ba74bfd49807385851652ce60cbbcc1304ef712cd824fb1bbdb9fc66630bb383

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40f85a0b722ba64011ac847c1f4de550N.exe
Size

314KB
MD5

40f85a0b722ba64011ac847c1f4de550
SHA1

5505301c17823662aa8cf5febd660ec211d47f54
SHA256

ba74bfd49807385851652ce60cbbcc1304ef712cd824fb1bbdb9fc66630bb383
SHA512

7bf5cde3258fcc2111599c015109355c1d3fee277db8175edbb510d2e443f7519b4c4e50d2f82900057f7ff0e9103b203c51760d5e3f2c31d98aa17977f3d9e4
SSDEEP

6144:P7npYWejnfj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:P7ej76Najb87gP3C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	40f85a0b722ba64011ac847c1f4de550N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe

Executes dropped EXE 64 IoCs

pid	Process
3920	Nlaegk32.exe
3320	Npmagine.exe
5028	Nckndeni.exe
4048	Nggjdc32.exe
3116	Nfjjppmm.exe
5080	Nnqbanmo.exe
812	Olcbmj32.exe
4696	Oponmilc.exe
1404	Ocnjidkf.exe
5024	Ogifjcdp.exe
1144	Oflgep32.exe
1532	Ojgbfocc.exe
2500	Olfobjbg.exe
3512	Opakbi32.exe
4412	Odmgcgbi.exe
4276	Ocpgod32.exe
896	Ofnckp32.exe
4756	Ojjolnaq.exe
3564	Oneklm32.exe
3780	Olhlhjpd.exe
4460	Opdghh32.exe
4964	Ocbddc32.exe
2868	Ognpebpj.exe
704	Ofqpqo32.exe
3624	Onhhamgg.exe
5064	Olkhmi32.exe
2732	Oqfdnhfk.exe
2636	Ocdqjceo.exe
1820	Ogpmjb32.exe
3656	Ofcmfodb.exe
4764	Onjegled.exe
3956	Olmeci32.exe
1412	Oddmdf32.exe
3064	Ogbipa32.exe
1028	Ofeilobp.exe
4720	Pnlaml32.exe
1944	Pmoahijl.exe
2264	Pdfjifjo.exe
1760	Pcijeb32.exe
3880	Pfhfan32.exe
4968	Pjcbbmif.exe
3372	Pmannhhj.exe
4200	Pqmjog32.exe
4516	Pclgkb32.exe
4464	Pfjcgn32.exe
4792	Pmdkch32.exe
3796	Pdkcde32.exe
2532	Pgioqq32.exe
1584	Pflplnlg.exe
4316	Pncgmkmj.exe
4008	Pqbdjfln.exe
2700	Pcppfaka.exe
3980	Pjjhbl32.exe
3640	Pmidog32.exe
3480	Pdpmpdbd.exe
1716	Pcbmka32.exe
3140	Pfaigm32.exe
3540	Pjmehkqk.exe
4632	Qmkadgpo.exe
5156	Qdbiedpa.exe
5196	Qceiaa32.exe
5236	Qfcfml32.exe
5276	Qnjnnj32.exe
5316	Qmmnjfnl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	40f85a0b722ba64011ac847c1f4de550N.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4468	4228	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40f85a0b722ba64011ac847c1f4de550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	40f85a0b722ba64011ac847c1f4de550N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	40f85a0b722ba64011ac847c1f4de550N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	40f85a0b722ba64011ac847c1f4de550N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3920	4876	40f85a0b722ba64011ac847c1f4de550N.exe	83
PID 4876 wrote to memory of 3920	4876	40f85a0b722ba64011ac847c1f4de550N.exe	83
PID 4876 wrote to memory of 3920	4876	40f85a0b722ba64011ac847c1f4de550N.exe	83
PID 3920 wrote to memory of 3320	3920	Nlaegk32.exe	84
PID 3920 wrote to memory of 3320	3920	Nlaegk32.exe	84
PID 3920 wrote to memory of 3320	3920	Nlaegk32.exe	84
PID 3320 wrote to memory of 5028	3320	Npmagine.exe	85
PID 3320 wrote to memory of 5028	3320	Npmagine.exe	85
PID 3320 wrote to memory of 5028	3320	Npmagine.exe	85
PID 5028 wrote to memory of 4048	5028	Nckndeni.exe	86
PID 5028 wrote to memory of 4048	5028	Nckndeni.exe	86
PID 5028 wrote to memory of 4048	5028	Nckndeni.exe	86
PID 4048 wrote to memory of 3116	4048	Nggjdc32.exe	87
PID 4048 wrote to memory of 3116	4048	Nggjdc32.exe	87
PID 4048 wrote to memory of 3116	4048	Nggjdc32.exe	87
PID 3116 wrote to memory of 5080	3116	Nfjjppmm.exe	88
PID 3116 wrote to memory of 5080	3116	Nfjjppmm.exe	88
PID 3116 wrote to memory of 5080	3116	Nfjjppmm.exe	88
PID 5080 wrote to memory of 812	5080	Nnqbanmo.exe	89
PID 5080 wrote to memory of 812	5080	Nnqbanmo.exe	89
PID 5080 wrote to memory of 812	5080	Nnqbanmo.exe	89
PID 812 wrote to memory of 4696	812	Olcbmj32.exe	90
PID 812 wrote to memory of 4696	812	Olcbmj32.exe	90
PID 812 wrote to memory of 4696	812	Olcbmj32.exe	90
PID 4696 wrote to memory of 1404	4696	Oponmilc.exe	91
PID 4696 wrote to memory of 1404	4696	Oponmilc.exe	91
PID 4696 wrote to memory of 1404	4696	Oponmilc.exe	91
PID 1404 wrote to memory of 5024	1404	Ocnjidkf.exe	92
PID 1404 wrote to memory of 5024	1404	Ocnjidkf.exe	92
PID 1404 wrote to memory of 5024	1404	Ocnjidkf.exe	92
PID 5024 wrote to memory of 1144	5024	Ogifjcdp.exe	93
PID 5024 wrote to memory of 1144	5024	Ogifjcdp.exe	93
PID 5024 wrote to memory of 1144	5024	Ogifjcdp.exe	93
PID 1144 wrote to memory of 1532	1144	Oflgep32.exe	94
PID 1144 wrote to memory of 1532	1144	Oflgep32.exe	94
PID 1144 wrote to memory of 1532	1144	Oflgep32.exe	94
PID 1532 wrote to memory of 2500	1532	Ojgbfocc.exe	95
PID 1532 wrote to memory of 2500	1532	Ojgbfocc.exe	95
PID 1532 wrote to memory of 2500	1532	Ojgbfocc.exe	95
PID 2500 wrote to memory of 3512	2500	Olfobjbg.exe	96
PID 2500 wrote to memory of 3512	2500	Olfobjbg.exe	96
PID 2500 wrote to memory of 3512	2500	Olfobjbg.exe	96
PID 3512 wrote to memory of 4412	3512	Opakbi32.exe	97
PID 3512 wrote to memory of 4412	3512	Opakbi32.exe	97
PID 3512 wrote to memory of 4412	3512	Opakbi32.exe	97
PID 4412 wrote to memory of 4276	4412	Odmgcgbi.exe	98
PID 4412 wrote to memory of 4276	4412	Odmgcgbi.exe	98
PID 4412 wrote to memory of 4276	4412	Odmgcgbi.exe	98
PID 4276 wrote to memory of 896	4276	Ocpgod32.exe	99
PID 4276 wrote to memory of 896	4276	Ocpgod32.exe	99
PID 4276 wrote to memory of 896	4276	Ocpgod32.exe	99
PID 896 wrote to memory of 4756	896	Ofnckp32.exe	100
PID 896 wrote to memory of 4756	896	Ofnckp32.exe	100
PID 896 wrote to memory of 4756	896	Ofnckp32.exe	100
PID 4756 wrote to memory of 3564	4756	Ojjolnaq.exe	101
PID 4756 wrote to memory of 3564	4756	Ojjolnaq.exe	101
PID 4756 wrote to memory of 3564	4756	Ojjolnaq.exe	101
PID 3564 wrote to memory of 3780	3564	Oneklm32.exe	102
PID 3564 wrote to memory of 3780	3564	Oneklm32.exe	102
PID 3564 wrote to memory of 3780	3564	Oneklm32.exe	102
PID 3780 wrote to memory of 4460	3780	Olhlhjpd.exe	103
PID 3780 wrote to memory of 4460	3780	Olhlhjpd.exe	103
PID 3780 wrote to memory of 4460	3780	Olhlhjpd.exe	103
PID 4460 wrote to memory of 4964	4460	Opdghh32.exe	104

C:\Users\Admin\AppData\Local\Temp\40f85a0b722ba64011ac847c1f4de550N.exe
"C:\Users\Admin\AppData\Local\Temp\40f85a0b722ba64011ac847c1f4de550N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Nlaegk32.exe
  C:\Windows\system32\Nlaegk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SysWOW64\Npmagine.exe
    C:\Windows\system32\Npmagine.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\Nckndeni.exe
      C:\Windows\system32\Nckndeni.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        26⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        27⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        45⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        58⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        62⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        67⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        68⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        70⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        78⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        83⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        89⤵
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        91⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2440
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        99⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        100⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        109⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        113⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        118⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        123⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        124⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        126⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        127⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        136⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 404
        140⤵
        Program crash
        
        PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4228 -ip 4228
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nckndeni.exe

Filesize
314KB

MD5
61a30f042e4e7e68db736cd6914dcbbb

SHA1
a9edcc33317252077505b661fb66ebdec39fa9ad

SHA256
77bff376b777cc16f0ccc4ae7f107a844df4aacef0440f8bb4ebc2b9a90966ba

SHA512
4ecb50c077441d698270d24cc58f9522d5e32007747955cab4e9b48b89c553dc0ca138e77d01188fb14a2ef6ed05673f8969f36e4045a5db7ce0eb532195d2e1

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
314KB

MD5
771aa8221c4d065a797cb448f359be45

SHA1
a48b9f62d5aef806ea580523db4c294f7e8fd4c6

SHA256
9ca9062d0f20f0fae820c4cfeaa6f4f016a7a0da7cc6c23793213a6dc5e69808

SHA512
aabd2b0aac4768b257f1e58c73c9f4b9e8800169940449d63cf27de7894061be157455924ad44721ea052fc88ff37bf9a9af4b4ce69443e9028e5bc3d5d0b61f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
314KB

MD5
95d3fe4132bf7453affce50e09a8b414

SHA1
4de8c9944f3b6c0c4a4e1548ebd9852001cc56a2

SHA256
67cdc04a4ed03fcc5486e39fc6469b2a2ea63aed515c3fca1349ca3623cb79ee

SHA512
c97466f3dc221d249fcaf1781a1ce7737f61805434f071993394b22930f6b534cba98176c1abcd034c4065da7a112e6d6d56dc1d0d8f6c8e11dc0a76f7ee8209

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
314KB

MD5
bdc0c499b5b08b3592ce8caa4b54ce76

SHA1
1806ab73ff2d9cdd6bda42648cd4bb9049478800

SHA256
18d60acbf5bcb19281fd5b0521798920529db287aba4b80c535a8fcfa6c888bd

SHA512
0823faeb547a4e894b6cceedf8a29a021662b504cff90a949157383cd18079cf277968fc5aefabc2f993d76b40e2c179476abd7e23e0aaa536d270caa9134eeb

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
314KB

MD5
38334533cfb80eaf8a6b281e50b8c489

SHA1
6edc33c381b37e6cadc60a57b5f54f2f7a7b754f

SHA256
bfa433c94ef6b1ee4d627113e172bec3c73420eee562ed44b524dda20d171c99

SHA512
d3ab851c59f409f04be587c36f61fed6071a41c31f63de9769d43d7128e69e85c6177427bd6077bec67884be79f919bed35a2fe73ec67b3c832852e635d6e0ad

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
314KB

MD5
3b1cd54d9408ce4c22f11fe3f05493ee

SHA1
eec70b24d58e5409655f5ba47f141b88a26a83cc

SHA256
b3b0525a3b37d8dd1c345ac5d4802d482fb38e5f38e6a9629e60872db6b343c8

SHA512
858280a00e930f8364f35f96da0bca312fdf30d4d5139a4b3d8edc3a4ba2de870912bc92efe5438198bf6073709455d3c70b77f2d408127b6dceacd319d9f395

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
314KB

MD5
ab963e7a034b0d0fda5becd2fef481b6

SHA1
5d498835448328fd79568828fd7399b42225971e

SHA256
1894c6dcffbb14ca4e4a8e214340e057236694b91b177f8aae0ee6d5d0ce701a

SHA512
6db9ac1b6484d3b09ec251bf7a83378c3d21afbbc4b66a1c4acc1b3e65db0d3275dfe61d340691e322a11c8e7533017c9cee808f590da9d30046fc1864a33efc

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
314KB

MD5
a90e3d9f37462c4360a583c3966a8eb2

SHA1
1d31197225459629021d5d822a397235d7a9e926

SHA256
c94194ca2e491012208736d55f745f5bb93bd25f126f7a4db460a06e16f815c6

SHA512
c500db45102f1c26efec55d52c599a618dce72be2507d222052971d4e8f90bf5fdc748399c7eb9bcf33501bf163b577e4937c93b94ac8bd5d606f392f96ba126

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
314KB

MD5
237c1977834c55442da384c38a2f74a1

SHA1
627fc99bdf8bc4b12a7b70711a5a0abfda942ec8

SHA256
e01117f263631b97140ff30c9e4f83fb6e4e1cc84c7148e37d96e4d2ffc063f6

SHA512
41b8212273e956a2fc29dfe5874c44dd36edc5e539192559b21205154c49e83b7046f8a997a2af4daacf6ea2c0f846046d856342a538914f560a97186149278a

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
314KB

MD5
aeabae37e1270a15e7b6a49290c999b8

SHA1
ad94bc2c3422c05fa06757606c99a0dc3dc60284

SHA256
be09c89e83a7acc7950413b383ce2d387558ba86f18a3376d12a2ee60143c812

SHA512
406f191950e0bbd3d2d3ad2e39a4b91cea80f70690915bd7aa4c48610963e320da6c2383862620e91f6b663d3587c7ff359e04a7d1ed1f18b583c03525e67cb4

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
314KB

MD5
5e1af9788bacd28c06cdbc56a5edc428

SHA1
ad7c09af2622b7959f4a8cb5fa4090935987eb0e

SHA256
28e87750ad87434707c7687b32864a2f6ff723210b793e6a36d06f609b2d25dd

SHA512
5625972f7ce46b0e9cd9540b3ac0ec7af36c83cba1ebc6f6449810c4398f9914db3439e8d68e340fd3d6e3bc6533051468dddbb3e7e5a8cae5637cc18e20099d

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
314KB

MD5
15f605a54793fc057fc3796ab95b00f5

SHA1
97d00b17ae75cbdc1dfa599903ee2f9e4a87fb9c

SHA256
2c8a5be8b0b8d63a4b98301e6616616eb8028f312a4199280b6cababb0038739

SHA512
2aaed4cf3f85cf87c0427e68f4d2a0fcedea393ac482d2ae90264763d459b8a830023eb2bbcb169490e02add7d102fc05b15da88f2c72c42dc82fb66adfed0d9

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
314KB

MD5
f797d1d1bd5cb049015bebcd889e5bc9

SHA1
055fe28494283227f4f9211931504633ebbb09f6

SHA256
db3b5efc3a35b0a44ce342fd790aba6fb778c1076068e0a8f9f91481b3dd51b9

SHA512
25f5af0f89262af3894b659993083ab26748cdb00b11cf0b831812406e0c855df92699c51f4b392a71d56877ae5fd4b5a9bc231602463c855b7098e8b5ce9b27

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
314KB

MD5
676f79e74f9bfd4be2ee2530018f57df

SHA1
6ec9ba0721f828f1483a493a6aba35ed13c77521

SHA256
78290c5ef12795aedea6fa0bec812ac57e853b91c2b077c856b335fddbcd17ea

SHA512
1d11209c859c94cd2d0a92244bf2a1e910b485ab684c859b63ce30b263a5fafb303c0d5322ca7ac349bed849e395ecbf71127ef31e1b3f621d5084aa21f2534e

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
314KB

MD5
2eaaef0725ce5f3eeb89dbea23a72fc3

SHA1
9c88a2e99ab0b5b8091bcd6b638d305d99b77b9a

SHA256
3a02212fe1800098c5f7a8ee68fca5ac6f844d9234e46df21943b5f08042c281

SHA512
6d61dc368461887f204db5601992c1d1bc8a82db0e855ea0ddb008ab7e4482182f3024c266aefa129aa4dfe3239d25304beadb773ba5d6f91fed7e688bd57cc4

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
314KB

MD5
c329a0407a1a0995b562768d8e8ddc7d

SHA1
05af150b51883d3e085d135140cadad13f11e35a

SHA256
eafec703ec6103cab8ae3f1ff284b120e29a73c827ac8ed880893f27d1a7edda

SHA512
53dc033d1b518f2ff3d5420d737f2dcef040253b24bc0cd816bd819624457a34c4f6284d52a576c011260e8c99688b6d5a43c8339403bf65f58da760e3318d6a

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
314KB

MD5
21b0824037c284b59e53f0dafacc501a

SHA1
8df31b9d508f40fcf7fcb8aed3d879361e45c845

SHA256
df8d6ca2921879c365325544b67990dc3242c21ed2430638a4a1d369d3249c4a

SHA512
b2b7aaa5a5e2defb22bcf82110534e0397394db5c569633dff7ca66fd6c1f759363f70ce3f9fa3964955cf3bc6d262c889234dca4d6aaccb734720bce8304b86

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
314KB

MD5
c38b8e4ac2d78834ade5278ea2ffc6b5

SHA1
485b19cd1f3f8bca0802d17bfdcf2c7250738486

SHA256
a8b96538d9aa62e55fd346a2df65d60a50f5d961d9b3b1527742e445c8b1ca05

SHA512
2ab1e3ccdb435a7a6a7efa8d1e142e3419354c3cad89a2e2b01f663a2298d67bed447af6a758e64882a395e897968444b4cf663bf331f47a9cee4ec04cc29616

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
314KB

MD5
77607f9399127635937471d3ecd0c3df

SHA1
e01663dca00d51fb93aa57b87461372b7be14725

SHA256
194d4c91d5206653e7cfc063f79342f4bb295008fb94eb8745d9b0a053994c5b

SHA512
7ada6db8ee2b26671bd70013c2fc3cb9c7f053787aeac7231f865ff4ea4f98e64f00538073f2568bd46d1801e5ab597a510c09ded35204f135e2af27fae30e4b

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
314KB

MD5
9d9b5905b6c2fb3c2f097ab3def18817

SHA1
87517c3fc03349f87dd25f58aa66fd88fa2fd9c4

SHA256
18786fd9874b769770e45962e6180ad2c4ead23cb45c0c34a7b3ecf9548a0987

SHA512
ce67ecc97a9a837666f3d44c80a91c4a7b1f7ffc2607d7a81058b780c6c7a19a9c459fbb038c8ef21c66d33a1cb73057b00bedce63d2d53f937dfa7b2c519aa4

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
314KB

MD5
2e3dc912211bf11e5e10b341bd6cb147

SHA1
d0815af8acd8ecd6a89d1beb59850cb332b2d7fe

SHA256
f36a4bf050b84ccd699afbf6bea29c50324c88eb61694e82375dac98645b439d

SHA512
feb95b8a988373daff7edda5419d9a3194741bf831900c71eac660dab2a56de5a573ceb2f372658e41ebd011d364cc2993d430ef920755b68f035c617e5aa499

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
314KB

MD5
895184ca972e140cf2a6241979e435a3

SHA1
40c3d405c36f997ce7ef2532924fa438dd2c9303

SHA256
6dac3129a77606676bd6ba263c4abb219d34f80b617e92253bcf5e9da255e441

SHA512
b0fe262dfbd0daefeefd087ca2669ecbf7b35d302f7a7ae179dcbeaf142b68369c7ec752cba71bf03f2e7d9da6918af890b725a655483a99b26b44a84ea11f13

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
314KB

MD5
4333f3cfb8e129f011561da1250a7657

SHA1
4c2c0b419ca97f0657c7916473f4609158d9c2e1

SHA256
f9214cfb192e7a2f661e5e43d66bda8dfe85806280924dae10b3721dd9d4ec20

SHA512
3b02617ec738dec5b7e451886513fa36c3aa0284ebf440ac2cbab40d8cc0b41a8852e915fd4f54bc14e5842fa16be19a1fed76aeca552cb4ac5a166f7c8a3d4a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
314KB

MD5
f84edf00d78b449ab6affeb4fc843c52

SHA1
990438ed34a773758a92f58ea2b563083d2a4115

SHA256
0ee1cb7c0df20c56c5491d63bcdffe5b5cbd288f3ad1242034f1ea77634164e6

SHA512
63c31ee7d2c50351e584101afe164aeb92154b3d9f4e9368214e22dd57da4c72731dd9d657041836c5351dfc039592a73be6a09205e84b2b83399387a18504b1

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
314KB

MD5
a006462d60d1a32e9543ee13679f334f

SHA1
1aedb6b1720bab7275f183bc5430e51da67bcb8b

SHA256
aeb574d4704bf2df31f8c673db7e0bb3544df99f8c8582f38843bb2ebfa43048

SHA512
e3e86eb6704d639fa83f477116f4e55ed305513743d6cd4d6b771191ef0128cec66b0b9dfe66fddeeaca0a511d0a1780064abc43f0ff847012e12905e0fbf3f9

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
314KB

MD5
8c49a76cbda6c874010e9f70f2d17ff2

SHA1
c5a3eba5265349aabf1a2cb080c8be83f17ec5ee

SHA256
8a5a7623d624ca710b43db6b24931dfc0c6563a74b5b0a83d2a48e41ed937a7b

SHA512
90ce2b9310505c44106ba82851f6621be817e6a6d1cf1ed36e01e6a439a7031c656845ca77a60b5c2f0b16f0fdfb57ef9263f98bba89fccea660a3051723f7d7

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
314KB

MD5
37943026e3f4d53f1b4023a5f0ade2c2

SHA1
12df462cafc0add7195f5c8f812aa9e43241c2ae

SHA256
1f7a63c4dae1fef4817c729172b00d087427ae00d31244e3e6ee5379fdc6dbdc

SHA512
dec25f5f8fc62c237d07aaecd1366fa5bca239fa31d23d0918528623c2ae8d882e67311600df9d9fd2e3e7c81a83b6d92a239badf915c6165f483654ef42cf2b

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
314KB

MD5
9fb48bae076019f311870e563acaebb9

SHA1
e1178c1706ea373cf6c8f06dad4501abc8a54407

SHA256
fb1710e617b69abcd9e5c8c116eaa22cad94e1b41ab4fe11014445f746958919

SHA512
0479a50ec6b38dd02c65bcbf84168daf316c41151a1a855ecdc8eef3779a808661b9484a537769d2c1c62cc087ac537c5c6c3f8083fd527a89b77136c48ca823

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
314KB

MD5
cc7ed721d6cb0e6ee087a80caaeb8638

SHA1
d46c4f0d6bef276bae6e52c3d407e295a60d8cf8

SHA256
687ef74ca5a90efc6c15a0557cbf377f676b6718add49d7a202fd6048641f37b

SHA512
1713982005c5fc6f5f047bb12aa93e857e0f93b88a6c262deecfa96c2abdec27c5b1597dff55903217202c0f20e83d0696fb7be80a625d8ff2bac75c9d7ce767

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
314KB

MD5
5680035114d29f9996acb89ee6535d4b

SHA1
ee3356aa6e3372218430b6ed697b483fb6534404

SHA256
3a3ebbe021171cd9068ae6a861bb7aa3cecc9fc376cd47762589dd697c68bce6

SHA512
b3ecf1f6abfc48f9c7387cedcda14b716f895a1793386219c632bddd1d5b8143ddc0cebe37b97a53c1943c5eaa9cf7b1b3648b8f8e406886a340aee1fc689bb3

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
314KB

MD5
d102cec0084d19edcfc5ac1ff20ebc58

SHA1
09a9214908a825dcd77498dfad1ff375ca0a96b7

SHA256
3d8c0a9d8fc508315340b404972246478ca2e372cb42860c48f4fb0b056c4962

SHA512
a958f976b9774864d6495437ee6e08f6579ee0688d82ffbe12ed4dedc060dfc0efeb756b582595c197564d66263d630fa52f125f260c987fcc7d2c85c66cbc23

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
314KB

MD5
57c6b389962d6cd1d723a36397ac42e3

SHA1
4b32af53b42c8eccaed262a1c4f37e146b5fbf1d

SHA256
ea7ccd57b6aec3ba7f3af4437cf0e06108ab1028e0ff86a19e4453853655fd0f

SHA512
0ab7d75ab8a40ba70a849e6ea8db11f1560d48dd4cbb2086b7a6f1922b515f5876561c9b393f5ee05439c8e58995ff8c6562eb6575af122f0a80e3ea94b65343

Download Submit
memory/220-613-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/316-619-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-198-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/812-61-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/896-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1144-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1412-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-101-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3116-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3372-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-118-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3640-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-607-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3780-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3880-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4148-601-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4276-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-595-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4764-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4876-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-214-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5156-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5196-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5236-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5276-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5316-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5356-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5396-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5436-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5476-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5516-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5556-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5596-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5636-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5676-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5716-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5756-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5796-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5836-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5876-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5916-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5956-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6000-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6036-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6084-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6124-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads