f7619bc833531a37f67bc86f99569d4e7317882a56aab40d57e963f7b617180f

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45258e84a3333c2e89cebc19cc5f6d80N.exe
Size

128KB
MD5

45258e84a3333c2e89cebc19cc5f6d80
SHA1

26e366c83ed7b08f7e4516b6907cd33ef2997bae
SHA256

f7619bc833531a37f67bc86f99569d4e7317882a56aab40d57e963f7b617180f
SHA512

d5edbf0afc13f8f95ad63dd3463a8b33cb2700c06f53135625842845ed8830d58066812132840e9fdcbbe522ceedbc984df58566ed384c29a7abea267ca8b122
SSDEEP

1536:yUGYczdrm73LVp42GL4PjZT6YahQ/WydP7RQDbRfRa9HprmRfRJCLIXG:EYirmbLVO27bZuYkyheDb5wkpHxG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe

Executes dropped EXE 64 IoCs

pid	Process
2904	Ngpccdlj.exe
3544	Nnjlpo32.exe
1972	Ndcdmikd.exe
2584	Ngbpidjh.exe
3508	Njqmepik.exe
2884	Npjebj32.exe
2116	Ngdmod32.exe
4268	Njciko32.exe
1208	Npmagine.exe
2016	Nckndeni.exe
860	Njefqo32.exe
1224	Olcbmj32.exe
1220	Ocnjidkf.exe
3504	Ogifjcdp.exe
1456	Oncofm32.exe
4688	Olfobjbg.exe
3172	Opakbi32.exe
396	Ogkcpbam.exe
1476	Oneklm32.exe
4368	Olhlhjpd.exe
2132	Odocigqg.exe
3536	Ocbddc32.exe
1120	Ognpebpj.exe
3940	Olkhmi32.exe
4564	Oqfdnhfk.exe
4596	Ogpmjb32.exe
4612	Ojoign32.exe
3140	Oqhacgdh.exe
2032	Ogbipa32.exe
3276	Ofeilobp.exe
2652	Pmoahijl.exe
3332	Pdfjifjo.exe
3264	Pfhfan32.exe
5036	Pnonbk32.exe
1780	Pdifoehl.exe
4752	Pggbkagp.exe
4420	Pnakhkol.exe
4496	Pdkcde32.exe
1400	Pgioqq32.exe
2128	Pjhlml32.exe
4904	Pmfhig32.exe
4708	Pqbdjfln.exe
1452	Pcppfaka.exe
4896	Pjjhbl32.exe
4076	Pmidog32.exe
2252	Pcbmka32.exe
2952	Pfaigm32.exe
3024	Qnhahj32.exe
2912	Qqfmde32.exe
1144	Qgqeappe.exe
3820	Qfcfml32.exe
4524	Qmmnjfnl.exe
2972	Qddfkd32.exe
3896	Qffbbldm.exe
4428	Ajanck32.exe
4500	Ampkof32.exe
4380	Adgbpc32.exe
2440	Ambgef32.exe
4608	Aeiofcji.exe
4964	Agglboim.exe
1952	Ajfhnjhq.exe
872	Amddjegd.exe
4576	Aeklkchg.exe
2752	Agjhgngj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5968	5876	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45258e84a3333c2e89cebc19cc5f6d80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	45258e84a3333c2e89cebc19cc5f6d80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	45258e84a3333c2e89cebc19cc5f6d80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2904	4936	45258e84a3333c2e89cebc19cc5f6d80N.exe	83
PID 4936 wrote to memory of 2904	4936	45258e84a3333c2e89cebc19cc5f6d80N.exe	83
PID 4936 wrote to memory of 2904	4936	45258e84a3333c2e89cebc19cc5f6d80N.exe	83
PID 2904 wrote to memory of 3544	2904	Ngpccdlj.exe	84
PID 2904 wrote to memory of 3544	2904	Ngpccdlj.exe	84
PID 2904 wrote to memory of 3544	2904	Ngpccdlj.exe	84
PID 3544 wrote to memory of 1972	3544	Nnjlpo32.exe	85
PID 3544 wrote to memory of 1972	3544	Nnjlpo32.exe	85
PID 3544 wrote to memory of 1972	3544	Nnjlpo32.exe	85
PID 1972 wrote to memory of 2584	1972	Ndcdmikd.exe	86
PID 1972 wrote to memory of 2584	1972	Ndcdmikd.exe	86
PID 1972 wrote to memory of 2584	1972	Ndcdmikd.exe	86
PID 2584 wrote to memory of 3508	2584	Ngbpidjh.exe	87
PID 2584 wrote to memory of 3508	2584	Ngbpidjh.exe	87
PID 2584 wrote to memory of 3508	2584	Ngbpidjh.exe	87
PID 3508 wrote to memory of 2884	3508	Njqmepik.exe	88
PID 3508 wrote to memory of 2884	3508	Njqmepik.exe	88
PID 3508 wrote to memory of 2884	3508	Njqmepik.exe	88
PID 2884 wrote to memory of 2116	2884	Npjebj32.exe	90
PID 2884 wrote to memory of 2116	2884	Npjebj32.exe	90
PID 2884 wrote to memory of 2116	2884	Npjebj32.exe	90
PID 2116 wrote to memory of 4268	2116	Ngdmod32.exe	91
PID 2116 wrote to memory of 4268	2116	Ngdmod32.exe	91
PID 2116 wrote to memory of 4268	2116	Ngdmod32.exe	91
PID 4268 wrote to memory of 1208	4268	Njciko32.exe	93
PID 4268 wrote to memory of 1208	4268	Njciko32.exe	93
PID 4268 wrote to memory of 1208	4268	Njciko32.exe	93
PID 1208 wrote to memory of 2016	1208	Npmagine.exe	94
PID 1208 wrote to memory of 2016	1208	Npmagine.exe	94
PID 1208 wrote to memory of 2016	1208	Npmagine.exe	94
PID 2016 wrote to memory of 860	2016	Nckndeni.exe	95
PID 2016 wrote to memory of 860	2016	Nckndeni.exe	95
PID 2016 wrote to memory of 860	2016	Nckndeni.exe	95
PID 860 wrote to memory of 1224	860	Njefqo32.exe	96
PID 860 wrote to memory of 1224	860	Njefqo32.exe	96
PID 860 wrote to memory of 1224	860	Njefqo32.exe	96
PID 1224 wrote to memory of 1220	1224	Olcbmj32.exe	97
PID 1224 wrote to memory of 1220	1224	Olcbmj32.exe	97
PID 1224 wrote to memory of 1220	1224	Olcbmj32.exe	97
PID 1220 wrote to memory of 3504	1220	Ocnjidkf.exe	98
PID 1220 wrote to memory of 3504	1220	Ocnjidkf.exe	98
PID 1220 wrote to memory of 3504	1220	Ocnjidkf.exe	98
PID 3504 wrote to memory of 1456	3504	Ogifjcdp.exe	100
PID 3504 wrote to memory of 1456	3504	Ogifjcdp.exe	100
PID 3504 wrote to memory of 1456	3504	Ogifjcdp.exe	100
PID 1456 wrote to memory of 4688	1456	Oncofm32.exe	101
PID 1456 wrote to memory of 4688	1456	Oncofm32.exe	101
PID 1456 wrote to memory of 4688	1456	Oncofm32.exe	101
PID 4688 wrote to memory of 3172	4688	Olfobjbg.exe	102
PID 4688 wrote to memory of 3172	4688	Olfobjbg.exe	102
PID 4688 wrote to memory of 3172	4688	Olfobjbg.exe	102
PID 3172 wrote to memory of 396	3172	Opakbi32.exe	103
PID 3172 wrote to memory of 396	3172	Opakbi32.exe	103
PID 3172 wrote to memory of 396	3172	Opakbi32.exe	103
PID 396 wrote to memory of 1476	396	Ogkcpbam.exe	104
PID 396 wrote to memory of 1476	396	Ogkcpbam.exe	104
PID 396 wrote to memory of 1476	396	Ogkcpbam.exe	104
PID 1476 wrote to memory of 4368	1476	Oneklm32.exe	105
PID 1476 wrote to memory of 4368	1476	Oneklm32.exe	105
PID 1476 wrote to memory of 4368	1476	Oneklm32.exe	105
PID 4368 wrote to memory of 2132	4368	Olhlhjpd.exe	106
PID 4368 wrote to memory of 2132	4368	Olhlhjpd.exe	106
PID 4368 wrote to memory of 2132	4368	Olhlhjpd.exe	106
PID 2132 wrote to memory of 3536	2132	Odocigqg.exe	107

C:\Users\Admin\AppData\Local\Temp\45258e84a3333c2e89cebc19cc5f6d80N.exe
"C:\Users\Admin\AppData\Local\Temp\45258e84a3333c2e89cebc19cc5f6d80N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\Ngpccdlj.exe
  C:\Windows\system32\Ngpccdlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\Nnjlpo32.exe
    C:\Windows\system32\Nnjlpo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\Ndcdmikd.exe
      C:\Windows\system32\Ndcdmikd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        30⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        51⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        56⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        64⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        66⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        77⤵
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        85⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:544
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        89⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        94⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        103⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        105⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 408
        111⤵
        Program crash
        
        PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5876 -ip 5876
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
128KB

MD5
2c67b7e9a8a5bd6e958b5f6dcb01ca04

SHA1
3a307db3cdc2f33334c3b3776bce621ba852c35c

SHA256
e1969a6740ca8da14817314433e6942c6640ca775f4a90dc576cbf69c9f652dd

SHA512
8cd47d3cec9169093dcb54eae7b6a059b81eae6dd674f42ab8f4bfc054973917bf24576784b6077afc4cb5d99a5d2f388bd393647dc0501b432c3e80f4424ee7

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
128KB

MD5
148ff840521d99e3a2b9407bbb0ec08d

SHA1
075223578f5ea529576e72f6b14d9996872d54f0

SHA256
b0d0be7fc4be00916ed30cc2dfe794a1bf31c4b032ddd84e81b20740597d248b

SHA512
668c32339c7e9cc70f10a053d9c018ee7a4279a10cf1d02d23fc575b0cfb5168de8f946c36c1064750c8db437cd48f973760d9ce2db71a1546bde083be75edb3

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
128KB

MD5
88abbe940bc224c078743141f06a2cc6

SHA1
45ac44b6b4ab35055d7a79bd054e05a58473fb75

SHA256
b0a26acdca7864c9fc3690ab72f06b847104948caeaa083bdef95711c8e0f0a1

SHA512
c9bca9d9e1bd4499fc44ed5f462fa009d59aafe18f19d3c39ebb4557bec6ca3fce8b6723eaa33d00ad3f55b78ef6b3c30653fde72b3b78909b1d654dea6c0c94

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
128KB

MD5
58dbc9afaa4cf65bff6d19821199f154

SHA1
06b7bb30aca82061c852c32b1df4f4b7c1e6407c

SHA256
30b036d4721d5d8c6277008751fe31a311945c127d262fc10af9a08a0e8c83e0

SHA512
11ff522fb735e8aa27dead94bb0b2ba14ea90f4515d530e71702f1b7c683ad738f3c8572a49c1f8770b7b80a8d9e05903b885acbb6b85d77af86f8c52d124c73

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
128KB

MD5
2d93e1cf713285cc29058cb85dd453e8

SHA1
32c1771a76617a5dba0c21729560705be153adc9

SHA256
a5620d2abb76b458dc91a69879e16d1a9ceab290a7ba72d41bdb2e0e82b43539

SHA512
f357a0ecec9fb54c2c1a2daaba5b9a99fc42dc322a96914c6a03e1738e75b15c8eb9cdf24e815f85f45628c72916a5944610d414b41f08459d22b62f6ca4e37d

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
128KB

MD5
652c6b258d027e1c1d4a195c67c9227f

SHA1
e80728b6c91e2522fc02c97556080217871d54dd

SHA256
0755f138a4d1df51d7ba9bf310e2ed8847be3f52dc1c37f933cb34cbda79cc07

SHA512
19b2f44328b44557bb4d2396d35054cf655ca1cbaee0aa4625d3832134399cafa96da440c6c1f47c58721be82a495cdc7319d0f48fa16fe45aeeb54a9e80481f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
128KB

MD5
407f5c87d867d6daa6f5a91fc8534fe9

SHA1
ea335419eae5207991fcc8dfffae2c138007209d

SHA256
f270dd70dcdc1c2d64d4e992e91a33415f63884e414dfb4370d4444ad680c123

SHA512
c62938a3eb7c7066cecebde7193f08299ba5b45c14a4de4a2bf48a7c44c383692d83f3b5608cd844b631d3f8332d00badf0431427859b174ae3ae2de2b5edfe2

Download Submit
C:\Windows\SysWOW64\Gbdhjm32.dll

Filesize
7KB

MD5
a4f2e14b65caf96e77011ab2c865e322

SHA1
7979b89521e5474742dd6dbcdd28f7f2a419bf9a

SHA256
de9caddd08481e490413bc4177bde9c315b87e240c79caf4480dffac8eee0ea4

SHA512
c2d28b858a0eb441fd2357a01988f5b4d8d0080ac7dfcbd8d538a443724ff4f2707e6c73dcabb7b8b1fcd81bbcad71ec922cb6d637e0f481dca3f7c122f858be

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
128KB

MD5
1919deb4e4a6b9ede629cf293bbf1823

SHA1
93531a7dbb7dad0c1abd5f261473c40385834296

SHA256
14875e977da912d6d62ba89f1244b9ba2fe20ca88b8eac956c4998f16df85f4a

SHA512
dd6870427f23a4cd746d5c63cc545209dd4555a6c9b5a28a81ebc61a4e3bcea2819bdf7c7a5eaefd48953e1e6d0214f5e79c2dec7161e869929ecdbd31c5e567

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
128KB

MD5
9190d49f9925c1771c1ea3174ae2938f

SHA1
a20fa9a4fb7fd23c94511ef36fe7c3bdbd5c569b

SHA256
67865af64898b5650920d5e93154f3ab5035b0b2dfbb6d91eee2017b5e61d6b8

SHA512
764602261cebd93f96273ae3add63b2d0a162c19f624000b2f69385dd0d94e7a8efb4a0ebcfaa89e9919a29678239267a02d1a2b6e120c68091a2bbb45b253ae

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
128KB

MD5
ae6981b98697759e028db8e04f973203

SHA1
f5db533668a8c6f14017ecafa691214e429d7950

SHA256
1cefa859bafc3262db2cfbe3bf06dedb5bd6a1287da0cc879212cf74057b512d

SHA512
22b2e3765ae0c4fb44e6cd266b2473f7c432e46bc149e13712997b64bec5514961760c7e2268a88b73bc7aa9daebf7c991ee941051c3b2cfb5e5b5d7c17957e3

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
128KB

MD5
3d9d4ee1c4efbceb1a55dff7a18ebab4

SHA1
abe5896d3de634349e0ed4961e2ebaaf12028bd9

SHA256
1629ba16893c0ac302d366c9f6c9d69c5cb818c16080fd48ff9a92582ce51bed

SHA512
e3fc564776d830136421e1a0f9a9e64fc5de5ca2ea142493bed72a0dfbbda3838d8087dcbc4aab6f687ba21c432403157a9606c8f30c4ddec05b2c721b692523

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
128KB

MD5
e75b9d2aa098a2afd2415a2ca5ac7825

SHA1
52768ef44342bdf4a6c8a14e23d75561d1126674

SHA256
69ce341fce674139e144db2b81671fc791718255a474fea9b38c411a4011f9b1

SHA512
1306f5a5fdc4e365453314158482e80e2bf976ce83c15235c01f0faeb876b0cc861d0030270ecdc5f7340f1f0064de82e0eef33497fc5ea2f0afde08b8cdbfe2

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
128KB

MD5
78bd6e92bd6d24619a2a95756af6af1a

SHA1
8889c7b62cb44b8326ea61cda50b6d9a24f42b05

SHA256
117295277dbc8c945ca3d4e867ff2798381796394323bce5eb74d4137eb047a6

SHA512
e5831d95306fc2409674d47c8f732d26bc09418b5b8774f3fe4dab12776e4ee7336f71b2c432659fc888deb58ba54c8ba1d19f60b2e31f9e7f404d0158100d47

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
128KB

MD5
8857562aabf34cf7179c279e4e9326e7

SHA1
697877bdfcb921ac73a63004be9a21b3383fee86

SHA256
f46f3674235a2d2684fa0afe4239abd69f10107e9ad3be604da5e7b2867a690a

SHA512
76727a1bec8bc14ba986dd579305481126da840f1e331b0adfb4511ff56ed1e9fa22b0a0066a916dc00e2e50afbeb975f0fc007aa7b89fee92682b72066941d9

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
128KB

MD5
8cd57abd98d5efd183e04d2dbb0ba1dd

SHA1
7c6757193e0a9d739058daf2b837dbd2c183e85f

SHA256
ef1426921ae2a0bb591e5740174c63e8e8bc3c5ea5f6de27c0336679e59a6a3d

SHA512
4e103f15d3d441cf073dbceeae4175bf38acb96e9dd517117199befbab04ed041a504296f454eb88072c0372d4777fad7d86b17e86aae7c57505e63af6c98809

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
128KB

MD5
df6f178b2ff51e5e5e159d74be82f82e

SHA1
82ce949ae3ea8e467bb08108f2c90f787dd0329d

SHA256
3bd27346a0e33307b03488b56493636052fc59de0d3ca5db19819d5dcd67626f

SHA512
5cc1885bffc3937c04a6815fca83fcedb0837b43b219681036f3ad2762fdd750c697b1ab2c01f1a8087389154b2dce9e037888243754eb1a7d401499543085b8

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
128KB

MD5
d88c671a887de88076c1a63c4fab7da5

SHA1
2e249d260cdf6d5e1c089e448ece123f3cf354b6

SHA256
2eb286c2afb4d7632a7410e8f6740df19bcbf4fe5e9143aa0b8ef0ce80692783

SHA512
0b930db6e8544c87731ff4a4796de47f70f54ef4a9636d6302f0b52e66b347f6282543fe5950bfdf26e08088e0753f246d0e1409ebb313074b64e6c3c4ca0543

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
128KB

MD5
fd841ddf1c92513fca24572de2c20d80

SHA1
9bce5ae68551704582db0f82916d988ecc51d2c5

SHA256
b1fd6eca9461ff538d5dc376afa99fc27fe437f6427d13339d74e66ad32f4a55

SHA512
d98f057ac92d501b73580975e0f54f882d972e9593d070e50c278ba099e54e653e1822dfaeb890f858986ea7a2ab86bdc9fa7a1a15075e615e753e3b097d142a

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
128KB

MD5
83091972ac4ec40d666bffba1a53dd87

SHA1
0c05456897972a66a58dfc7f9d69902067854f3b

SHA256
935ba0ff4a9cb828d12b7a17469fce1a9682d6faabc12c1c5c094c0596ed4885

SHA512
03381e7fb501f1c3c69c2af122296a5301d089484a383bf3313c51629bb24aaa7d39f4cbba8dcca1cd5a9f60045ab678e997f6b4d1507cededf39aa26beb9235

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
128KB

MD5
0987d48cf826cf4dae592dbced8efc09

SHA1
ec0de5728007ee2426aff9d0b067127a02c89a6f

SHA256
e24d9279f79f642da7996ef20ca126ce42e781c6336fe2c73ff0a5b988f34376

SHA512
14584d6c1cbc39a8b9c7453f64e964573bad3af72ed4c0f1d8133a4f1acdfab47777a26149e8be5e576a259d378db20a6ab594d292a347ae933b2c66688ff24b

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
128KB

MD5
8f0731774ad047b6f981ef326a46186a

SHA1
aa11acc6a46d74fb658785a42ef90c233621047b

SHA256
0d114b6718ed3b170cfbbe1330e96b531b45b7b22e56cbc14749792b04e88b92

SHA512
50b25b7a046f1cf63f01f1842c39bf02944bfd3526ede5f62157b12360e01fdf641d67c246df3369c718ec4d3610adf72417e4b4916380c4ef01579a60b033b3

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
128KB

MD5
d75ed2486faf901e1680e5a238a0d515

SHA1
ffddf68496c567d93a84cc191b8d0d28a25bc19d

SHA256
b930122fd40c92b50c017746b5f88aa8552c1824b7d5d59a01b25616336348d7

SHA512
08169ea5cb53a0abe32f3d912b632b4c0f1b99d3bd5f24f6997e90ee4d583c5dabc7c69d3b06a232416f3a40c2616b5ccaf31bec79086b05f0902a257712a407

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
128KB

MD5
5d4fc40cd07b13c8bc28e156b90f341b

SHA1
8bbd8e6d0c5de3eb884c0fea0d35d52eac77bb12

SHA256
8dcae5aedd0d432d3401aee2b7c3a5f6b14d38130fc6167fb28aac7489abade2

SHA512
08540ae6bce0e3d9db6a2c701bafbeaa4ac9a20869d3d09dfaaaf8afe7bfd303a354029ec87df1a3f3e16f25c36a409a385ea62e1f7977b10630b27210ee4823

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
128KB

MD5
42bf9258ccfb74272494a89d971e9128

SHA1
fbbdb19f6f7be7a770e800288beccf21bd09a225

SHA256
a9f8a5131d15d4fbb1286c7468d46ec97c745e91344f1a7615e845c0e6cea88b

SHA512
0a97b3c1002a83d5b3e3d3463b8ff87ed539cb7465782894fe986c67437640c84290e2069c86539c28b8efbb69b8cb62d2fa3e531a75d50c1adf5ba3f776c3e6

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
8a63dba54722dae721a5d600f2f34197

SHA1
691fae2dfadbb635303c34d91cae056e6eb16b12

SHA256
4237684038513be884377c11312ea610c7336826e658bf687f2e83fe43097e4f

SHA512
a71c7a82d486931624ea33ce3c8c97f87f237c12a07d7b9a969576a99f4ee65b43d2677ddb09e3b59b3f9f2585861981f83be61203f1b68d715080c4a39b3fda

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
128KB

MD5
98e07ccdf198d59d9d921262c234835a

SHA1
7153eeb37804920c2e047f702224b6b14211d819

SHA256
99ffc7497e72179cf330e55364310508f11a9e6a0d6d9a637ea632bd6217894b

SHA512
2a02991dfcf8fd4f1852a96ca0c3c5cdd0a2bf097ab8029db14331a8e96893bd3cfa79855e33c3ce6413c779627aff9f2dc07b06d1b258bb1e759108f02fa622

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
128KB

MD5
5e0f4ea2b47995baf02fc0fceedeb45d

SHA1
1b55db18f111859bdaaf2f62a3d3d9cdf82bcf58

SHA256
1978e8d09dddc6a8ac3acb8d421b320179835541c380a1ea203da9fb782da260

SHA512
a36ebf85fa387994f7aaa320e7a913a633717158012744573038c7027dc13e926341926b69df41b51486531039ca7b7775bb80d270f3225e41f3d0e9bc9301a0

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
128KB

MD5
e8e3d77790f178f08e76f6d4c6fce965

SHA1
a7d2b586296ae9a5bacf0b41f5de11fe40c93aad

SHA256
e2f8494c78a644ad188e128bed720278958c1fd0ba912f27961f081b6ae3f42c

SHA512
c16b27c2571449d7650447b9a11b8d6db3c31b2e08480e72605407bd8ad04caf05b5ae6f2dfda20b42d4599ed8229fcac0f9adc531bb5b48bc976d6ed071d532

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
128KB

MD5
a5e31684364d371c0591bb5347ace085

SHA1
45f0a73bc795ed10d62c8f87a025b3ce8fd38ec4

SHA256
b21f7f5c3c072ab28d93fe58850f5f7433242788723c2db7256d63b1a4700670

SHA512
7303500cdc2206346458f41dd9ba3ba60565c70ce255f72733e3e459ea9901775db901c9768564895d5c31cb5c47808961c284e02f7cb9bb8b8f157ca56245f5

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
128KB

MD5
3814793f174a6feaa5bf6d9aeac9361a

SHA1
2c0e974ea77cca663801fb8b1838b6b0ad6fd343

SHA256
f31232fbf0c7efd56593fc7b6780e5b6fe856571b3a992f6508a92221d6830b5

SHA512
7b4424aee097e2d93c56d7bd10b7cf70b81d1e7078345db9b1d4b42c46ac67b29a33a907de602926f9f7544124fb72d6838dcd2cacf92c9930fe02be2ad64cfd

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
128KB

MD5
f54b80dc175bc8bd766ad4011135dbc7

SHA1
e112bbaf24a10227f4ed38f1c52d30baea3bcca5

SHA256
a3e50a87002e8088a29fc2375bb6b195dad7f5c7c7e72c272bb90d25841f5e76

SHA512
da398894e345186e418b65c0e8bfa398fc5750a45c98b0af4a90ba95676d466cd63a0f0ca13caef25f4e8d6432ba721d33f6ee2033905b9daf6c9731e86453e0

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
269ae1c834971d11a379ec4d882fab8a

SHA1
0be9784086bc3be782dba2d95832830a6c98b18a

SHA256
c2c4b9247925bbd1a79ad7317bc27dd4223828efd9c4a0e4b6ef3452b6e56083

SHA512
25a091f05e189d48d9a189efdc0b4e1512e8ae6bd7c8f437b3c1dece036a9a979c4ca488ab109b5b47316c2906ac640a9a720d5f976e861903f8d42ba0599d46

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
128KB

MD5
4943bc050119bf1d4cf0df03f772cc78

SHA1
7a76aa21567dd7c9ddb8dcafbebd9cf19b13adbf

SHA256
c01c882695b5283063c7fd4bc20e4ae884b2baed6409b3235edbc51a2d0aacaf

SHA512
af66bffaea309905bad2527207bf356ded2e46a144a8ea787ea618f348214d442f9603dbdb0c7fe6887b49c6b08f3933a55013f86a5c356057e82ef956d1f3bc

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
128KB

MD5
e0d32d585dde804420d851723931a864

SHA1
a5f8e59d05b29409b5b2d871ab18a96664a6272d

SHA256
3c985aff9454506b577e9c4c5b58d46a634c049e1ae60c910e14f9e61429bc9a

SHA512
8710c2ae5ca0313f519c64bd88f6f383aaafa891f3d7e79c89adc44243b107cecaa0a9dca518501cb312ebe9a71511d0dc290686274170d1bfd95182c1adfffd

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
e2b3314c7e5928b56654cebfed1f7024

SHA1
72c5eb70626a139de5788e5199ffa01114235c94

SHA256
4cfa8f5db5edc21adcbe7cafb2f96c24aad930f2bbe50617bb617837d26824d1

SHA512
0c4f2d2564e80c2e40b12f7e01cdc37d1861bd6a6415adfddb2a99062ada09ed2844d6b743f24b4402a698357e121589a581725e99b56788be96ddfe71d53a91

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
128KB

MD5
9a13159b8cea0c24c7894519590b4030

SHA1
d0dfa6d396a945e6ee43eccd51ef231948bd50ce

SHA256
6b7aa36210f33738158dfd39e2062f3821f62c9e986aab2670c36c873dbb38f9

SHA512
26bf56bc37a3467ab2259121598135a5a8c2d12088c9bd86ef9603fbc5757eb3621757933afa841c35c3dd6b67d4c0191c0e621ae003f531fa5fde703d6ec4cb

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
128KB

MD5
1627958e7036449bef82c502aeeb0510

SHA1
99975a52b790f798aec79ebef6a1fd5b2ccf2749

SHA256
1ca556fc574fc70a9261b58d42e0f4114b5e6d6eafbc25e57c2154a6fb8e4485

SHA512
9dbe9a638abe028b7a848b34e45baa025ffbfa5d18b2c6c59e68307100e75ddbcb46fc2d2d334f6827676f73306304bf9e9e611825f47d3eb19ce2c01c298617

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
128KB

MD5
5098c6da4e9f12e6bfd04f821d3f6d55

SHA1
c58e6e203ff2f9bbc5216b037b894a87880d63db

SHA256
bcc979567979038f1227c5f589ba3dd5afed1d32f109a623cfaffd636eb6faaf

SHA512
3437544bec7162b7139ec3dc20d69f723efc0a6c72fbac4cf88be177fcf2217bf78a6f0f0d9c71af07138ebd7b434b0025240ee9370ac27c04f4f82cb9279646

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
128KB

MD5
05c4e5e924bb95946ff79933d7d457ec

SHA1
f660160d05d1c79e26e38d7277f1594778bd9765

SHA256
606b85c63237488e71e913ee8755397c5ea2b8fb5e26c16ff9dc8392dce4292a

SHA512
cf9dbf789eabbdb642b3b1406f67e1da08b57977f17e4c05e8643590d0425f66fea6d74df569acf0499e0d09226ae63ca8d97a78e80dee674e6918d514e71a03

Download Submit
memory/396-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/860-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/872-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1224-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1452-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2344-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3264-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3276-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3412-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3416-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3508-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3508-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3536-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3820-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3872-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4496-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads