a54b37269927a89dc5a943c287f3b7a0f153b288d5646990fc00a5ef0f2c72bf

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

325432d603b087a54b1fe3e820337750N.exe
Size

59KB
MD5

325432d603b087a54b1fe3e820337750
SHA1

bf471a1853461ad98a87389338283254060f6c87
SHA256

a54b37269927a89dc5a943c287f3b7a0f153b288d5646990fc00a5ef0f2c72bf
SHA512

2da62d64ee52220d80728c58331448362a371e20a40cbeec8db87c3cc5317a66ef1f8a5c9384e65170349ff01bcd6a16cc55a61dc9d9623069750010ad0503ce
SSDEEP

768:sp23rSZoq66YVz/aG4xLXj+5vgUsADsPLbsH2oYco0Z/1H5dA5nf1fZMEBFELvkC:q8+ZT6Dz/CjuYILHAcoG7kNCyVs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe

Executes dropped EXE 64 IoCs

pid	Process
2664	Ncfdie32.exe
1532	Njqmepik.exe
1756	Nloiakho.exe
4752	Npjebj32.exe
2628	Ngdmod32.exe
4840	Njciko32.exe
1656	Nnneknob.exe
3548	Ndhmhh32.exe
1064	Nggjdc32.exe
2672	Njefqo32.exe
4000	Odkjng32.exe
3284	Ogifjcdp.exe
1116	Ojgbfocc.exe
2924	Olfobjbg.exe
4780	Ocpgod32.exe
5068	Ojjolnaq.exe
4052	Olhlhjpd.exe
4852	Odocigqg.exe
1972	Ognpebpj.exe
2448	Ojllan32.exe
1356	Olkhmi32.exe
2260	Ocdqjceo.exe
2248	Ofcmfodb.exe
3784	Olmeci32.exe
4092	Ogbipa32.exe
4080	Ofeilobp.exe
3360	Pnlaml32.exe
4820	Pcijeb32.exe
3464	Pnonbk32.exe
4564	Pdifoehl.exe
4492	Pfjcgn32.exe
3456	Pnakhkol.exe
3232	Pdkcde32.exe
3244	Pflplnlg.exe
2640	Pncgmkmj.exe
3596	Pqbdjfln.exe
684	Pcppfaka.exe
3736	Pjjhbl32.exe
3036	Pmidog32.exe
716	Pdpmpdbd.exe
4232	Pcbmka32.exe
768	Pfaigm32.exe
1224	Qmkadgpo.exe
4568	Qceiaa32.exe
3080	Qgqeappe.exe
3432	Qnjnnj32.exe
4856	Qgcbgo32.exe
3124	Anmjcieo.exe
2680	Ampkof32.exe
4244	Afhohlbj.exe
2308	Anogiicl.exe
116	Aqncedbp.exe
4440	Aclpap32.exe
2044	Afjlnk32.exe
3100	Amddjegd.exe
3756	Aqppkd32.exe
4192	Acnlgp32.exe
3580	Afmhck32.exe
1832	Andqdh32.exe
4072	Aabmqd32.exe
1408	Aglemn32.exe
4524	Ajkaii32.exe
3168	Aminee32.exe
1748	Aepefb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6028	5888	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	325432d603b087a54b1fe3e820337750N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	325432d603b087a54b1fe3e820337750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	325432d603b087a54b1fe3e820337750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2664	4956	325432d603b087a54b1fe3e820337750N.exe	83
PID 4956 wrote to memory of 2664	4956	325432d603b087a54b1fe3e820337750N.exe	83
PID 4956 wrote to memory of 2664	4956	325432d603b087a54b1fe3e820337750N.exe	83
PID 2664 wrote to memory of 1532	2664	Ncfdie32.exe	84
PID 2664 wrote to memory of 1532	2664	Ncfdie32.exe	84
PID 2664 wrote to memory of 1532	2664	Ncfdie32.exe	84
PID 1532 wrote to memory of 1756	1532	Njqmepik.exe	85
PID 1532 wrote to memory of 1756	1532	Njqmepik.exe	85
PID 1532 wrote to memory of 1756	1532	Njqmepik.exe	85
PID 1756 wrote to memory of 4752	1756	Nloiakho.exe	86
PID 1756 wrote to memory of 4752	1756	Nloiakho.exe	86
PID 1756 wrote to memory of 4752	1756	Nloiakho.exe	86
PID 4752 wrote to memory of 2628	4752	Npjebj32.exe	87
PID 4752 wrote to memory of 2628	4752	Npjebj32.exe	87
PID 4752 wrote to memory of 2628	4752	Npjebj32.exe	87
PID 2628 wrote to memory of 4840	2628	Ngdmod32.exe	88
PID 2628 wrote to memory of 4840	2628	Ngdmod32.exe	88
PID 2628 wrote to memory of 4840	2628	Ngdmod32.exe	88
PID 4840 wrote to memory of 1656	4840	Njciko32.exe	89
PID 4840 wrote to memory of 1656	4840	Njciko32.exe	89
PID 4840 wrote to memory of 1656	4840	Njciko32.exe	89
PID 1656 wrote to memory of 3548	1656	Nnneknob.exe	90
PID 1656 wrote to memory of 3548	1656	Nnneknob.exe	90
PID 1656 wrote to memory of 3548	1656	Nnneknob.exe	90
PID 3548 wrote to memory of 1064	3548	Ndhmhh32.exe	91
PID 3548 wrote to memory of 1064	3548	Ndhmhh32.exe	91
PID 3548 wrote to memory of 1064	3548	Ndhmhh32.exe	91
PID 1064 wrote to memory of 2672	1064	Nggjdc32.exe	92
PID 1064 wrote to memory of 2672	1064	Nggjdc32.exe	92
PID 1064 wrote to memory of 2672	1064	Nggjdc32.exe	92
PID 2672 wrote to memory of 4000	2672	Njefqo32.exe	93
PID 2672 wrote to memory of 4000	2672	Njefqo32.exe	93
PID 2672 wrote to memory of 4000	2672	Njefqo32.exe	93
PID 4000 wrote to memory of 3284	4000	Odkjng32.exe	94
PID 4000 wrote to memory of 3284	4000	Odkjng32.exe	94
PID 4000 wrote to memory of 3284	4000	Odkjng32.exe	94
PID 3284 wrote to memory of 1116	3284	Ogifjcdp.exe	95
PID 3284 wrote to memory of 1116	3284	Ogifjcdp.exe	95
PID 3284 wrote to memory of 1116	3284	Ogifjcdp.exe	95
PID 1116 wrote to memory of 2924	1116	Ojgbfocc.exe	96
PID 1116 wrote to memory of 2924	1116	Ojgbfocc.exe	96
PID 1116 wrote to memory of 2924	1116	Ojgbfocc.exe	96
PID 2924 wrote to memory of 4780	2924	Olfobjbg.exe	97
PID 2924 wrote to memory of 4780	2924	Olfobjbg.exe	97
PID 2924 wrote to memory of 4780	2924	Olfobjbg.exe	97
PID 4780 wrote to memory of 5068	4780	Ocpgod32.exe	98
PID 4780 wrote to memory of 5068	4780	Ocpgod32.exe	98
PID 4780 wrote to memory of 5068	4780	Ocpgod32.exe	98
PID 5068 wrote to memory of 4052	5068	Ojjolnaq.exe	100
PID 5068 wrote to memory of 4052	5068	Ojjolnaq.exe	100
PID 5068 wrote to memory of 4052	5068	Ojjolnaq.exe	100
PID 4052 wrote to memory of 4852	4052	Olhlhjpd.exe	101
PID 4052 wrote to memory of 4852	4052	Olhlhjpd.exe	101
PID 4052 wrote to memory of 4852	4052	Olhlhjpd.exe	101
PID 4852 wrote to memory of 1972	4852	Odocigqg.exe	102
PID 4852 wrote to memory of 1972	4852	Odocigqg.exe	102
PID 4852 wrote to memory of 1972	4852	Odocigqg.exe	102
PID 1972 wrote to memory of 2448	1972	Ognpebpj.exe	103
PID 1972 wrote to memory of 2448	1972	Ognpebpj.exe	103
PID 1972 wrote to memory of 2448	1972	Ognpebpj.exe	103
PID 2448 wrote to memory of 1356	2448	Ojllan32.exe	104
PID 2448 wrote to memory of 1356	2448	Ojllan32.exe	104
PID 2448 wrote to memory of 1356	2448	Ojllan32.exe	104
PID 1356 wrote to memory of 2260	1356	Olkhmi32.exe	105

C:\Users\Admin\AppData\Local\Temp\325432d603b087a54b1fe3e820337750N.exe
"C:\Users\Admin\AppData\Local\Temp\325432d603b087a54b1fe3e820337750N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\Ncfdie32.exe
  C:\Windows\system32\Ncfdie32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\Njqmepik.exe
    C:\Windows\system32\Njqmepik.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\Nloiakho.exe
      C:\Windows\system32\Nloiakho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        39⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        41⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        56⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        63⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        72⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        85⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        89⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        96⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        109⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 404
        115⤵
        Program crash
        
        PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5888 -ip 5888
1⤵
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
59KB

MD5
51ae9e9ae4682230c7acea2174aec6c9

SHA1
d4c629436975a96c08015f3d3736c977cc92f4b2

SHA256
7d2c7a86e2279413d9a9878e64009b1e4a9e932b07c7ad321464b2beeb9c7593

SHA512
694e418708d786488bbeda98ada137d03fc20977b8e85e066f0e644f78666d4340669e1591f04034efe804e9e541f36beed686e736567261ba655a60e36d0b53

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
59KB

MD5
f4a512f3cc13df8db05f2e225726ae2d

SHA1
042c42ba2424497a5525b7ee68e3f376f264a87b

SHA256
bf70647feb1b9c62cb907308a5cc6f3030c978c88b0e767a87f9363940f1984c

SHA512
3ba2310fcd1a8c42ca81ddda71c55be0593793d80e1a02a34fdb23bc7d29cce53b611eca83ced0c38ddf5d87165414261e657f49094573cab4c9577d182eb1a1

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
59KB

MD5
86eaced18f615191d87371aaafc5064d

SHA1
530eb9c5c5e1ac0c167d1c742151695818834ccc

SHA256
4d1a1e9bbc984a45c83be84e89dd59189539b770c56c3e513d68cbd0d53876b2

SHA512
30a5da9b584fe0c01376fcfdb6da8b749917b70be85c8e771a48ae8a11bea9d70a6d32b79ae50f4464cf242a82b64b5fa08656df1897269c6600189e50c5502c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
59KB

MD5
b060ffa4ccc4f239ea898652e1b9dd8c

SHA1
de43b1189ab97ae075fdb99caeafaa4b06fb65a4

SHA256
c01effc3aeb0960e0e8a132328e895bf5be9c1f2e3d034fca1585f4fd4b1b4fb

SHA512
9b7450ebf2858aef4aee9cee7818752604ffba4eda68df3de04e54354c5379c3ed61e70f28e1734e75af100ecd81f07739c10828a9d61d7928d5e633d32a9b49

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
59KB

MD5
369c3f37e320bb5f33a21fbe54aee1c4

SHA1
3ec14792cdf79af4d09b66f9c72853c61b503fa0

SHA256
0187b743b25a97503eeb3314423eb577a3ed4c810c6b29ef76648cbda5fd1dd4

SHA512
a85cfda4b2713de9c8c2ca9577ee69a2aaabde82527a7dccea6565c7bfe21d8d806d55cc3962182aa2a1751571558e766c9335261b90e6d134fb24dbdd5c3827

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
59KB

MD5
eb6fb2c8350a37a84f9a9f7a857a4c3b

SHA1
0278ec24b2d8e6f407999f71eba9debe1eddbcd7

SHA256
2e2b781608ba19a8e12b9031af14e36348112e7d49fc4678288f990d87209346

SHA512
13aa4347c247f7b686c573cceb4b4ac55111aee7ba6b36c56d5deedeee74c52df3209d9e04f3cd69a89b43e73333aa4460f49479ffdce2d540652a421c980ea4

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
59KB

MD5
0b496cbc1f4075c27477d19ef3ec15d2

SHA1
d14bb6febaead1d20cb54386a0f1e48729727aa9

SHA256
b8fb807e7e2f2806d0996ff4c60a25a633d3343cffcffcab425ed6e2e8f91df8

SHA512
44a19b634e437dee5fc51c5da5a0f15bf4bf6a6c5bc53984ad481c70e16e21e68da06315a184e5a46bde8061073641be92025a06a34a5e25c1273eed46b5ad86

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
59KB

MD5
093b521b33d8e2933540915ba339d3f4

SHA1
55072ff30ea22fe5051dc96a1fb2043927f04ae0

SHA256
9c79c8624e9bdbf8743cc18f94bab8e37040958dc94758d55077707205a30cd5

SHA512
d72ccdcdb39e575bdb3466bb4a962a2c8eb854243bd4b506dbf61a48b950deb0ad03e1c69779419961dfdf89104c203583877f6241829e55f53285e1878d989a

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
59KB

MD5
f64988c97d933c27cacaffe8c0eb59b3

SHA1
79acba6b13b06e36e1d05a03e294b6ae74eb7879

SHA256
3405bdc5ec5fb790805814646a2b0674a13d3937312aad0b54feca7451adb3d8

SHA512
f0f038a4812ef839cf203a024f6614378b90bfa6943ac40f847a2ee10e795f48b8469664f52884b11df8091ea140517ca21b23cb20a7f1aa4bfbc3c905ca3b6c

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
59KB

MD5
b72623d95eb6891ede24b978df1aa395

SHA1
8409bfe678dbdf10c8247c55b7b21a0aeb4e0b37

SHA256
68c9bee5ccff4fd8f2682259abd56827130ee55fec584c1fd4a254be248190f9

SHA512
c7f45f2c6123f6a21e4734ebeccfc449b928643a829397ce5dbe5ae3c4d5c3db34dccd59e87e942306b6672a4448c363934df5c09d92d4eb3b4519ed3b1c3172

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
59KB

MD5
db41c1e441e77d99b0a838a591f35503

SHA1
d7eb60e6b0e8cad882876dcfd2eb45bb14f85f03

SHA256
5ba34058bf7fe455fcf1db6b05234bdd2032c1d5d2353cea60a67a7537ad6fa0

SHA512
6a77c949ed6b4c8ea81959eac20f2893c5b508883dca2fe497eb9cbdcfbffa81a54b807e630c20752d67aef494e0bdadc8dae78cdc7108699ac0ac6b140c22c0

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
59KB

MD5
10c3e8fca6262e639443c7be4d60344d

SHA1
ebf4637abd10208770d707024c167d94613a086e

SHA256
c493e57192a1c80e94535188c10a92c5fb7a1c31974a7d5cffdb6ac1135575a2

SHA512
1d7841337aa5e0591ae4dc07d82199268658283ffbb51ebe9c9ec047e49108819eccf74b7ae0464727aa1a20fda63078a9cbcb8e906b3f76e0909f7d4d23e6a4

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
59KB

MD5
90045f2f3f73d108d4406b4e332bc858

SHA1
282d1270a213005668b6346f65bb5a08dc7b809f

SHA256
ce25293e48a9e5cd42a18853c251dda58dfb38cfb3ccf03f09459bb619bd2751

SHA512
44f2876197ffa30cfa49b8068ab1d3686f2ff2eb63b40b52ddc32cee8c8530776978105f1237d03a108ca7a1b6b6ba208e1a86da6a57449d9f285018691c6676

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
59KB

MD5
b2349c14a346abf39da6881a05a9ab4a

SHA1
e6f6806042a976ea59845ec1fe9f4b96444cb47e

SHA256
e81a5ea07598feb3d6044fe8bbfbfaec2bd47c56b2efc104cd80ad742e5e5f5e

SHA512
903aa6641f8413c1995978a9eb533d04301eb2b2249544762cf3c0077f6bf991d7595d6a21d18a73afaaf069dbbd6e4e4a8c0ef6954423f977070a92ca568227

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
59KB

MD5
3f898c0bc9657dc3b8f3072f550198b9

SHA1
b972109e97fc848f2eb85bcea563047037d76bcf

SHA256
8c6d63d67ee2c83f7f086227043920bbf2cade87fabeac5a95ac37752eb8d73e

SHA512
7db07b6e5a8bd8be1f7f073c4ab9169321f25e7e8039b65405cb93923ee35bb58826dfe3e4aa57febcb4434c6b1138d6475506da59fb7b09c90c4f8b75281a93

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
59KB

MD5
053aa27c153bb859d8e19444acaf6e06

SHA1
104e8ec492e242853a5eae3c4e07c93a67c3cfee

SHA256
717a68ca8e4413edec0dd8d49a86efce746483dad5180b463eb4ca7731eafe4a

SHA512
236276c39eb29ec83112c7ebfeecdc6bb965475d8942ec5cec472bd6fe673493005455b99cc9ebad571c4d9f31fa32424dc8ed1284151b81b4e175d76e944183

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
59KB

MD5
911c193b1f5a0fee9bdf15bb29120f86

SHA1
3fe5f82ba0302a952eb8cc9ed7906b97cd411ca6

SHA256
0ebc41289497c22c8ae893134f21b5c2a9cacc43daf76c579f561dd93d807115

SHA512
cffd7fa5c91e8e6ca3153a59f1a562d8647d30c2a43553fd5f4d829b546881e7f96a830fe0fb3b233496905a6a4e43d08ba30fd3e22cb7d9d809cb683526002d

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
59KB

MD5
38af92937d3aac4ef54a79483f86579c

SHA1
d63b4efa6266e516ae79ecad8787cd069c8cd224

SHA256
ce44ea78d598255ea4aae388be3b3b33fb0f2351c4917fbe57a62d0a464c3f45

SHA512
140ee66fdd15b7ff5706285c87ac60d13411f7a07ee8d82adfb2b8ba462b4f0b4c398098b3a888cb5c551bb0154ac621e42d7d97a99bdc7adc683765e38b832e

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
59KB

MD5
d1bb1e29ecfbb68da151c92579918557

SHA1
d16c687f0aaff6ce2e40073ede628953f151338a

SHA256
ad34f8a048bf7ca147d7c3ac3c2836059502ed469f68396ced3ad57f56febcd5

SHA512
ae0172dc006a707f4427969e0baf5532479b01bebe82c3ecd862ab814516a3303e857357000f0fd21d1da92fa958752e29cc5ed82454308a512dec61167bafef

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
59KB

MD5
d750c6424dea758ebc461c7a871473aa

SHA1
be7e93951b15a712f0cc64d320ffa1767b650120

SHA256
1c2cef4588e76489dfc20cc21db4b8a08d8a6ce9852d7a55708bf4b47f447010

SHA512
347dd397ecb648cc72d16148d1239b909c8e6e0a3108472a2c77ac077bcd3b875503caa850452faf853dc23d3714c48aa3d32a6c8ab13257f221bb1a5c0c7e3a

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
59KB

MD5
8667de382909efa7bf9efbd698cb0075

SHA1
c5cfc2abaebd887371f8521c0539b8b76162348a

SHA256
b3c5a6d5892358f39ba10a14954a6f736ddcd842087502d20a7527fe967a7243

SHA512
03ff336a6c4988602d5e131c9128e454007390bc85cc5cfeff7a64dfd98d39fa7d9f949627a06bf9da1fe7def8706f82d4ccb50d059efbb0c752732ebd6701b5

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
59KB

MD5
2ad5ece65234c11a8153b4d6574b71c1

SHA1
cb316f8556cb16fee2f8992f15ac301ed6ec86d3

SHA256
2cdad12751fc4266f597628a12987aa55d7a94d8affde3125fcfd93c113ed07a

SHA512
f090593fe8cc2f9cd1791592c86720edeb7cddd713de84337f6d31749f262f38d72f237ed700903d3f4b586e72bd0718dab101834f2bf445f843e7c61bc5686e

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
59KB

MD5
474a539b757a49ab5235a13b1fe16394

SHA1
3eef8f4d4ff57fc3aadf7bdfe3758e130506dbd3

SHA256
52514501249549de536998c4367ec4ff3e1167faad900e218ec2bd7d1038e16d

SHA512
ab012ee669958f36d307f154f1b314319a6a99e8144c3c560caaee09b7fba4d127152f860d333f425e6afe563d8449dc737e48c430e9f3bd395391ca32e41c7c

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
59KB

MD5
2c9e5a8ecd42097b1bf731c42e3bcab2

SHA1
af48b60e982f65a98baf46bd94fc2c5277630ce6

SHA256
5e1e1961bb42bba33a9feb9f7c39256a5a83059a9437c4c06dee94c23c7e417a

SHA512
2cf8d200fcf7fd456c785582978441180a5ce4c552d2b9ccc2a7c508764d1595b07d5e03dadb08e83921dcb4198372b22943c3a299808057bac567b69caebec6

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
59KB

MD5
2e8a829c56407882aeb02afeb4b9eb71

SHA1
eeed654f05525cdff72e0d887d0cb5fbd27daf2c

SHA256
216bbf7715c5ecdf4bfa19d94ca33e9427dc502d0e6e70d4e284b64fcb62d469

SHA512
47734512569c0f2799cc800cfb8bb554b92bc7d0c2df4e3fa297227bf95e77919bde0f3a4f4b4970af4c432ad2fb300992ab6360469cdd585c50851e6b8ac6f3

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
59KB

MD5
47adfc8f7a47d13fcd68ae05a87e0f4e

SHA1
da7830dac591f90b153ee7c90422128eabc46b36

SHA256
d947ffc1ecb0f00786f82ab751640099458cf3c0d66db9d0f17dae1f8eedc655

SHA512
3c55618214ad6e82d542900f1981a8eb55e409dd3794af22ff3769d051ee1b523e1494936de09827ad465120082744dd7591b6ad470bf11a5b2f264d13f9b293

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
59KB

MD5
d716d062d5d3cace2d9dc285adb397af

SHA1
7f37dcd7d54158760a37e1eab845188ad561f672

SHA256
3e45ba30fbdc0e0f4136db55ad70c19a2ec73111049027e9a37e1e5323b91476

SHA512
28b66d0590393c299ef56332438ff8bca97f424734413ad795a24c63faf8b992fc28ea216f8f076a977b35836d66432363942fe1bb450ec2d289173763f46f83

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
59KB

MD5
4b928870ed136c5ae76d0046b6222a96

SHA1
ce28e65b1dc089db335f162e34a9167bbe11b28e

SHA256
074f6eb14398c1b919ac52cb1c102ddf3c0fc34c8dd1e279c246ac7c40782ad3

SHA512
cc5f9f8d6d1f0d076f9d795b6c0418b7cfbeab5f0c28ba98e822b0898198a2fee959f931ee88d7aaca002a39e50540b7a2ce7d3bd0714e82051f918c2e2c047e

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
59KB

MD5
c5320cc1205e1a432b8b95073c2a0f33

SHA1
adad17950545f59548edfd7911d1524f647d8508

SHA256
9615a465e580349f9733794b7fcf8817c80fc98f3f7fe86b8e750cfd61bcce6f

SHA512
39bb9db20026ac307aa42692043f1589a80dd2a164371b527bc05c6b64bac8a7733f9b3408aec086779a5a4d737997a73573dd6ae582a08b56deb1ac93459afd

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
59KB

MD5
1d75e0583b3da36bcc190510a8081fe1

SHA1
c8f1854ffc146d20420919ba48e449085758cac0

SHA256
e153966e1f8e1bb0a163d4ff08791829b120960d59a5d04054cd98646007d1e4

SHA512
6a651f91a389de31e35f0f92668f16802bfbdf4fb21b027e15c08ac1c1a3a226471276627723292217b0338953f7e7923576d5df2ea9c3b8cf63ee68738da8cf

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
59KB

MD5
50905ed4c920a5a450065d57b3a75fb4

SHA1
29092e0d580b2887337e265e8ff947f7f7666fad

SHA256
cf3be5998b6735453dd12d9f2bbe45990b40e20c3bab93f8841179d4773d83ad

SHA512
86b2f3db3b8ce45e6cc2dd8a41d80fe985cf8b0082603a583f661f10d149f3072b68d3728a92eed0dd2137b2fb9ae61204b45d384b82c4f510c3703b33098a65

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
59KB

MD5
d90d4f27c55c92329c6c9c7de83128be

SHA1
fc5c5620d9eabf31283acae45d8201deb51d73ef

SHA256
b43e01b4f68ce9c82a22c5ba666e743e2a38fa74a567439a64d7b3f704c61f7f

SHA512
4dccd198918ff7be638d63873c9434881417c076b2989576095ed8811361ba8e0b34ebc18602f68e36a8962452b59a7b432aa8182643ef66e6b3e9eb5584c1dc

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
59KB

MD5
a16bf0fdf28eea7856a0aa7b9dfde11f

SHA1
83dff290f31c7d8e2660a665f8522c378da3444b

SHA256
e6c10ba7097842c8781eaf21e149fe7f4787c378e4ec26d62dd6b6981c692112

SHA512
9c313f52deb6344757b12a3e7e428a7131729018ee019efbb8eaeaa351da16492c6639e63afc8a41571e671a7a33106a9293a7bfaba84160129393e86aa3d64e

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
59KB

MD5
c3dbbeecc757867fd16dfb889aec6135

SHA1
9b1293070910ecd0f3c17e5fe24b6cfe41c45052

SHA256
b3de3ccfec7155cdabc9f6fec0ac2db05332d73e3b76ab857162fff84a68c649

SHA512
d7452a8a2fe132b8a6c1bf58416ab04c0b1596fe3095846566993ed5df6d9d74a73c0a74a0e59128f3ca4e6e50154172f80d9cd1c32706cb8a82eb83f6118212

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
59KB

MD5
239eb6a23f330911c00b2d690597fe99

SHA1
5b5cff308d4a2318dbbf12631e55063aa1717d19

SHA256
3c96ecd4e2fc9814090d2d00d00ff0825ce7eaa9fcfc74e980ac95af42dc73ee

SHA512
0522a860c708b446d787abdbabbcc9e57d1a9edbe98261f6c4c034be3407336ceb1f11897f8429b4f811bc52711bb7b9dc512acc0fd6768f138f19ead974e7e3

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
59KB

MD5
732e4de5c2f7f30bb18a858d99ad9c56

SHA1
24e99c358f43de7a410c646761daa099c3a032e5

SHA256
315b2c679cd5a1614d9b3de71b42b7b5b35981a48bf21d455e4a3377da1bea72

SHA512
cf5e7c0110f658c62acc9b1fa29bd3b4e4fb284d27de442d4ea35fcd7dc7564529ce91966b0c0a263a1863a3842a30c78c16ccb7b129c2ebbb3e6ad85890b49c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
59KB

MD5
575e4018bd53b298345e4ffb69d293fe

SHA1
22496447f0f9a1dbffa00754ba1db871a185777c

SHA256
41559557e1d28564068d17959e19e7a9e49555d58e6f7257e66affa6cd5472bb

SHA512
a4068a04110ade53ccf686203bad0be47e5f7e6441365840baf2364cd3de4fa82ef6085fabbd352f7ad8fe3776f888a3168236a235aff68d8e8da74e46638df4

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
59KB

MD5
019d0590f45daf9fc533d01ff9740ad0

SHA1
d974ade2149605a4105f38bc58722b682d9298fe

SHA256
01a01e1fc719185f80368f1efd7a7f2263ee728d5a3367d4d327ab8ed14514f6

SHA512
8c97add984a412b8103ac4ffb5f46f954a5a10d6c9961f18563637da83dac041407287f496b54cc2e12be73f8329e2d71ced1345d57dac032c0f7e3e72dadb31

Download Submit
memory/116-380-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/436-508-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/684-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/716-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/732-472-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/768-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/848-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1116-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1224-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1356-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1360-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1408-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1432-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1472-552-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1532-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1532-558-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-592-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1748-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-565-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1972-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2044-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2260-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2276-478-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2308-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-579-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2640-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-551-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-526-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-490-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2924-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3036-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3080-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3100-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3124-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3168-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3212-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3244-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3284-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3432-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3456-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-603-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3580-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3596-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-514-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3736-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3756-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3784-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4000-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4052-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4072-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4080-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4092-204-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4232-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4244-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4484-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4492-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4524-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4564-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4568-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-532-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4752-572-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4752-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4840-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4840-585-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4852-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4856-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4956-544-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4956-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-545-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5064-496-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5068-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5096-538-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5136-566-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5196-573-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5308-586-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5368-593-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads