a95cf52351036342c21ed201e3aa4e6afb23d64ab52abb09217950f6cbb579001fcb06dd5b173bc375ac9b3762f1facc039ccedae64dfc1461fad9679a2cc

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
80KB

MD5
ca3c3ec8de52fddf759c0814006f1813

SHA1
c19f4626e8627102593ab47eaedf07c2a9227209

SHA256
5ccf38a2f07ddd04cb514dddd0c446b8a0ba823717d9ace6cfafd31fd4072a0a

SHA512
a88b11af019c649300ae86a65f0c5f1e6063fee0e1b8daa83387e060ff2220431dafdc7ae4d39a582eba16fab17bef5d22616109df89e46c870d74a3a63db51a

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
80KB

MD5
79b42e0d58f7f615686b62bcc5531632

SHA1
8d4a1f534e0779c2d3fdd6445876ff954c01d0cd

SHA256
94835f4e11895a4fe742860bf5ecbcc9a00dc2fa057a49b1c417eef064c7f7af

SHA512
2caada076f5287c703f84ac070400ff53c5d7cec596148ebd844aec1b12edefb1dfa01eac60111af3181b079ae549158b4545696cb3b0bb8858b18d6f046bf37

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
80KB

MD5
33eb0f05ba9b8f9c5b4828f754dedd4a

SHA1
12a65c92e849f2ba2a5c970bdd459cf31a239767

SHA256
a55c025f6b161143f21202a0ae1ab982eaa00ccf7dfed4688b55a9a45d653f3c

SHA512
3bdaf4da2c5812e1dad62ad1a7a7c8b2b123ff147f080ff66ffd06a785cdfbfc7370429f3cb0f09b7b55bce5659c03fa70370bd0a6591f493fee196b59857950

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
80KB

MD5
dbe0484dfdcdc26578f8f1ee39be53aa

SHA1
f0f07df2e457058b8347f32c0a563280c6fde58e

SHA256
dc2f028806c80bbb62a6074abe586b4a8b815c4e7ec44407a72af865f821f09f

SHA512
b08578d328bddb4c01e9e2cd636a75647292412f8712429fdb60dcb4c001fcce146f19c86d8c1da686fe4c2cbb580301f7a20790defd56fbec4f95e5db7d6aa7

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
80KB

MD5
13b4876addd1becb8e8b888d832d5cda

SHA1
414bde7c524e9d0f6a7d2efc6797b0d60b4710f6

SHA256
f354fd3e691efb5797e43937d424497dc9bf418fc1761accdf841d0e5eba59c7

SHA512
0f5f2ceac220436e8da59b2a25f223a2bb9ebc47356ba2b8460b2d10d4b43d896cfc83dc61fe70856a0a9d8c04ccfac607f8f149b5b852e1abe6bf8407294c3e

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
80KB

MD5
0b954fa8403e7f2b72f12d6ac57c8c35

SHA1
8b42541fb38b8e798692a24e039a4c3986a4455c

SHA256
540f2fa2352b6fd5a8a4db41b822f6f99d0ff6a7c6502da2c638ac4a5edd597d

SHA512
a5397dcd55fde2770851d3b194bb1bc7fda252d12c8a910479b64a5ac2e53a833df87f19d89b9f54836acb17360e7cfaafe05134ce7f9330a25b4ad1710f3857

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
80KB

MD5
9ececb9c6d3a8edab6b20d38ebbb24fc

SHA1
c8c5b12743987b3f30cc7e82554628a7e9fe7a77

SHA256
d787ba460295c427530b83a99f698dbf6ce943206821ec6922b27dfb8a65eea2

SHA512
e970053a23c50b82f21b1ade12fce935c42cb6fa0ba4c7d0c2dcfe46a2eaf752dd71d83feac845acc4f600a8a0ee50310a144bc242fc0d5025b4fbac35c4a821

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
80KB

MD5
0c43924de2c5a28f26c3f6507a170964

SHA1
181357a27a5902766725aea9c26adcd645a90660

SHA256
eb715ae54b62ddbef9f5753d482959347a14bd318bcfd0574282a6f40c9d459e

SHA512
398fa98938b25d4064ce2416d663624f7b22ddde1b04da7146ad3a22b5c13f833cbda3d5b2798445129d0b02683047da6210f58f336f4f24fc5bb9cc9acf57b8

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
80KB

MD5
46edf98e7d5ce83bfee4725ec88fd3f8

SHA1
0d86003920ba01a720484b105a24b9c39f5f25da

SHA256
ec7f6768abe97d7341656062e56e4f43df090742089a2975b384debfd9249bea

SHA512
db1ae3b2cc1c7d8f18cbe49d64d0b3f4511c3e226339765307a538a7c87204fc8c60daf63d9e47874c4590663cb2c321220e27a80c93abdfb637fc6637f6737e

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
80KB

MD5
b0cc050f4cdc303b88ccf16768b0f940

SHA1
4b6578b20680c306f0a5d4473c54643d9d8778f1

SHA256
aa006f8a78fc90e7f059989762bb3bd5ee1ea2850194cc2af7318fd1ac291cd2

SHA512
4895ed4782030d9bb5448fb09105e818a458da92c1bd0da06512487ad776ffd18d02d51c477495ff4f08b90babcebfbabc1a45d90ffa3d2ef45af2cf1b48c74d

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
80KB

MD5
3556fc08501694e6e8876487e4202c4a

SHA1
9b5302b0e3bf28a1cda3b93ebdbfca703f9c4deb

SHA256
d3c4f978aaf8ed62fe0038fcceb570bd424d95b623e004da10a08c3b3b2fd95f

SHA512
ba8aa6665f168b6cd8c2cb71b18c2432cbb67aa36f02a96e53147f19d152abbd9d1d71555a1059f738e170187c5f8223b8eb2ed34d5c52b65feb7cc56d9cd15d

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
80KB

MD5
5a9be691f4ef8c0dc2311e684131fc10

SHA1
9469a1a31dbfd5b711b6642624594dd11bc47b5f

SHA256
f2f3d5b94c2c93b7798a0ea52ce54d6cb32f8fa98fa8b260671859ea38cf346a

SHA512
bf52154297a7e4c38bd5a2520538db8ba25c686d3fa728a61daf70562b78e512667ec4ee9414465bd9009288c1774e56ec3a7d89b523f229d34592c333550bd0

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
80KB

MD5
c116367cef3674e29a4ab8db64c63f3d

SHA1
417b5070ecbd30c440ecd93c7cc982f5fd33b086

SHA256
1ef7fc16915051c3976c02a3e6fa16770c8b3ae54d58441559fc9fbad6dde82e

SHA512
07ee78170fa7dae326984dd91fe182b845b4d2499bb2c4f18ffc8e2cc784a31ba38f0b9759ce9f70e98fd32155a838ad9e9e782f49eb357af0831f34e25bc10e

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
80KB

MD5
9592676ce79bb2b276e0971b1cf072fe

SHA1
fd58703bf79adec8170e0839e93f15e633ec3fef

SHA256
0e54f8ad7117f500eb9f354c5001199202da9fe96140d0af1325a13936993adb

SHA512
ae421d75cbd16de5271032adbf964cf3f5951afb9a95542b0ba19e2317c87e0c5a15c33cf53b985aea9cafa50addaf569ed998a932d8375ace91543404725852

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
80KB

MD5
6d3ec034f7134c121011f1563b5dc288

SHA1
86ccff20fd31e5db9633cef447b080108dc0a1cc

SHA256
6ef6b5331de05e8ca228de6c9b495a87ddeac864e20fd5358f7850b967ac85f1

SHA512
039f81d96ba8c59f1b5988041c3ea212bd83d1fa716b99d9c1e1eea88a36dc4686b830b26952ba4006b4788ae8be94b1d72ae08fcb0c5e1211f747cfe31aaca4

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
80KB

MD5
233eaa50f4f2564d72d6ba0d06335031

SHA1
31b2778fd92f93773fc93de4d59e9b651b7ddfe5

SHA256
df76fcc707364de8d29d7e358028554f2bf35e50be14be57ad571bdf7e4e7378

SHA512
322079b13a02e373cb71f7cd7c535d5848705e2d7bad6b3409058901c1d2e12ff53e5ca14794bd4c0064381ffbe3adf6410e43105244126474c5f77229d17860

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
80KB

MD5
2bdf80e35eaef963ffd3e5ac066c6827

SHA1
26c161bde601a36ae9a9449b7e8ffb10f11e9086

SHA256
26c75cd512b71da69cb1847925077080a2ab3e692823116cd8817f743e376ca6

SHA512
8cae98814f0547c520e99a4d4bfee226d5308b5cddbf69652bf8e6f40f86cc17d6d20b83b853bdcd36c10a556327e33c1867e12a104cec2d9771e1929bd27c22

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
80KB

MD5
b02d10b4463fc547d761431edf334a72

SHA1
753fbe463536825892827f19d5e81763026fbd6b

SHA256
f724989f256689b1919c31c8350eaa8345d8e9bf3abc6e8c8ec119cb1b2678fb

SHA512
22728c7cc13db03cf02d5b58732ba01a00d48f22a966d349ffb6572f19abc61d84df149d23fa247e6106a6fe7a22c2186f637cd215ecb3a8b2d17ea21becca3e

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
80KB

MD5
26d9f591d5e727f7e818fedd4032ed43

SHA1
b2af83a23f68fe7b2a30c4cdc55087d3eb98b66b

SHA256
5abac960382e0e20db311bb7344ea3d4dc3174a28cb5af1154df1c4228aa84cf

SHA512
9850ec8a0df31db00f643af2050399b4de1bba601fe2a95b7f87a8c7b0e1c28d03d1f70254d9e20a42606a976ec0d8376d77ed3a35a55ca38b03274e81c77b35

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
80KB

MD5
6a320bb1e857174eae987687a3dfac06

SHA1
6519578096e037921b283f19111270a5d57d5da6

SHA256
56f83e6759ec74a265006c602dff21a9fc0a04a977f6cca938f62d3d4da0c279

SHA512
8491492c9b52a0cbc9751bfc64fc95c6998bc01ccc11ee53dcffa62d30ca270c272eb6b879df4d3b12b68bc47a08f4407f4a8fbf010077bc584e900aa34540df

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
80KB

MD5
0878a719c5f046a877c0b6a975b131c8

SHA1
824c51251bb9a33abed9f1b40d8272e24e0b2312

SHA256
2ffeab1b71a5ef1a8ca7c2f1ac3d6ed0b53b31c4bf581afb879fe07d783886ce

SHA512
c3f00bf8dbcd7044e18077b70ea180922f507d3729f4acae26e9f21937fa496810b897097e560cc28ab993ff0a7a49350b23d7df55d1b488e51f9d19896ce9fd

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
80KB

MD5
2353077aa213ad679ade0463e6575f21

SHA1
c7d864ba3fc29438e9d649846ce70d9ca92ee871

SHA256
0b46dc045fbc322f5e1bfa9249b6a81d061a099435bfe1b95d78a4f2834933f6

SHA512
fce22112f434d10c216d9185e8913319a39a2b47e5062053884621eb18e0c187832ded660134e051c4ca86740926b0516f0e6fb5446f800e978230d12618b7b9

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
80KB

MD5
5c3def227e6800271b0d27928a069076

SHA1
f00a08d89c93012f11f3e99d7449de3fdc8c9b7d

SHA256
78652252debc7a551d63e1737e6b46e6312abf0b4d939aab8dcc98a8868c332a

SHA512
76f36e49d69ad0e4dfb046523a4647499f6d84809a2ddea0e01bf5fcd25f7480891c756616dd1dc1c3ca243220197bac60f40092673ccfbea49ff90c872ebdfe

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
80KB

MD5
6bdd38c6e86b676ff1c380873e083d52

SHA1
c29757eb44607767a05c85202ce3977110b1e2f9

SHA256
f4da4d579a96de3019818af427b74e4b5312aa728b21d5ba48bdd6be7cc936bf

SHA512
f83bdcbd610c909bd9f69fdeab54795f484048a7139b87b678a7511cc4dd885d7a53f55e08b3bfecd82393f276496649d3e7bcf4c3eccd1ca6ce93d0fdda4896

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
80KB

MD5
5b938755a72904b3b5157c10a674cbee

SHA1
b1e71ea7b33fa3b18be76dd770273a52ece32efc

SHA256
c411f7ae60ecc00b9332df354c88c2195c916ace0d932a9323e1d9dd1f5ed815

SHA512
ad5b31db677f8f273323c3d6325768af2a40b0a1da02635a34a9091cb169692dd20edbc7c109d1d640bb275c27cccf30f06990e849b616f8f01226c0809be9ac

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
80KB

MD5
982c9ce40b594a5b8ee6a464b6b36941

SHA1
9004943e853aa736376c954d9b698b6a8ed1dd53

SHA256
9b1f79dd6784935d84dc600e0c6b75b0ea2e16ef3ea233d85e19979e3a707958

SHA512
124ad8db96d6186477534c2723437b78d54c9c57870ceea025688eb189b022937e3f8b70d3c5b24d1979b3b92a690ce9668a58bf2da094763541208707d17430

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
80KB

MD5
f7a46b06cfccc84259405c58d15501f1

SHA1
266ce6b1643b4dd6341be1cef1c1d935961c273e

SHA256
985e51039d0dd9d90884aa8dc255ffd578bec6b6e3f5942a095bba411c0eb674

SHA512
e459c4a14c73a304966ca97a370e2fcbc47e3d10cce27252b95767a205ab5d7c230050894cbed9a6a70f1de9e102c0f6799138287cd005ebd12e9e640945650e

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
80KB

MD5
7698102dd03dc7c80f994a892d2e51e0

SHA1
39be125b2791c80a83d4bd950c8c29563216352e

SHA256
31616b4c48379ad714e16fd2bd59838d6deeaff77cf012bc69319ec05f7e47c2

SHA512
82c9ddd3512bd6504fdc2a6bc660435b8a7149b52248351762306c63f5b971a9c01babba00375ed04ad89f9ba09e86479ad07e1c7d427749d1c32b5d7be69481

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
dbb53da4506c0d4dadbfba32ce36201c

SHA1
40af8ff3c0dca43cad2936bdc631df78abf81261

SHA256
da1aa55a444614e4e83391d44eaab57ae9e2719f16ab01b8f6050e2dd5ac462d

SHA512
bf781782d517254136c58b69a234e35d4060841e39dd0f91f6f0fcb31faecfa419407b18d9bbe9fff3a08abd6bf1c13152a531796d3192897c205f4827154ba6

Download Submit
memory/336-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/336-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/456-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1120-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1140-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1140-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1256-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1260-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1320-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1320-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1652-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1652-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2160-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2160-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2236-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2236-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2524-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3168-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3392-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3392-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3620-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3936-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3936-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4680-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4852-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4852-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads