5466dd8bf6e04f61f2f908b96aed830722ab65bb563f526d4bc48702d9d51921

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7163654b056d3c01440efa3295539ef0N.exe
Size

399KB
MD5

7163654b056d3c01440efa3295539ef0
SHA1

a5547e04dc318712cca7341623596f340a81181d
SHA256

5466dd8bf6e04f61f2f908b96aed830722ab65bb563f526d4bc48702d9d51921
SHA512

e9af2643e01b41aa1ce1a4a343bac51492577a9c2171ccde2d7a31f7570ce4ef340562c2ba1fa911ef74bf7bcb15ea923a151d6e69ef7d171f3eb3878af687a0
SSDEEP

6144:DogFZ2IJPQ///NR5fLYG3eujPQ///NR5fuTFzAJxf4zh8J7iTv+GwN/:DFFU/NcZ7/NG+nf4SiTv+Ga

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7163654b056d3c01440efa3295539ef0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3944	Nebdoa32.exe
1616	Nnjlpo32.exe
3684	Nnlhfn32.exe
2276	Ncianepl.exe
4308	Nnneknob.exe
3452	Npmagine.exe
4952	Nckndeni.exe
1772	Nggjdc32.exe
4964	Oncofm32.exe
2824	Ocpgod32.exe
1240	Ofnckp32.exe
2128	Oneklm32.exe
3504	Ofqpqo32.exe
348	Olkhmi32.exe
2264	Ogpmjb32.exe
648	Ojoign32.exe
4092	Olmeci32.exe
2920	Oddmdf32.exe
3884	Pnlaml32.exe
4716	Pdfjifjo.exe
2952	Pfhfan32.exe
2328	Pqmjog32.exe
2332	Pfjcgn32.exe
856	Pnakhkol.exe
2212	Pgioqq32.exe
4592	Pmfhig32.exe
1000	Pcppfaka.exe
3644	Pnfdcjkg.exe
4344	Pdpmpdbd.exe
3300	Pgnilpah.exe
4500	Qmkadgpo.exe
4284	Qceiaa32.exe
3468	Qjoankoi.exe
3332	Qqijje32.exe
1492	Qcgffqei.exe
1212	Qffbbldm.exe
2760	Anmjcieo.exe
4196	Aqkgpedc.exe
4448	Afhohlbj.exe
1380	Ajckij32.exe
372	Ambgef32.exe
4688	Aclpap32.exe
2628	Agglboim.exe
388	Ajfhnjhq.exe
996	Aqppkd32.exe
1104	Aeklkchg.exe
2252	Afmhck32.exe
816	Andqdh32.exe
2688	Aabmqd32.exe
2220	Aglemn32.exe
3416	Anfmjhmd.exe
4972	Aminee32.exe
556	Accfbokl.exe
5004	Agoabn32.exe
1608	Bjmnoi32.exe
2304	Bebblb32.exe
5112	Bfdodjhm.exe
1208	Baicac32.exe
4940	Bgcknmop.exe
2948	Balpgb32.exe
560	Bnpppgdj.exe
1288	Beihma32.exe
2292	Bjfaeh32.exe
1392	Bapiabak.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	7163654b056d3c01440efa3295539ef0N.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	7163654b056d3c01440efa3295539ef0N.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5176	5008	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7163654b056d3c01440efa3295539ef0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7163654b056d3c01440efa3295539ef0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7163654b056d3c01440efa3295539ef0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3944	2312	7163654b056d3c01440efa3295539ef0N.exe	83
PID 2312 wrote to memory of 3944	2312	7163654b056d3c01440efa3295539ef0N.exe	83
PID 2312 wrote to memory of 3944	2312	7163654b056d3c01440efa3295539ef0N.exe	83
PID 3944 wrote to memory of 1616	3944	Nebdoa32.exe	84
PID 3944 wrote to memory of 1616	3944	Nebdoa32.exe	84
PID 3944 wrote to memory of 1616	3944	Nebdoa32.exe	84
PID 1616 wrote to memory of 3684	1616	Nnjlpo32.exe	87
PID 1616 wrote to memory of 3684	1616	Nnjlpo32.exe	87
PID 1616 wrote to memory of 3684	1616	Nnjlpo32.exe	87
PID 3684 wrote to memory of 2276	3684	Nnlhfn32.exe	88
PID 3684 wrote to memory of 2276	3684	Nnlhfn32.exe	88
PID 3684 wrote to memory of 2276	3684	Nnlhfn32.exe	88
PID 2276 wrote to memory of 4308	2276	Ncianepl.exe	89
PID 2276 wrote to memory of 4308	2276	Ncianepl.exe	89
PID 2276 wrote to memory of 4308	2276	Ncianepl.exe	89
PID 4308 wrote to memory of 3452	4308	Nnneknob.exe	91
PID 4308 wrote to memory of 3452	4308	Nnneknob.exe	91
PID 4308 wrote to memory of 3452	4308	Nnneknob.exe	91
PID 3452 wrote to memory of 4952	3452	Npmagine.exe	92
PID 3452 wrote to memory of 4952	3452	Npmagine.exe	92
PID 3452 wrote to memory of 4952	3452	Npmagine.exe	92
PID 4952 wrote to memory of 1772	4952	Nckndeni.exe	93
PID 4952 wrote to memory of 1772	4952	Nckndeni.exe	93
PID 4952 wrote to memory of 1772	4952	Nckndeni.exe	93
PID 1772 wrote to memory of 4964	1772	Nggjdc32.exe	94
PID 1772 wrote to memory of 4964	1772	Nggjdc32.exe	94
PID 1772 wrote to memory of 4964	1772	Nggjdc32.exe	94
PID 4964 wrote to memory of 2824	4964	Oncofm32.exe	95
PID 4964 wrote to memory of 2824	4964	Oncofm32.exe	95
PID 4964 wrote to memory of 2824	4964	Oncofm32.exe	95
PID 2824 wrote to memory of 1240	2824	Ocpgod32.exe	96
PID 2824 wrote to memory of 1240	2824	Ocpgod32.exe	96
PID 2824 wrote to memory of 1240	2824	Ocpgod32.exe	96
PID 1240 wrote to memory of 2128	1240	Ofnckp32.exe	97
PID 1240 wrote to memory of 2128	1240	Ofnckp32.exe	97
PID 1240 wrote to memory of 2128	1240	Ofnckp32.exe	97
PID 2128 wrote to memory of 3504	2128	Oneklm32.exe	98
PID 2128 wrote to memory of 3504	2128	Oneklm32.exe	98
PID 2128 wrote to memory of 3504	2128	Oneklm32.exe	98
PID 3504 wrote to memory of 348	3504	Ofqpqo32.exe	99
PID 3504 wrote to memory of 348	3504	Ofqpqo32.exe	99
PID 3504 wrote to memory of 348	3504	Ofqpqo32.exe	99
PID 348 wrote to memory of 2264	348	Olkhmi32.exe	100
PID 348 wrote to memory of 2264	348	Olkhmi32.exe	100
PID 348 wrote to memory of 2264	348	Olkhmi32.exe	100
PID 2264 wrote to memory of 648	2264	Ogpmjb32.exe	101
PID 2264 wrote to memory of 648	2264	Ogpmjb32.exe	101
PID 2264 wrote to memory of 648	2264	Ogpmjb32.exe	101
PID 648 wrote to memory of 4092	648	Ojoign32.exe	102
PID 648 wrote to memory of 4092	648	Ojoign32.exe	102
PID 648 wrote to memory of 4092	648	Ojoign32.exe	102
PID 4092 wrote to memory of 2920	4092	Olmeci32.exe	103
PID 4092 wrote to memory of 2920	4092	Olmeci32.exe	103
PID 4092 wrote to memory of 2920	4092	Olmeci32.exe	103
PID 2920 wrote to memory of 3884	2920	Oddmdf32.exe	104
PID 2920 wrote to memory of 3884	2920	Oddmdf32.exe	104
PID 2920 wrote to memory of 3884	2920	Oddmdf32.exe	104
PID 3884 wrote to memory of 4716	3884	Pnlaml32.exe	105
PID 3884 wrote to memory of 4716	3884	Pnlaml32.exe	105
PID 3884 wrote to memory of 4716	3884	Pnlaml32.exe	105
PID 4716 wrote to memory of 2952	4716	Pdfjifjo.exe	106
PID 4716 wrote to memory of 2952	4716	Pdfjifjo.exe	106
PID 4716 wrote to memory of 2952	4716	Pdfjifjo.exe	106
PID 2952 wrote to memory of 2328	2952	Pfhfan32.exe	107

C:\Users\Admin\AppData\Local\Temp\7163654b056d3c01440efa3295539ef0N.exe
"C:\Users\Admin\AppData\Local\Temp\7163654b056d3c01440efa3295539ef0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Nebdoa32.exe
  C:\Windows\system32\Nebdoa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\Nnjlpo32.exe
    C:\Windows\system32\Nnjlpo32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\Nnlhfn32.exe
      C:\Windows\system32\Nnlhfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        34⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        36⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        67⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        71⤵
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        72⤵
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        87⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 396
        91⤵
        Program crash
        
        PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5008 -ip 5008
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
399KB

MD5
e99a2879a8027ca693b0fb08cfb1ee4a

SHA1
623421aeddc22cfbe22fc6eda102ce7d25bd2a0d

SHA256
af71397d0adacf7ccb8b1a7113264c6913f554f05ac1f35f5cea7ba887e8b4cb

SHA512
0855974bf778c33d971832045ae7ba967719fed6cf788677cdb315b0a99078b757a214b5a4c658eb85b19353a8d0906482a3bd7a12c0bac3d17d7a34dc1e9498

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
399KB

MD5
cb81678e745ac21839c1ac336195c30f

SHA1
27fa35f97222a21edc681aa7914d2aecbc706fb9

SHA256
96666790bd80c6db0dc5fa2a37bdf418bf51383e07db634d32a4fe19ba0643f9

SHA512
57690e691ec37576d17342e14e8b23388e38ee6a0a863ba8315b19f1da490144b033679d11c823c4fb04d1333e15b623f6c4d9a33d01a6ab65a6577583710307

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
399KB

MD5
f887aab0822b93fc4f7f560457fa0a2a

SHA1
cf855411f31068d84767ff3d5667f914da126da4

SHA256
ca49b4ca403d134bd28685e583c3d38184b52d4eee4775871d908e4296b15b8a

SHA512
e473475a076e17144d64742e1c74de68e09235bea3a618bc71b66c444a49b227f47272c1868e80cf431355b82aabc97422766f53a4195fd416f799e32c4f972d

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
399KB

MD5
e29ed8ce5628104e99c4b98a3368764f

SHA1
15a7870e7d9a553d12ddbdce8a604fe0e3a3cf81

SHA256
438967a91ca13301670f2afef3f0ee475ffcaef240b618958041d4cb714f9c1d

SHA512
f97aa7b50a74fcf7b97152187850a4ad5ea53cc376ef435f8c4a6d177dbec7da9268c140572a88a4c7575b10cec084909133ad311152a1e075ffaaa562bfe7f4

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
399KB

MD5
a7dbc08e7d2ffaac7b4feb8f3b0282aa

SHA1
85851fd5d8c2d1923010bbdc301d0d7876a464f3

SHA256
303d2ecdd77b9ce773303ae15b107a8f6f155ab764070c2e8ed0ea4d61414ef3

SHA512
818ec7ef26b95a17863870ff398640c84f4381d02f15f9d595d9ea7f7802eb8bb079045b00d90bed1c5c383e20992fae7b6c770ca659cfc00dec27010ed9a7ab

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
399KB

MD5
28fc1432a74c911941f3819a62e6af77

SHA1
a6a1f72ee85db7a3468735c1a5a47ef97bf3473d

SHA256
49f1f57060bbd4aa82c29fb7ecfa520dd0c523f48f115e33959ff5db527e1a1a

SHA512
338f5bdde70ed0132ad2b2266019835f080f495fb17bcd0f67d60b97ac93af8f4e650060e66131d289391d487515b99fd123f7fd4533ccd997fbbf0076ca78df

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
399KB

MD5
ed7a3e4de65aaef8415a21a0cb18aa8e

SHA1
7343c6f377a09eecf6eb1d6ac752e26ea3ff27b7

SHA256
10379b1ba0237fcbe946e94f70b1573a8bf1ca05969ab73c2c2c0bea91bad7e8

SHA512
df9a021dbcf7db6bc4df8b38f9d74e061f53e8d7c98af2b750f229e9b76be880f9681cdebdf7284d8201ca8f523ee7d63e3f9a0217ed767c0e171daa4f4db0e6

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
399KB

MD5
a4ce9a506f0b314c263973e41adbd8cf

SHA1
d7e741e4e98bb45c561be5838f320a298231baf7

SHA256
8d0e057500f22aefd026ccefdf6d134a462e49f1c4eebf2d3a0a011ea11d8a01

SHA512
b5c2f0f4bc78e631aabaf4c7ff25dc11825e294a12f359b7a4bfb743be06c816849df3011ef9a8222acd81ff2cf863464530be60263f215552c0fe6c8566f00d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
399KB

MD5
1eb02cfd844d3132e0ea9ae923a31f87

SHA1
38238e056235cfbbee0f766adbd12b83e91d121f

SHA256
c3eb4d6a6c07168bdb9987b4c062730b6468ac29ab34f397ba20b0c9b9beef74

SHA512
2c410e2c40f50e47fbaf8d53192146fe982759b92d143134d6b7160e638d2b8f9c8909d76a1a17e154716bde4520019c703fde98e31f9a049249ac1578617b16

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
399KB

MD5
503e956fe78915b01e3a71d2f4d771eb

SHA1
9e293048a528505881d95fc1e04c0d8caf986580

SHA256
af496756cb1b6529351cb076030d66832044495db8fda047f8601a6295cbf98d

SHA512
ecb312b07119dbecc3c5a078cdbe0a5625a763a0fa1f50afdffe90c97643c12d22a19ab426f06186f541a331f973e523bc2b0c8a9642fab6ca9ddb37745be192

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
399KB

MD5
5be3a0d74013bd6b591f7d7f692d8934

SHA1
544f8cb9d557cb076b3a74663bc3c3ebe91433b9

SHA256
82e7eda3c855776a5a25888b0e81bd59ab84af9510d4e61227a233145f6be6fc

SHA512
df4f96d2780e2e6ad6281a9308bcbac26333e28f74952a7a2811b2624d669198301976e43b728674a1cef8dbdbb22017fa390b7eed129763814a9275d5d17070

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
399KB

MD5
9bc86263a979742f6fa69f2f5f267e86

SHA1
adfb38dbee3e947333864835b154b0b5754920d0

SHA256
b238309a67651e19cc1ae0bee343b26169522033e561282401735cce6d967b0d

SHA512
4b812eb7780aa2a300b2c271b2fe0bd6da2a5d521d7e16ce234f6133cd5c604cc92a3e540dc62f19f05ae2760c99bf178c51d655ba7f5ad4d0e373179040bfe3

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
399KB

MD5
38927b902f3d5962e6aa23fd01b37db1

SHA1
e32ae80b702bafe0ccc79d8c9cf84e6ba72d9894

SHA256
f5b3f65f09b651ca7d7f8465a4c11e9010a057daa77d7ad95c13dd799efe391c

SHA512
6ae390f4997e4e8486c5e2fadb417757356ff384b8f0d5243ff854333f54cb2c8dcbf1cf6b4b760a2c8df0073de5f15dec550411872c38815ebe3d613369b44f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
399KB

MD5
39592780decc160aa88427d2bdb9bd39

SHA1
59c3aee4e6b5427379b20a1edc0ce80cb5eb9dff

SHA256
99b793a121cd0f71d3ae1ae95b4dd4a79964db20d77c65d83c19ae744cc763cb

SHA512
fbad64068840267417b1a9d24c533fd02f647866a76e38450e19c2289f1d6447a41775ba5d979f626f5b0f3672bef3484d4278c29e06209990fec4029dffd9e0

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
399KB

MD5
dca79ce7de0d0f55ca6eb933f009169b

SHA1
a6ea6b3a9a63f00ce20c43226b332e34e6dfe730

SHA256
b9cdde569a6415eb717e98bb75292af1b7dcbab8d9830f35dd219223aa6fb53c

SHA512
493921bb55722b3722a0c9fcffd14a16eb061751f224a00f506df00b911d884f20e6571677fc3411fead5a52153d189069c444ffe38680c0f1b816dfeb25fac8

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
399KB

MD5
5866e289671313bf7d1c9f7eb83f1854

SHA1
63634bba389cd8866ddb791e62f5a95bbd33b185

SHA256
bcec023a7e17cfcdabf6a3b4c1cceb6822457dae98faa87ea340244e930dd1e5

SHA512
b9e83aedabf9f100b436489b92baca892257c8418196514fcae10d988b9b2a7d0f3efd7bea4a61daf0d7802e44e830bd1132c537aae8b15cfbdac3d7ce92b058

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
399KB

MD5
7a882f16b0cb47d9e3878cbf8b5f1486

SHA1
d48e5f688010729eff3817da8c63c38f3e55bee4

SHA256
cef2088e68ed87751272afe4d21c96b006fff83af96460ed0348c6639334ad75

SHA512
76374a68f414a990113324c6c2d83502f8dfb2a7f87b5d32e1ec592d19466905c64bc2e9310ac9cf41f052b1ec5a57428dcd75a381ddee0bcb936dbb0bcef0c8

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
399KB

MD5
d40734586b5840f546ca88a8379145da

SHA1
e3e4db5b46a9cb9717ad26903ea1d7acf10ce5ae

SHA256
4d8fa6b91003fc1ce1249bdcb3bfade26db2d679bbdef992d1f3e1a99a041eba

SHA512
556275d34fc8d90bf1e91ab81045da9e0ed922b2fb06ae5aaad368d23bdfe513b23c075dbdb21ea79f33eb4654a3fbe327e1aa69e0d3148f34a468488efa7546

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
399KB

MD5
e9f557084681fc3f8ee4d13c87afe107

SHA1
a38338c6e85d295860b9af4a26767c2398ee8c65

SHA256
c04fe5c7fd3bdda6e4f20fbc6031d698753148fd9189a1afb666633c0dd13175

SHA512
95b0cb72dda50c73d379d4234fb46407c37901e7ff0278cc6ccdcd2bd318623e7e6b015238a5d02d5f6dd98c3d2167297f07190565f9a16dabe70a9c1ade329a

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
399KB

MD5
2e4500fd9e9fa309b28a79eb771c5859

SHA1
6c56e850eece6b395d7272fbeb09b563d4403b2a

SHA256
eac1dc150c2585930626d3cd305ec3c61d24293828f96f774f60aa595904456f

SHA512
dd191524ef1e6c0621c9adc90aa3d0b5ec97d52655d41c2d9b1358a4fedbd2a205badffcc9d62479163f58cb3607a727aca33106e305fbe735a96bf2b31f1654

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
399KB

MD5
7c537c1fe060ec3e6eb98f5dbe8b31dd

SHA1
ce4553f022c61f8c8a5453e8353e33f2fd12f9a2

SHA256
e726e14314eb53197c6449c7cdf711bed2a9dd40a78400766fafac7547b8a221

SHA512
7bc919c6d99c92ff76c61399c152451496b3b121dfe57ed4664aadd4e4f8638f74da7c3cfb3fa6a8fa10e7a83604f8b98183cad92209b40c97d7710a66132bd3

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
399KB

MD5
5747e552029ecc0ed3e29aa63bd008ac

SHA1
2e9f5cf75a4ae485ec9a90eea49aa0f8f47ab1e0

SHA256
99969da57012ef858189373ef4551a63d988e48a84a9870c8d71450cae04fe9d

SHA512
5c290168e035612d7c6a5c78b90a875a66f870cc161b68e854f24094188632fc60e2aca637eda3d00bf37decbdb6acbf2ebc1d2cc81820f9d44b2c7f720b3174

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
399KB

MD5
d4ce372e0ae7f661bd2d531243eb5f0c

SHA1
07f8a6641ad3e67f9647843e61ebcabb07001dc2

SHA256
7e6288c7c82cb6d0dd01f5684bbf07ca12442f837a9333980e0108a85b6e3e8a

SHA512
58c350969261edc18d68b76ce17bb2b6b3fd69515422a2d60a7bd08ae3b2e6c51eec96ffe5caec6a3b11e5459221e02a7300465187659af4592e469ea3b7dbce

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
399KB

MD5
8029d1354f408d01a4705f44470cf5fc

SHA1
5f3a5f2bc1415495afbca26b2cd4ea60cdf41c62

SHA256
fb82ca09a4d10f0aaab7dbd3ad365f254e6684858d30bcf77856a2f1b8112957

SHA512
a7c7122437e8b649be8734ed4462f01a919910cefc7b6fcac36adb9441029be91662839f6aa13d8205a52af141e7456e883285cc4f1925eb17a49527030cd3e5

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
399KB

MD5
030141c272368472916a779968f96927

SHA1
e310de8ee02fb560e4e28ce166ccb73b51247cdb

SHA256
cb2cc14d0032119bf515b7e479ae8cbbd446c8d368e6fc6a6a276f35d1814693

SHA512
a0e5737a7a7c09c49008a8dc0385fe394cad8c63945c8dca8b60ada3fa403a1f31bf34b8207c0e091de6aa466cec1e883f844e6ea44758b286394fcac86f7115

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
399KB

MD5
9f17af79ccf81d4ea240a62c07ba64e8

SHA1
fb09f100d12b11c54d2829b2a6412bf5a05fec2b

SHA256
49b7d3076c18943d5e588e3880bc2eab2db7e35876a974a9e55f82d0c8bea573

SHA512
c5c45bdd9546e3f8c4088fac54dc38f30a3cf1c73ed3efe7b6c8e1d4110c26d78aa3975a42c74601239681ffaa05c0924689a1dac89a04dbe3ce02f9ccc3ac4e

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
399KB

MD5
ea80531c7e1ce964d3fd96a7c47b6fa5

SHA1
d97f7d3c3c457d0c310f096e729c916ed689623f

SHA256
c5a17bba3ba1aaaad4fefb859f965060a412322573024ae5f244b789b8632f8f

SHA512
8c1a3be678544bc2cc0d62628d1eccd74bffa236fac3d39097cfa244d857baf8e4276421b3ce3bc67eb0c0ddb6e506223a49fa26d1f3bec55f4c18ab9d84d11c

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
399KB

MD5
86796af670427f5f04278eec7c5b69a1

SHA1
117b341ca0bf1514e5103e3aaa62480d22262211

SHA256
19a8e2304ca9729fabe2181af5ad70a68caf0c4dfc19fd5a3cfaaaeb3fd5c9c3

SHA512
89caba7bcc19bd609f9f7dc331db78325e4085bf635a99c388a8e5e46f493f45a3f0f5dc49fec1c114f85ba18e5527adf4e98a24e9fd79dc6d21bd99af7ed8c2

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
399KB

MD5
588630297e9620fc25ac2edc4ed5f65c

SHA1
79663952a63af064f46fc4bad82eb6b255faed65

SHA256
bbb0d65d846f1f97d6b780c9554c8e6b1510900218173b5a8b4795aa8528a19c

SHA512
c013b9a607e74dfeb0fa93392d1b289d2aa7aef2d8ad3ba1a2f8ee04af8625ca9b564dc559405b75326c2623a242a1ef4fe23aa541bb0de39f5c900b2e05ba74

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
399KB

MD5
2f017b25fc20917a7b9191d078f14dfb

SHA1
33e56502d6a883c1a6e1dbf5e9db90cbd9e913f3

SHA256
9e67ba2e3cc6bcaf92a2f69c2e46c0ba5276ee78228753dfd5dfdc9eb1a319bb

SHA512
0db38b6b17d0b17099bd7fbe171a48c10625f1e68cc370f5de149ca9efb947b282c53b2a5be044aa93de980f109d6ac8f931db08d807fb56f1d7d66bd205d3a9

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
399KB

MD5
83c3b765e804e36c95e5c2cf8bf20b57

SHA1
1ab688b1ac8bccf8c2d53c805bf8182bc450c8ee

SHA256
21f7a5c6db13be7e6c793944ce3f41fc19f9deae83eaa589578fb2ec46362eb6

SHA512
40f683af3664b886d29fdf1320830354b74553344d89a29f2e59fa5568615f67160a7eedc809826798d3f14fd384a75c81e2bef27989da6a0ba4ed6fdb9094b1

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
399KB

MD5
44b85f0d748c9f0e426483b3fc0d56ec

SHA1
4980e587d26d0b81b607c28e50e65cfa43acc59f

SHA256
da5fadfca9b363e287a522943700b5011dec119fb22930a5d4a93ff8e6f5c2f5

SHA512
1f466717e28eba091b6e2dd73c2eff82c4853edf499eff41559ddaedea51b0e6c1ef9638bb54564e627984f87ec044e193698106f3bd2846f978c8a01a1ba233

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
399KB

MD5
a959d70e4558bb540a52b64ade8adae3

SHA1
e97f2635959de0942aeee6cf0a5a6c1427f83c3c

SHA256
043ae7e220d2998ea1ccb16e09824b4f9229ad8c3ddacf6472ace5f62b84a117

SHA512
877aada36c97eea029810e737f9f012eca8718dddf7ba4bc1197e07c70423fa5aea28825022e4c0a6af1835288351ed32f0a1a54ee67d8179e3f84441f2edb55

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
399KB

MD5
b5c2adebfed9d97928c5fce18547f476

SHA1
f2b2fba14edf9b6cdac446bdb04002b05ef71869

SHA256
58121cd42fd320436200ef63b862f9fed07b5055959e86fb9868fc5a4f8817c6

SHA512
0c57cf7b46379f5603ffda236ad1e34ef35783aacca1c9630f249787eb40c87a5748714637b0bc46431186fb08b30ab001f26f60a4340db0e19dee861042c7a1

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
399KB

MD5
acf406f11f0bc4f237bc503535374471

SHA1
46cb80f9f05ae48b1d9a9bd3d13f18b9484dcc22

SHA256
b2a56cf82afd42d710396ddda5456d8f81d8a017cf39ee14bfd7b74d79736c87

SHA512
270e52554b357952f0d33acf1946110100523d003a615b125e16e821ad567ebae2a5219af470b4316e295c34c0a12258c4ec8de7d8fb9adaef1c05ad5e7fca0c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
399KB

MD5
f883414174d1f026562968848dcabd20

SHA1
a372ad9b05137e1c55ba9a0a69699a699ab6d71b

SHA256
75ae7ab3506463398471807d06265122838f22f12729458b8c9c8d4fb9b85468

SHA512
4ab81b298468466a0f5ae742423cbb00af4c2003e51e32f1cc3cc545abfe355ef814dd05b8b08a0ad6b35f136d8e4e430ade60990ea731725a492ce3fe599b1f

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
399KB

MD5
ce9d5e90b51af34a607d45ec8d6d2fda

SHA1
be5c7bda988bac1e647881b250b065e3dfd88c9d

SHA256
f943e43cfb5e4a4f030049c62940d031715517263a5ec6089f9410a62b70f612

SHA512
3940bd0f5c250d1136414a55761534269b3f0365e262b6d6477068fd8dd8e34df31205057da1c03935e78406c6e96f3832833c3365fcea3811f8a552c594bee1

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
399KB

MD5
7bdeb9f3f832bd4f5c8f4939f17f6230

SHA1
bf9f590129f521a76dd821f66533286434ca53a0

SHA256
cded75c8bf8b5b26cb90553b913628dd1c989213bd23fe059eec5925e50b377d

SHA512
328d6a4ccd0890013571d92e6dbbd9b64c9a82b95f812b525b64dd30fc13df0dbdba5f62ac509141c77c100c3c1474e82d6c5502a1e6bf74ee9b791d7ecac3b4

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
399KB

MD5
55ac1d8ae2549d98856736a687e29192

SHA1
d79336540e1efbe329dcd217f07a5a6be3a1afa3

SHA256
42ca27416f67799e8cc09e32afdf4567bd70107b479d596d60981be20842722e

SHA512
c0f0bb607648f50be5847d2cb9c1aee115b509d2a7d8565e6fd68d00460c53d933744e1c2ea24404425e0c78f6882c66127665ffef929712bc5ed6f38784ebc8

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
399KB

MD5
57b749d385277c21a6001205d20b47f2

SHA1
2a2f74303925ea6fca89a4b1b5210dc88e8f3e76

SHA256
0af8ed0ae30baa57068e572fc24ddeb95604f4357a3b5fefd7ba01fc004d3c5b

SHA512
908f8f0fe7a5aa42752af69015bc0db691ff1b359f988937e3df353022d5ad6fabf9359e72721759f28f5e0b9d304503d679107a309307b13c8f6a0dfa9e3eda

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
399KB

MD5
3e71bef89bfbbd0c357b9b0f1b336504

SHA1
010f68b228cd36c1b0fb82728109586ac07a6b96

SHA256
d7a1266729ac188280d94bcfb191958aac6b1b63ef2155587b16f86bb55559fc

SHA512
56a6186f574314f9c6da8c4ebe7e21c8587f7a188ae5ee3809d709a1315c62174c189adcc00021c3bdb8ea68ad7b55ca9852d30fba9160025b1e8f1ba7026959

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
399KB

MD5
4aa6404bc2d6a2a4f4fb928632c121f0

SHA1
01228c3faa8d8988a82e67c3f9ad57de53322435

SHA256
d62223342ac990b2bdd43d170aa9a7203be0ff1d225d5ffa82bcc94689513f59

SHA512
4c6350c8bc50e22dff32eb9a9aa581ecad2503c3af3ffb1846bd3a9946309b3122d0cb119e351b3486a1ad8794a99228f58138328c5b89f9282a5bd5b9f21c43

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
399KB

MD5
013ef84cbac73f16081edbbb46f948fd

SHA1
0d7edef95c9cc30708e77ad4fb93a0e75c46866d

SHA256
3ed96f3b5632c4532d4d0e7126c3617322dbf38cae8e3ebd5006a4258c9f10fe

SHA512
10aaf0aa472b4b07ad8467908a116f825541b52a2916a354b428ecd4f4a42e18c0c126028cbdf346fde49342f86047e34762f6b661ae724dfd30aed94c5e9cc0

Download Submit
memory/348-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2328-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-618-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads