291ab258ba199d03dee712f95c06e1d5e74d9c6cfdd287af386af5e07cd692f0

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

327a16c46eda34738f721312684f68c0N.exe
Size

352KB
MD5

327a16c46eda34738f721312684f68c0
SHA1

0c5dad33e228f34a028b99c41650b918959894f5
SHA256

291ab258ba199d03dee712f95c06e1d5e74d9c6cfdd287af386af5e07cd692f0
SHA512

a1308017507ce2f5c57eb66c61d063fae4d62a18a9926bf5f222765ab0da7146cd12aef7ce458c4795f18446997d4e346d7d992c63ea72b69a2c1e690d8a8480
SSDEEP

6144:2e40pOrfRsNrw7KIbLoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxz:P4LrGLIA6t3XGCByvNv54B9f01ZmHByD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe

Executes dropped EXE 64 IoCs

pid	Process
2652	Nebdoa32.exe
1616	Ndcdmikd.exe
4180	Neeqea32.exe
4236	Npjebj32.exe
2276	Njciko32.exe
1780	Ndhmhh32.exe
4952	Nckndeni.exe
5048	Nnqbanmo.exe
1880	Ogifjcdp.exe
2536	Olfobjbg.exe
3212	Odmgcgbi.exe
1028	Oneklm32.exe
3504	Opdghh32.exe
372	Onhhamgg.exe
1288	Oqfdnhfk.exe
1172	Ocdqjceo.exe
4092	Ofcmfodb.exe
3324	Onjegled.exe
3884	Oqhacgdh.exe
4520	Ocgmpccl.exe
4464	Ofeilobp.exe
2532	Ojaelm32.exe
2236	Pmoahijl.exe
5104	Pdfjifjo.exe
2492	Pcijeb32.exe
4460	Pgefeajb.exe
3896	Pjcbbmif.exe
220	Pnonbk32.exe
4436	Pmannhhj.exe
4352	Pqmjog32.exe
1608	Pclgkb32.exe
4508	Pggbkagp.exe
4312	Pfjcgn32.exe
1332	Pjeoglgc.exe
2964	Pmdkch32.exe
1396	Pqpgdfnp.exe
3132	Pdkcde32.exe
388	Pcncpbmd.exe
1220	Pmfhig32.exe
744	Qjoankoi.exe
4800	Qqijje32.exe
1976	Qcgffqei.exe
2752	Ajanck32.exe
3104	Ampkof32.exe
2252	Adgbpc32.exe
2892	Ageolo32.exe
3900	Ajckij32.exe
968	Anogiicl.exe
2244	Aqncedbp.exe
4504	Agglboim.exe
4696	Ajfhnjhq.exe
4844	Aeklkchg.exe
3452	Agjhgngj.exe
4380	Ajhddjfn.exe
2808	Andqdh32.exe
2140	Aabmqd32.exe
516	Acqimo32.exe
1380	Afoeiklb.exe
2804	Anfmjhmd.exe
3932	Aepefb32.exe
1720	Accfbokl.exe
2332	Bjmnoi32.exe
3940	Bmkjkd32.exe
4360	Bebblb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	327a16c46eda34738f721312684f68c0N.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ofeilobp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5272	5124	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	327a16c46eda34738f721312684f68c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	327a16c46eda34738f721312684f68c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2652	2312	327a16c46eda34738f721312684f68c0N.exe	83
PID 2312 wrote to memory of 2652	2312	327a16c46eda34738f721312684f68c0N.exe	83
PID 2312 wrote to memory of 2652	2312	327a16c46eda34738f721312684f68c0N.exe	83
PID 2652 wrote to memory of 1616	2652	Nebdoa32.exe	84
PID 2652 wrote to memory of 1616	2652	Nebdoa32.exe	84
PID 2652 wrote to memory of 1616	2652	Nebdoa32.exe	84
PID 1616 wrote to memory of 4180	1616	Ndcdmikd.exe	85
PID 1616 wrote to memory of 4180	1616	Ndcdmikd.exe	85
PID 1616 wrote to memory of 4180	1616	Ndcdmikd.exe	85
PID 4180 wrote to memory of 4236	4180	Neeqea32.exe	87
PID 4180 wrote to memory of 4236	4180	Neeqea32.exe	87
PID 4180 wrote to memory of 4236	4180	Neeqea32.exe	87
PID 4236 wrote to memory of 2276	4236	Npjebj32.exe	88
PID 4236 wrote to memory of 2276	4236	Npjebj32.exe	88
PID 4236 wrote to memory of 2276	4236	Npjebj32.exe	88
PID 2276 wrote to memory of 1780	2276	Njciko32.exe	90
PID 2276 wrote to memory of 1780	2276	Njciko32.exe	90
PID 2276 wrote to memory of 1780	2276	Njciko32.exe	90
PID 1780 wrote to memory of 4952	1780	Ndhmhh32.exe	91
PID 1780 wrote to memory of 4952	1780	Ndhmhh32.exe	91
PID 1780 wrote to memory of 4952	1780	Ndhmhh32.exe	91
PID 4952 wrote to memory of 5048	4952	Nckndeni.exe	92
PID 4952 wrote to memory of 5048	4952	Nckndeni.exe	92
PID 4952 wrote to memory of 5048	4952	Nckndeni.exe	92
PID 5048 wrote to memory of 1880	5048	Nnqbanmo.exe	93
PID 5048 wrote to memory of 1880	5048	Nnqbanmo.exe	93
PID 5048 wrote to memory of 1880	5048	Nnqbanmo.exe	93
PID 1880 wrote to memory of 2536	1880	Ogifjcdp.exe	94
PID 1880 wrote to memory of 2536	1880	Ogifjcdp.exe	94
PID 1880 wrote to memory of 2536	1880	Ogifjcdp.exe	94
PID 2536 wrote to memory of 3212	2536	Olfobjbg.exe	96
PID 2536 wrote to memory of 3212	2536	Olfobjbg.exe	96
PID 2536 wrote to memory of 3212	2536	Olfobjbg.exe	96
PID 3212 wrote to memory of 1028	3212	Odmgcgbi.exe	97
PID 3212 wrote to memory of 1028	3212	Odmgcgbi.exe	97
PID 3212 wrote to memory of 1028	3212	Odmgcgbi.exe	97
PID 1028 wrote to memory of 3504	1028	Oneklm32.exe	98
PID 1028 wrote to memory of 3504	1028	Oneklm32.exe	98
PID 1028 wrote to memory of 3504	1028	Oneklm32.exe	98
PID 3504 wrote to memory of 372	3504	Opdghh32.exe	99
PID 3504 wrote to memory of 372	3504	Opdghh32.exe	99
PID 3504 wrote to memory of 372	3504	Opdghh32.exe	99
PID 372 wrote to memory of 1288	372	Onhhamgg.exe	100
PID 372 wrote to memory of 1288	372	Onhhamgg.exe	100
PID 372 wrote to memory of 1288	372	Onhhamgg.exe	100
PID 1288 wrote to memory of 1172	1288	Oqfdnhfk.exe	101
PID 1288 wrote to memory of 1172	1288	Oqfdnhfk.exe	101
PID 1288 wrote to memory of 1172	1288	Oqfdnhfk.exe	101
PID 1172 wrote to memory of 4092	1172	Ocdqjceo.exe	102
PID 1172 wrote to memory of 4092	1172	Ocdqjceo.exe	102
PID 1172 wrote to memory of 4092	1172	Ocdqjceo.exe	102
PID 4092 wrote to memory of 3324	4092	Ofcmfodb.exe	103
PID 4092 wrote to memory of 3324	4092	Ofcmfodb.exe	103
PID 4092 wrote to memory of 3324	4092	Ofcmfodb.exe	103
PID 3324 wrote to memory of 3884	3324	Onjegled.exe	104
PID 3324 wrote to memory of 3884	3324	Onjegled.exe	104
PID 3324 wrote to memory of 3884	3324	Onjegled.exe	104
PID 3884 wrote to memory of 4520	3884	Oqhacgdh.exe	105
PID 3884 wrote to memory of 4520	3884	Oqhacgdh.exe	105
PID 3884 wrote to memory of 4520	3884	Oqhacgdh.exe	105
PID 4520 wrote to memory of 4464	4520	Ocgmpccl.exe	106
PID 4520 wrote to memory of 4464	4520	Ocgmpccl.exe	106
PID 4520 wrote to memory of 4464	4520	Ocgmpccl.exe	106
PID 4464 wrote to memory of 2532	4464	Ofeilobp.exe	107

C:\Users\Admin\AppData\Local\Temp\327a16c46eda34738f721312684f68c0N.exe
"C:\Users\Admin\AppData\Local\Temp\327a16c46eda34738f721312684f68c0N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Nebdoa32.exe
  C:\Windows\system32\Nebdoa32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\Ndcdmikd.exe
    C:\Windows\system32\Ndcdmikd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\Neeqea32.exe
      C:\Windows\system32\Neeqea32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        25⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        34⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        42⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        44⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        47⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        57⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        62⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3312
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        74⤵
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        76⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        82⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        83⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        96⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        101⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 416
        113⤵
        Program crash
        
        PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5124 -ip 5124
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
352KB

MD5
bfbab4f7f5d744cad863a574ab71a4e5

SHA1
48937d8a420f6735ac2dd7987b03a08aa5035430

SHA256
6fed691567df24f6fea7b6852e41b95c70cd33af4cdfd9c62e678151c73ca52b

SHA512
764d5ebe66b508975986644ce62ab3890762cb9800eec51bf8f72c1ea0e1f3af6fcd3d1fdbfc0b2a6b5a4508865638a04bf7941b71cae8d8a3bddfa8811845dc

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
352KB

MD5
596094b177a9863162a71efa25587eba

SHA1
736e1e67631c4b7ab9ad20a9ab334602be07376f

SHA256
78b0b3460296e6fd6240a584f428712affa386853cb3bfc925e3d3dd0845e9a6

SHA512
e7ab94b93078286c2330fe260f37865958d5f0b6dca97496f35d38f300beb77434306775ae55eac97fd12f486c176bcb2395f402629b7342c1f48bddc1c4f3f5

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
352KB

MD5
5c4eac2757af5b8474dbf6a408ca6416

SHA1
9c725b9aab93995005be7f24a57bac89cbc56527

SHA256
bbb45f14b1ec83171c6fe8175cbb3e3f09637295b7c174c645759ee3cfcb9e42

SHA512
bf0fc6130a68fa4ed60c5718b78bfe2585a69e45f25f0f943dfaf0bb5165d39d1ac0282a3a6ad45985f6c521e3b8af9a4627682c5d2b540dc50db367202e8574

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
352KB

MD5
0c8b024e1a542a43daf9cd643920bcc1

SHA1
f0e475b046f238a0e3b8607419709ac3c3813659

SHA256
ed6928fc384f0f905f52ef2c5eb0a703cc0cd703ade0ca9a911d6f99b4f01e8c

SHA512
fd809b71c18a3a3163767c6b7957157d74a7be437addaa4ad99ae7e20c10307174e7725bb931e1bb4b5e650672f53c98c26eb593fa96eda5a15fc08dd386e1e3

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
352KB

MD5
df067a01db40ac5a9e8779364068a1fc

SHA1
74972a8755b98d87616af022297b42314be32a52

SHA256
a895f07a87a677e644943aec5625bb8266113bd491193dfa7d8a8e23e5789219

SHA512
b1da08e6d4493d45d7c3b72c9d6d51a1b7ea9600337579121366586b36845bf9ca9baa6020487b95bc69658caa338d4b8bff7406ea8d073df78418f3b1131d77

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
352KB

MD5
ad7b0fdd11e6bbec478cd9b39b99f3c1

SHA1
9a355a847c8155e4853044b84dfdc5ccca51c453

SHA256
71f40c1d7d0923924be52958396ed6a7db1f421ddb55840fce74b69c9ad58928

SHA512
a873d6a4f3478db26699c753c9635819395b7e6abe4ab69225d5d5a65430a8728e874e0b85ef5040c047cc66f9ad7dd5246b38f03cb79dc44c39d4d0cfc79bf5

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
352KB

MD5
f4f1e7c814d21893186bbf742c0e07d7

SHA1
32b6f44f6f262ac8a33b41a87e371c69156411a8

SHA256
e85fe7d3a63d8e99540d6d3cd09b2fe77fdcef53bb0632f41a3a89012d74c68d

SHA512
f7a3000b80a580a329d03078acc397a28db813cb9c371c48c729157f2a654f6840c0d951f6bcf0c3fc34079a4ac4e4e28ada370a74aa8fe4e3d6a67747a1518e

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
352KB

MD5
218be7b0a4f23fb02fc3af8b92cfe30b

SHA1
84eac93c3a9630a2df53fca2587f48059ff7fc39

SHA256
4c6107275e9cc745b4339ffa595fac9b25627ff16936aa292b0ddddc75a78b9f

SHA512
4c376989379ae395c47ddf1a83c2bad48fd0200f2d32905327fa8eb4ee5f260ec4c1af59973271d369cf0793264355486803a27782db2608f7ea0e277d74f177

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
352KB

MD5
969b563a5e17e1baeed9f8bd440ab83d

SHA1
a41fe117a2bdf8d7676cfb91c65e64e0591dd067

SHA256
8748e425b017f9e3e490a62da7a7d783a95cedf2d771db8f3bddf4ec80d6579d

SHA512
7aace669b1bff33f7d29ade888751877c0dfdd9f952a4c552ee3340c1b3bdf3497fd02328a6566f081ddfc97090d82893f32167cb0cfaa69dc85136d426c557c

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
352KB

MD5
fa50e2cf41ff6d79f0bbaae231630737

SHA1
f14152ac031d6918ec789574c16291ca44d920a8

SHA256
bf8f8c49b42cf4fd032e772486bc3782acd81bac4f02f7e9831c8fbf28568c10

SHA512
a026b77eacf8c5547e1e4e5f148f972197f71629da4ce8f27bba67d1e0bf6024a7a170bdba68e824fda9d52b806d43cac6d88b917c9351e208f4355f17583359

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
352KB

MD5
d0b226da454e6ae58a9278ef5aecec52

SHA1
9fdae4c71d73d9d51659853672e9f14da8619cb5

SHA256
556f567880ce025f5c9df7570be41930a305ef6146fa92884497edfa2a97b23d

SHA512
0e1d8a5c9c03e752e6e9bc8437ba830def387aaad53f9d38364a64f5de6429a429b551d1385aa7a288f3958408f612eccde582b57065b1c1fc40b8bc82132abd

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
352KB

MD5
e34f3a08940683db9c22c09101d56f3b

SHA1
af756ee8107d085323064adb3521e88679da8cb4

SHA256
09d18aa40137281093a1c55a96b45e0325313a1ca55dc046d63b4a9ad30345f5

SHA512
d78a250573ab2ae33d825a258097e3ab868ccbab06ef2fcbde29b359dc4876ad4f3f2da45478144a85c5135a7562bb0a9186bc74bf3be1faff0ec825a816eef5

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
352KB

MD5
cb49d1d40b1ffab27514c350feb306d0

SHA1
1d75ff37c583801b0aa9bc109de87788bf6a67c7

SHA256
8934633c470f6e1bbf112ee44fa967f55497f67e75c358ae5c00f924fb963358

SHA512
21a49cffe45fc57def9a3898e939004d74cc5d884d79e2acb434bae7492fbfa66cab3641f873d491f4e813c67533b83cb2f0ef9f9db2ce2ffe493fd5feac242f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
352KB

MD5
0c728a0b8a3bf08e5563ed403287adb7

SHA1
7b49f2591d5068c4f2e5c915b164b86e75e63ac9

SHA256
63eadaf68384de47753b09f13f2759c67f2b0b465b0fee46bf824f64654fd8fb

SHA512
5bb8d56ce4c7e301a2cd71e77b1eb8f3986b0faa266e65ab0fd44e42cd144b72459f35e792edd581277b91b679110d5e49eba942d46afd61ae6f5a848964c9df

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
352KB

MD5
c0673133c430cbcad57b7dba2eee1d86

SHA1
fd2b8f0321134461bc550652cbaffb3f61b26b11

SHA256
d4a150aa22d889ae2cfa16c94d88e89ce42ae222e8fb6311eb62abeb7abebe0f

SHA512
e16a994e5414e7134ad189609d54dbcd90d54ece4f1e48941dbad6a3786df874dbaea11dfee2412e79328edec6b3b8e8a4c77faa3e1366b9cd3f7baf585a92cf

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
352KB

MD5
86a5c050aead1872a7b664768bc39959

SHA1
6a8ac88127ee5cbb2681047f0a8d6514adc6b8ef

SHA256
0beca44ccd30596338e3c1d12bf6cc59b320345ecd5bd413cf6f2139ff69ba2d

SHA512
f8465961ba42f40710b1ce9a9c9289bf5ac461250e0f44c691fe4f64b5e555479640cc0e15e6cbea4da5fc23a85fa207d6f3c1e76e4ae31d5180470ecb0e611e

Download Submit
C:\Windows\SysWOW64\Ocljjj32.dll

Filesize
7KB

MD5
89f1508a6c4fba8fbcb272582f0d7b7c

SHA1
e1c72721aa81bf97fff87e8c730bd9f673391352

SHA256
07b67978d0d83c1ea84971798574b0830d5849d2c2d4a2c3279ce45e2da6c225

SHA512
e4adf066bd23fbc897a0a4d3449bc1601036a30dacaeebae4cf6128e143267432b4666268a16e79646590774eafade58c7580f05bd462608586676eca91459e1

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
352KB

MD5
117ba809351d9a9609f5621f8c0fed0d

SHA1
5834050dc7231a7bc2a70e2d5d94b0dff3ee2aff

SHA256
bb485e76f1adb20d41e57c5f376cee8140e63cd29f817c9feff54150f7a3f024

SHA512
b8cb752e3e6d47af132ef5859cbcdfc22aa8b0dc6bd673502c86c040d68d88901af75b3d061879b28b6377fc75d94e712af972b9062da448a44cef333142080f

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
352KB

MD5
f801949e0871e19aae3c4a7b360fa6a2

SHA1
e70b9e3f37f83d25ab20ab6e83e2dc6ba11c2dcc

SHA256
65f20f037acbad76d209264c27881f21a6530180e0ae6dde30b950bf12a508ae

SHA512
e9304a36fa21ae924d74697daefee9c3ebe9979dd14c3f0dfbb772f780b0814ecef855abd9f911c564d31b6e869e4f3baaa9e07809db3bd7529e16244a7bb880

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
352KB

MD5
bb90e7f5aefd450cf00194ab00c3150c

SHA1
5684147c6b7d58b71a1c49d5f3df1ac350db2ac5

SHA256
10f2904c59c031946427da8c1cf3d16f59d8c510bf8ce394f9766fb070d1a076

SHA512
00a32432345a78d2242a444c7aff0e7c209b2a0c016d000ba4cd66f33adbd7b1d15c2ec2ae6a35917c553cd470eb67dffb4846963e0d3742f6aedf5361ac0293

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
352KB

MD5
53f4b3da4e3f470728f9daf62390a281

SHA1
b54d631dc0f370ef278071aff48ba5e67828aeac

SHA256
a913e68e9ca9d53fba74390e55301d5ac06bb31fb11ebe340c8947c47217e84c

SHA512
a193e3b3c79eeb739d8c88bb6525960da422e1a40f27583790fdc5816e1a9cd16cbfbfa693b78bcf7ed55f5ca1fbc027be07b28103369e34a2891acf864d7132

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
352KB

MD5
95b77a449c725eacf75552bff0368955

SHA1
0ed225f1127db5927156c0dcb7c59f2be8453f11

SHA256
d7e6dd76e433c2083dd796a778b6435a790256a7d7c7ef8a6c10c5509d284ba5

SHA512
456436c00a602446d6a01f2fe2a86d62182b358a03f05b3fb601802931f60c2dbb2caf81b299b7baeb6c0a16e9b197eacdc7a486d7b348a49c3524ebc7b2c3f2

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
352KB

MD5
c58d520e83169466bf2f4b1501d13728

SHA1
f83a95a975d163399dc933e0753053eda516e737

SHA256
b19d19defc493e9c8b8488a9244b0e2c168b5cebdec2f6a4072a82b2060f3cd7

SHA512
59805e26fd8e2e4fed4dbf47b3f3551ea086e1d41f00fcd7f85a1a872a4e9910401e0576b88288da2f1235d115347d964646255b781a3485b8d448fe09e184ec

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
352KB

MD5
fe2e29f787f882e377f7b68b221ed553

SHA1
b50ce49513b6de02ab6a190258835804d0ae4564

SHA256
ae4fed91c6f6f66478af4cf0f4e85c9d7ffe9920fc40e42ade3a7a68d7faebc1

SHA512
bd9623e3a046d0fb04d7ebf2fd27c31e01143d2bd59ee35dc9fc1966c19f9e630e6e30e5a4069fb39f9a2f8d052090675af9e475988220eb7e6a7544d230b4ad

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
352KB

MD5
7d00a4c199c741b1537d3666e223ba90

SHA1
d5ca0ea0cb7f3e2581c13431997ed88bb1e1219a

SHA256
b44befa0febf4b3cc262a02dffccf259d3f8207c28da3bf8d746242b3d63816b

SHA512
9be67a70071b1e9a58e21c402b1db5a82fe4852057a94be5e674a4e80d96412ecb2489489589e1189a6d75e8b3ef3cca2892289b60bb36b5f14f47c7a00ee2bd

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
352KB

MD5
7ebb9a7013cf607c03b1ff6415edc6b5

SHA1
ff7eafc1d20bb614adaf881a79707a687355e49a

SHA256
42a9027bb6604f42ff18ef057e0306be711be1d23bd97ed9d84dc5bd9fc34949

SHA512
1cbca015f90b83054e04156c168bc49450a56659cd648af673f0ebcee842db1a9eadaa1dfbe4c03e6ac221a434dd5ba2dce41ba1bdc99e521ca211766e38c6df

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
352KB

MD5
75459516155c3eff198d9bcff77f2aa4

SHA1
a84d8de29e2e686cd90263155440368a7eb43737

SHA256
9575a20b36ee1de472801a2f0a1af526a558553511bc0ad88bf1ab71c5e041a9

SHA512
1c476c8b8d13f3e3fee9f3a66ef31e0720e6909056b49e2504324ef6f233ab73f2dfea63ed46411c87c3ac9007c37f536620933a33828ae01373a06213e12856

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
352KB

MD5
a5c906d9553502e317723f08a0671252

SHA1
f5d7479ee3f0c9bbd714f23115a9234cc8a36901

SHA256
dde64aee4fdf90f58bbd18e2aada451e6747db9e86277935948db7855f12e70d

SHA512
a109bb51900dda9eb8355c6b27bb3f83c157fd9c04f49470bc4eaf324d7fd1b557530943ef75dad035713f5dadef321605c8be9de7b5f39f5322b079cc23cd92

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
352KB

MD5
d9e50509a4a3ce7a4fbb78a84678ced7

SHA1
c4fbc158cc18712cbdf4958a050fa1833d5be22c

SHA256
7df2d18faf6fc50b6b3046bcc01cf446b1e24d04e0cf48547abdc5cde66c777b

SHA512
afbe74ba6942f3c101202fa482fbf9c33e61eedbf2b2b6d4d5173cb41b087b476a883966ee7457e268010b68647cd95d1556100d7ebd46d5d5f4616cb532cad3

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
352KB

MD5
be7ce64ec01d057c452fe06be30de694

SHA1
b8f2f1d65a3bc52f4863f9f1850fe33d983ea48a

SHA256
a57040e21accb4f3b4172528a98a7156763eab9c7697014887a1565ce8640442

SHA512
802720fc8614beb56967577fc4ba428b06e74632981bffd82d08e20c724fb5f0513b68fe21acb38dec84dc568908097c318fbacbc9d31e2fa0232231e12c9ae6

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
352KB

MD5
61d1aa5b222c7ed1d1b6f723cdb9b66a

SHA1
f70317c64b8a0967361e32d1c507e951c7ecf7b2

SHA256
70864be70bb71cbf83565941c5f588e3fb53fcf1bc38273b71002007b3819a0e

SHA512
89ba68ea447301619d8d5923e55b7b2b461328db96a2216a7f231156a8331ea8674b1910662d44147d78f74ac7e9ab67c21e640df92d3ce7fc0e0c6779ca8ec8

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
352KB

MD5
e6045deb7c7a4382b7e6a7d8a0dcf16f

SHA1
d14783da7e1935263fd4a67b7b18ff7d5abc3ef2

SHA256
26f2c8f079e0df8eae57f5f91f2ddda4c06f5200a2ecff1bd23c61d5ed28a97c

SHA512
7343d4315911fa6c24d03e2ec59d3955b7be62c92fc88d5743a75c506b2bb941c65ed170159f43417e27b7848c864ffa254ff6d4773d04e6943fc868d112143a

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
352KB

MD5
2bf24b330adfed5c196cebf61e876ff0

SHA1
94c89820ca67f6ec2db117f602d9767bbf608efe

SHA256
d2cdd9e7684d01ce82d0d48e99c83088732c534b0b199ba721ec2f9a1bee4f76

SHA512
c812e7e594c4dda7bfebe7e61f7cba8a641cebce8cb2a6152ea644e6e46d49b69ece06bb547aeae637e84c1a8e2f27b6cef322e3bc5c27f6cc592581ea2e9249

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
352KB

MD5
07fa22d7704698df1a4cc25f317261f3

SHA1
0866d2bbe8c86f02a41c3c83844428a5cc138e0e

SHA256
628284f11d5750d2707f843e00cbfece5a6d4d90a2e5ad81bac2662679de5307

SHA512
c83d33136b5ba011e6151bc4f72d7af72d07b8366d8d8eb3c93bddfddb96de14f62c7d434a6bc7678f8c7a8f2d4b7f1d91f809d99f41c560d206d869dd39e488

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
352KB

MD5
af0a0b3e90f7fbf9a71ca3656e7d6117

SHA1
6b481741dea78f4f6df1154106fa9d4e1f77e973

SHA256
57c7453a7a0bc73c8089e6726c0537fae7307172c25be1d2e3f6ffff0deb5b22

SHA512
fc37609933523fc5577f66876255f3f9831f63e2172e1bfd00281ffe1327cad51157cd189b602fc515071362cba995534674ae227f87ca6e8cc7687a60552c46

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
352KB

MD5
927c1b3f2fa444a7c62f4718e670df61

SHA1
061b7aa72b8c5804decb1c3b7700f0494248b57c

SHA256
587085ee7d307cd52c9c1042452b3df581f03156bd72076f6330c072a9d8f10b

SHA512
68707901a660411dde4a3a6e8dbeba5007987b2694e7cee71dc431e64463efa7c60aa1e4f8cec2096594bb291918d4f5f7bd427a726ef25f0730cdaef7f21b33

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
352KB

MD5
4845b34d835e8f17bf4783eabe662f17

SHA1
0785b5755364dfdceff22cdb582f2c48c90cd598

SHA256
7ca942063a92878e78da05324154c1b861220390188ac5ab47bd925aeac2358d

SHA512
42c547fff94f1620664802919e8b6e7f5d30ce0b4f395322dcabb2588eecd9945da5c7b908c58ae31ef8cd62915ea528b883305eccc637d90d100500643a1704

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
352KB

MD5
ab21ea875609f974f4ee1aca1e474f4d

SHA1
13d72abe4a637c4e1ce26cceb0f9c1ceb5e26a49

SHA256
780d629c036abd17394fa1d07dbbbf0553c239563412d5100804ba5ca1a1232a

SHA512
8d5a6885c1b4547175e59a7328c04bab6a6a4865605d762d786450c643a68bc8a3ff214c7f4decbca0c8a6e7e4ce19c7f6760938ad14ea4e895288dc7ea7fb90

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
352KB

MD5
5e84c64c6b351f1c67d6d3c7f40bbcb2

SHA1
33ce5a0399cccf80a7f79d28962e7cea0ffa9587

SHA256
170c3d2784efecfc6ac3fc2a9b3db8da7e73891eefd9356e3db44478a628ca6d

SHA512
99e78601c8b73304f6cb01e23448fd0a34b9d427eb6e3c6ad41b60d8de32c231dbdd06331bc41e8e1fe73cb6b6e583f28e9a491bce48028ed6b1d405ca31272f

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
352KB

MD5
b2821019bf78790c4f7bbd7955579121

SHA1
7833b66907f7903fccbb818891ccb264e30b9761

SHA256
488ee7204297cdfbcd3a38ae6a51649630831cd6eda68a40f6746222b1ad8206

SHA512
4d66406f306088a2325d69c4ff1f12d8486110798dd3f23d60b30df99b55456f27de9b68c70d4a64ae30074ad5c5a256c1e7f9ddef7e24a2734222d9936785f3

Download Submit
memory/220-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/372-111-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/388-296-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/516-409-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/744-304-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/816-514-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/872-478-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/968-356-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1028-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1056-454-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1172-128-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1220-298-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1288-124-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1332-273-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1380-416-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1396-285-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1608-253-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1616-558-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1616-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1720-430-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1724-508-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-586-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1880-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1892-552-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1976-316-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2140-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2236-188-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2244-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2252-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2276-579-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2276-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2312-544-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2312-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2332-436-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2396-562-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2440-580-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2452-532-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2492-204-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2532-180-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2536-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2652-551-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2652-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2752-322-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2804-418-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2808-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2892-340-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2920-587-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2964-279-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3100-573-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3104-328-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3132-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3184-466-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3212-87-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3312-490-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3324-144-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3452-382-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3464-594-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3504-103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3568-542-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3788-472-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3836-496-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3844-526-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3884-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3896-221-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3900-346-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3932-424-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3940-442-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4092-140-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4180-565-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4180-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4236-32-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4236-572-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4312-266-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4332-566-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4352-244-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4360-448-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4380-388-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4396-502-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4436-237-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4460-212-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4464-168-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4504-364-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4508-260-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4520-165-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4524-520-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4696-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4760-484-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-310-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4808-460-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4844-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4952-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4952-593-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5048-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5092-545-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5104-197-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads