40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe
Size

727KB
MD5

74b000c49d706a07681a7d81ab03292c
SHA1

8ec2f15a2abb9d35e9d756658365d64f856a06e6
SHA256

40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba
SHA512

10ff863ecaba1b098e44901a3324930aa7d8f29eb90868cb7339a95d1e9c39fca511371f706642fc5cc708ad07a940a56bb4bce24d036c3b757009041e03c2e1
SSDEEP

12288:+3s5t6NSN6G5tTPfM5t6NSN6G5tKr/Do5t6NSN6G5tTPfM5t6NSN6G5t:MDc6ufjc6r/7c6ufjc6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afeban32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkabind.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcnleb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcbeqaia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmagch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjompqc.exe

Executes dropped EXE 64 IoCs

pid	Process
4124	Lamlphoo.exe
1420	Lhgdmb32.exe
1040	Mccokj32.exe
3580	Mojopk32.exe
2588	Mahklf32.exe
1328	Mdghhb32.exe
2028	Nfiagd32.exe
1432	Nlcidopb.exe
3564	Nocbfjmc.exe
3320	Nfpghccm.exe
2288	Okolfj32.exe
3732	Ocfdgg32.exe
4392	Ofdqcc32.exe
788	Okailj32.exe
1588	Ochamg32.exe
600	Ofgmib32.exe
3660	Odjmdocp.exe
2884	Oheienli.exe
1492	Okceaikl.exe
3780	Oooaah32.exe
4324	Obnnnc32.exe
4944	Odljjo32.exe
924	Ohhfknjf.exe
4768	Omcbkl32.exe
1928	Okfbgiij.exe
636	Ocmjhfjl.exe
408	Oflfdbip.exe
4388	Pijcpmhc.exe
3552	Pmeoqlpl.exe
1992	Podkmgop.exe
2872	Pbbgicnd.exe
312	Pfncia32.exe
5116	Pilpfm32.exe
3280	Pkklbh32.exe
5052	Pcbdcf32.exe
3980	Pfppoa32.exe
2860	Pecpknke.exe
2980	Pmjhlklg.exe
4112	Poidhg32.exe
4796	Pbgqdb32.exe
1680	Peempn32.exe
4128	Pmmeak32.exe
3232	Pkoemhao.exe
5148	Pcfmneaa.exe
5196	Pfeijqqe.exe
5228	Piceflpi.exe
5268	Pkabbgol.exe
5308	Pomncfge.exe
5348	Pbljoafi.exe
5392	Qejfkmem.exe
5428	Qmanljfo.exe
5476	Qkdohg32.exe
5508	Qelcamcj.exe
5548	Qmckbjdl.exe
5588	Qpbgnecp.exe
5628	Qcncodki.exe
5668	Aflpkpjm.exe
5708	Aijlgkjq.exe
5748	Akihcfid.exe
5788	Acppddig.exe
5828	Afnlpohj.exe
5868	Aealll32.exe
5908	Alkeifga.exe
5948	Apgqie32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Ndfchkio.dll	Cbjogmlf.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Famnbgil.dll	Abgjkpll.exe
File created	C:\Windows\SysWOW64\Mkfbmfbn.dll	Cmbpjfij.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Cdpqko32.dll	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Oooaah32.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Cdebfago.exe	Cpifeb32.exe
File opened for modification	C:\Windows\SysWOW64\Piceflpi.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Aecialmb.exe	Abemep32.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Poidhg32.exe
File created	C:\Windows\SysWOW64\Nkebqokl.dll	Aidomjaf.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Amkabind.exe
File opened for modification	C:\Windows\SysWOW64\Albkieqj.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Chdjpphi.dll	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Dibdeegc.exe	Dgdgijhp.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Pijcpmhc.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Mjdmlonn.dll	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dibdeegc.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Dfiefp32.dll	Acgfec32.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Bflham32.exe	Bcnleb32.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Dbfoclai.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Alkeifga.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	Clbdpc32.exe
File created	C:\Windows\SysWOW64\Dpaohckm.dll	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Pfncia32.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Cboibm32.exe	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Fflnkhef.dll	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Okfbgiij.exe	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Dpllbp32.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Aflpkpjm.exe	Qcncodki.exe
File opened for modification	C:\Windows\SysWOW64\Amkabind.exe	Aecialmb.exe
File created	C:\Windows\SysWOW64\Cbjogmlf.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Cepadh32.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Nocbfjmc.exe	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Amkabind.exe	Aecialmb.exe
File created	C:\Windows\SysWOW64\Qpiidi32.dll	Bifkcioc.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Lhgdmb32.exe	Lamlphoo.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Ocmjhfjl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6832	6676	WerFault.exe	227

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikeni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abemep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamlphoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpifeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfoclai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkeifga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clgmkbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgnmlep.dll"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpiidi32.dll"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdmlonn.dll"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqkiecpd.dll"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpgjpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppbeie32.dll"	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiecbnd.dll"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bppcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqoppk32.dll"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefnemqj.dll"	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjellfo.dll"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckfmq32.dll"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfchkio.dll"	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlpkg32.dll"	Pcfmneaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4124	4848	40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe	90
PID 4848 wrote to memory of 4124	4848	40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe	90
PID 4848 wrote to memory of 4124	4848	40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe	90
PID 4124 wrote to memory of 1420	4124	Lamlphoo.exe	92
PID 4124 wrote to memory of 1420	4124	Lamlphoo.exe	92
PID 4124 wrote to memory of 1420	4124	Lamlphoo.exe	92
PID 1420 wrote to memory of 1040	1420	Lhgdmb32.exe	94
PID 1420 wrote to memory of 1040	1420	Lhgdmb32.exe	94
PID 1420 wrote to memory of 1040	1420	Lhgdmb32.exe	94
PID 1040 wrote to memory of 3580	1040	Mccokj32.exe	95
PID 1040 wrote to memory of 3580	1040	Mccokj32.exe	95
PID 1040 wrote to memory of 3580	1040	Mccokj32.exe	95
PID 3580 wrote to memory of 2588	3580	Mojopk32.exe	96
PID 3580 wrote to memory of 2588	3580	Mojopk32.exe	96
PID 3580 wrote to memory of 2588	3580	Mojopk32.exe	96
PID 2588 wrote to memory of 1328	2588	Mahklf32.exe	97
PID 2588 wrote to memory of 1328	2588	Mahklf32.exe	97
PID 2588 wrote to memory of 1328	2588	Mahklf32.exe	97
PID 1328 wrote to memory of 2028	1328	Mdghhb32.exe	99
PID 1328 wrote to memory of 2028	1328	Mdghhb32.exe	99
PID 1328 wrote to memory of 2028	1328	Mdghhb32.exe	99
PID 2028 wrote to memory of 1432	2028	Nfiagd32.exe	100
PID 2028 wrote to memory of 1432	2028	Nfiagd32.exe	100
PID 2028 wrote to memory of 1432	2028	Nfiagd32.exe	100
PID 1432 wrote to memory of 3564	1432	Nlcidopb.exe	101
PID 1432 wrote to memory of 3564	1432	Nlcidopb.exe	101
PID 1432 wrote to memory of 3564	1432	Nlcidopb.exe	101
PID 3564 wrote to memory of 3320	3564	Nocbfjmc.exe	102
PID 3564 wrote to memory of 3320	3564	Nocbfjmc.exe	102
PID 3564 wrote to memory of 3320	3564	Nocbfjmc.exe	102
PID 3320 wrote to memory of 2288	3320	Nfpghccm.exe	103
PID 3320 wrote to memory of 2288	3320	Nfpghccm.exe	103
PID 3320 wrote to memory of 2288	3320	Nfpghccm.exe	103
PID 2288 wrote to memory of 3732	2288	Okolfj32.exe	104
PID 2288 wrote to memory of 3732	2288	Okolfj32.exe	104
PID 2288 wrote to memory of 3732	2288	Okolfj32.exe	104
PID 3732 wrote to memory of 4392	3732	Ocfdgg32.exe	105
PID 3732 wrote to memory of 4392	3732	Ocfdgg32.exe	105
PID 3732 wrote to memory of 4392	3732	Ocfdgg32.exe	105
PID 4392 wrote to memory of 788	4392	Ofdqcc32.exe	106
PID 4392 wrote to memory of 788	4392	Ofdqcc32.exe	106
PID 4392 wrote to memory of 788	4392	Ofdqcc32.exe	106
PID 788 wrote to memory of 1588	788	Okailj32.exe	107
PID 788 wrote to memory of 1588	788	Okailj32.exe	107
PID 788 wrote to memory of 1588	788	Okailj32.exe	107
PID 1588 wrote to memory of 600	1588	Ochamg32.exe	108
PID 1588 wrote to memory of 600	1588	Ochamg32.exe	108
PID 1588 wrote to memory of 600	1588	Ochamg32.exe	108
PID 600 wrote to memory of 3660	600	Ofgmib32.exe	109
PID 600 wrote to memory of 3660	600	Ofgmib32.exe	109
PID 600 wrote to memory of 3660	600	Ofgmib32.exe	109
PID 3660 wrote to memory of 2884	3660	Odjmdocp.exe	110
PID 3660 wrote to memory of 2884	3660	Odjmdocp.exe	110
PID 3660 wrote to memory of 2884	3660	Odjmdocp.exe	110
PID 2884 wrote to memory of 1492	2884	Oheienli.exe	111
PID 2884 wrote to memory of 1492	2884	Oheienli.exe	111
PID 2884 wrote to memory of 1492	2884	Oheienli.exe	111
PID 1492 wrote to memory of 3780	1492	Okceaikl.exe	112
PID 1492 wrote to memory of 3780	1492	Okceaikl.exe	112
PID 1492 wrote to memory of 3780	1492	Okceaikl.exe	112
PID 3780 wrote to memory of 4324	3780	Oooaah32.exe	113
PID 3780 wrote to memory of 4324	3780	Oooaah32.exe	113
PID 3780 wrote to memory of 4324	3780	Oooaah32.exe	113
PID 4324 wrote to memory of 4944	4324	Obnnnc32.exe	114

C:\Users\Admin\AppData\Local\Temp\40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe
"C:\Users\Admin\AppData\Local\Temp\40dad87aa93ea073ef1ba816c9231d2f71f7f1539029126c2b6ad2c80aae71ba.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\Lamlphoo.exe
  C:\Windows\system32\Lamlphoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\Lhgdmb32.exe
    C:\Windows\system32\Lhgdmb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\Mccokj32.exe
      C:\Windows\system32\Mccokj32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        36⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5228
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5476
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        58⤵
        Executes dropped EXE
        
        PID:5668
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        60⤵
        Executes dropped EXE
        
        PID:5748
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        65⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        71⤵
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        78⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        85⤵
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        86⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        90⤵
        
        PID:784
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        91⤵
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        92⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        94⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        95⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6364
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        98⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        102⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        103⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7004
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        114⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        116⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:7164
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        125⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        129⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        132⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        136⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 408
        137⤵
        Program crash
        
        PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6676 -ip 6676
1⤵
PID:6760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
727KB

MD5
bed22f2a6d41ba0a80097d3ceb418647

SHA1
3e2de4b2fdea431f647404449a8077d8212a46f8

SHA256
df9773144e823d63fa531cbd5796f393f4b6994efa1ba09ef27e133639fa39c1

SHA512
1bfc0d68efa90d38f806527c0272c7293d6d1da603d08d8b70481b4f079837ea0f37f201342813233a5cbfa905dd52099bb8bf8895dff0bd35a70e912c2c7da3

Download Submit
C:\Windows\SysWOW64\Lhgdmb32.exe

Filesize
727KB

MD5
358a308eb3bb6f2b41d3a38ff0ac654d

SHA1
ec83fa0b0d8af6e6860abc1f9deb3f1f1c07a9de

SHA256
f2a70a71d7b2a13470c4f3f7f402bff3cfb761f1befb37503de6472d593ff353

SHA512
a4891604eaf4134325ed9380cfe1602114dcaf9ad9c7465edab5538c0cbabf696097ea77df7d6d2c0045b626f3b93d0af415e170c4527b1c6c1753acc3394cba

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
727KB

MD5
8b1c20000d5ef6b439e9c340c6212ad0

SHA1
6bfd25f36f947bf7be8a5eecbc28f768fa59f9a6

SHA256
c26e70ff2db8c36698ac9366b1b0911078b85090cdbc6eb04a6657637af0051a

SHA512
b95205fe2f9956aca9a80334f7804acff9c073a1561ff12345d2e9b5db8a4766c17ebea2c358b0d59c91a9db336967231122acb02366808e8c31b914232b54c6

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
727KB

MD5
948f8ff55dcdaf08b4e00d20770d9f40

SHA1
b6fb57b9898bb92a6480d0dbd8da37296ebf28ce

SHA256
ae5ccbf6efc6007bcf116541ecf1e680174b7b9a270d4edf94287ab67cd9851e

SHA512
af8cf73f11d24fbb8a7f7f4a742b217b6314c88169160a988db78c55638475b0a954c2c4601bc30949a10030715e891ae8d89ecba865d9573a8a69ccf8fd66eb

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
727KB

MD5
8fe6a68495c5c8bd8c9ac782e8d30a2a

SHA1
d48c661f2e16ea2408c53b0220f2df4f175234fa

SHA256
bb0ecc1102e22dd75cdeb60806ecd975390c3b292d57275262662e03c099c81c

SHA512
6a0375b47f569e61d330aaa0b4ca09b8b0001bf987e848c3838763676780ca56b26be09f966113e8fa7d7553784ea8202a4353643bb09dce0e1447b8e13c256e

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
727KB

MD5
bc86af8e1078e37972a9283c8bb86e3f

SHA1
522bb819e9bc76e5540f649689c70c68033736aa

SHA256
a8e570674ab1a8008c4d310113a5f514926123e0c30ed6471810840b9e416c0e

SHA512
8d3c907b984caa604b330cda44ba27a416496ebd732493c49d7fbf66ff2c8891b985fb64fcdb98134fd24fd34ab443a80cc05d3abfee5ff72cb3589af625d732

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
727KB

MD5
4eabde087ca577ae1f7b69c784b97897

SHA1
35406dbb287484bd3ff630bc52a93ea111277396

SHA256
c0ffd37ad2be0718c72677e8f57a34a07e0fd3348184a73bab814fde542b998a

SHA512
4f39ec843a39258643a3309ac867084864891471f71042ad7927b62fceff3a07e78780cd8ecb687fd9916edc870f52ec2893be48698ad33409d7c9b08b9ec81f

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
727KB

MD5
2f8af2a6e75fbcda35df9a4fa67dc8e6

SHA1
937b861d7b66f9f371acb499cb4282a2e520750c

SHA256
7d86da4cfeccebb99467069fb0a5a33235f54c16a5c4fa48178bfb91637cf6f8

SHA512
61d3f18ff9e6ad094216f9517841f93575d879bdf9c0e8e5205845a46f743b40108ca1114f594445a8ca88403e27aece07c6f45ff4517d08dc79e94d4818288a

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
727KB

MD5
6215fa77f8d5dbbbcccd3ae8fa125be4

SHA1
d2a0285a0fc2e648769657fb0e86b15f85279941

SHA256
66cd699b1ec5c3bb004b356772dd4c379cb2439fb6b23e53016cdd59dbcf3ce6

SHA512
d585317ff9182e3dcf9cd08862957168c890af8addd2769959c345fdc6425ab0020e2bd52d199ffa621d1977a894f5e7d6b055c678d8aad394bc54fca654b71e

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
727KB

MD5
b2cbdc302e2e4a9254fa35aa2835f315

SHA1
1b3e8e593a439fa6d2b1df1f0c371e4c51a2ce7e

SHA256
fe5e369b8a36a8cac48c09b37ac568d1b99fcc402978d889713dc330d0fe3458

SHA512
6b74b3f52bb81218e5474813b8f3c57513fa8332e8d78b800ea89eb2799a2dc091b9bd162ecd24724f224ec1fce77e353a40ff9fbb29716efcaab92e85e339a5

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
727KB

MD5
70086e00573a658374bf641763bac6a4

SHA1
5cb0ca0daa453217ae17360f499c64b1b3c2d510

SHA256
bb02e75b95505b6bfc682fbefb57b83f4d9155743ffd55f8e0584c56470e80f9

SHA512
e41b8b93f881cb798d62fc5c514d0042d67072b509ac2596ce9d2d864fa881efae2d08e810b9a312195951a567f1f7b6895778c50287fc4f7c5f8409e0e39a46

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
727KB

MD5
424a4e3c15d3a6a59a8d94e783bdd6d3

SHA1
f76efa15e7039b921c2eeaec5118f1cbe3e604ed

SHA256
592bd182a4f77391a01e1e2a42ed3af8bcefa3aea5d58016dd70734a184e8edf

SHA512
0c789c857e02ffd1337412be37d95fe94130bde8f0216deb8579722cbdc688b8759e92edf588741dbc9166c858dd5e572e8419aeb9f1157deba2c65107e8eb3a

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
727KB

MD5
38fe460df290ce0aac4ddd9c08abc4fc

SHA1
3bb8c862dccf6da5caecc740f098e30cccfa827f

SHA256
1e7932d36b0429e6f1cb6599e24b73473aae3ad53f3bb4fbfddd933caf39429e

SHA512
ca86dd3c3cd41c7c9fa1ec32e41080f87988a80cd954972625bf89b6ff8f6664098ededeea515668512fb520985f5cc9f86e71607cb0b6925660df58d96ff8bc

Download Submit
C:\Windows\SysWOW64\Ocmjhfjl.exe

Filesize
727KB

MD5
f0acb381bd8bbe5dcb819ff1b5b8aff9

SHA1
e24cf7d599ca2c87a89822ce440c2b57e920882c

SHA256
3e9eae4ce39e395b2d15373c6f788b665760629ba0e83f929fa08f9b1d2a24e0

SHA512
6a453997aa297e0849e8ded49c7a043ddc3ac6b284fbcdcead7decd38f5aa7caeae41ec8d76b89f561dd344e40cdcc51fa59f62c653f7c47089d50e72c5c9e39

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
727KB

MD5
fdffbd6b123405c6ce3a97d6af94a3b5

SHA1
f3af6b65b9b4054be7ec58177b8abba282935e82

SHA256
c8bd8f2594bb1ed23c1b3153027835b309ba4373f9cd0fd2e9d7e7f9891ed6a5

SHA512
0c46cb25356e028632d8f302a9036c3e51bd77b652df51cbbe9b67da456088ba6d8bd4e6817fc34dbfb60ac61f8c7ebf123ace6bff900e94c039cf0119f554ac

Download Submit
C:\Windows\SysWOW64\Odljjo32.exe

Filesize
727KB

MD5
06408aee83e6b3213d5c78c5f851dd0f

SHA1
f05cc0d200a9737fb0c7ab89827326aa81fd3d4b

SHA256
dedeb552064bdc0e8275d0fa239219ebb582b4b81525699ffee0ac4165d60bc9

SHA512
c47be3bbeddcb346a47e2bed29f0ae3fc70907f57e8ad353f954f10aceae58ded3e9e8a994b4a65434167d7f428fe33206b3085524231499c265e32c706da560

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
727KB

MD5
84d791082cde2bc836543394b24ba39d

SHA1
778d9e8e4d541a090c0e509dd861d24ead006f87

SHA256
a8c1a0ea7459958335526e696972ff53af87622207707e41c3b0323f1b4356e7

SHA512
fb274ff406dcb257aa241d897f7f5d07ef475a2b07febed2aeb9e4bab501b76a6824e3e23d713a56a055b7df7d1b4347437d27a8adf6ac05c259058b5987737c

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
727KB

MD5
465b700a59172f34e6ff8bd91603fd87

SHA1
a2eafe10ad49781e9254af52304b5e7dc7cf7135

SHA256
022b05d480ab05cf75933ef67571a77dc0e56834496073af3d3dcc96b0a8f902

SHA512
23e4184bc141909eb93428c8e89caa8907a06b088fb84c6563803d1877d4b61b43ac91101c66c4a1a2ba1ffd8c53ca42b44a7a66a6d5b07cc90c0dc83771da7d

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
727KB

MD5
14aabe98fa88f43b9bcd182131019f55

SHA1
90d7b94bcdb67a0387a354367ca8914e99f162d2

SHA256
d09d413c07be19664159617f7f2b89650ffaf065dd1cf24cc4d24a2de40e9e2c

SHA512
39c749bc1a5e9d35db3cba9038d0f0b786e2e52049e4157edf6a9ca63d9f457f5f1e199e8ab85d4aa09ac3226c642fcb7798cf197d547fe1027277b0cd648782

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
727KB

MD5
d0d43dcdcabc6b688e27c28b21798634

SHA1
0b4497a7930bd948916eddc46970439eef20cc23

SHA256
fc7a9ef481fdf7648405a91210d6121259376b80bf7cb732f176513ecc6edbe3

SHA512
920760944bff3e0af33ef5605dc7f99abbc4c4830d72495f041aa3f06eafcab30f43ab22ab0687c0a550b18f0bfd1c525519f8613d99beb34635802b3419102a

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
727KB

MD5
6676752caad223df57291eb54cb39a54

SHA1
29ef2a068cbf32348818f30e08f1799c64ada553

SHA256
55d7fa7e475ddff6efd35b149b26ac46fb2dddc7ae21353f747ab67d51c05606

SHA512
2e2cebf72ed2e3be535abe30cbf9962d0d4246550d73ae117aa6b65d7683296d35001d0792fd89113a93125651e7d5f9a1c61d9d923c1831a17108c0883805a9

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
727KB

MD5
04c649ae5054be12edc344caf6406178

SHA1
e8f2ded0c878cb07c350727a7f253b821904f6fe

SHA256
5316fad160f869adeeddb20dcf01e1d98f762a55dabf1559d562d2d0c8fbd421

SHA512
32ce1f6ed170e4baaf06fc796398bab4818c8e9bb91d3c8d39b1cd3371922c93cd00a3b3772144bee43168d5eaca268347dbfa1800ba9e551dd5097513aab5ac

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
727KB

MD5
adcb2343b4f352d51e10f32c6ca1332f

SHA1
69566cef483b97aa389d96b19344b7408665e2ab

SHA256
2cec7a4796bd24558c34fa38b17c224f39eb976bb7e6354522d5a012fc90d246

SHA512
5b5c7bfbc0f711a6567797598f7ebf23b1d5a35e3d87e91bc4de1244ed9d96ef922bae259c5b2252eefc7d118a85bb68c05a82e59e1d225f1f8927c1ec67c425

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
727KB

MD5
3466daf36738518af5554680df96d1f4

SHA1
d130b56629a48f7be6c6e59cfdaf396f81ae8794

SHA256
bde2b77a4b6fd8a7aea40f33b6a87077172170322533dc7872d4e5f912ae9abb

SHA512
bd1915ebe08347f9174fcce07d8ec5481a42473d043b1c127a7400677ffb546a06b6b6524c314351b4ea5d0a30468cca6d30213ee709b1e0f915d1fe2d2656a7

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
727KB

MD5
637caa239094230115006d5ace5a3d1e

SHA1
9d5bfc44561a7c449083825f7590307caa096c7a

SHA256
175707f8674f80c79ba6fe9a00d7be6789b23d2c0ad1151eeb1c472e25196876

SHA512
a3d240a6d660a8e41debef74ec77ac64f165d1c1827fe6a605ba40049747f2f056f40fd53d294e093272f84a10dfb67d042042c14fbdcd4f236929a37508d2eb

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
727KB

MD5
d9438c0899d8ca96e877538b5cd97c82

SHA1
e49088e13a3d6fd22b65106e517cf0ebcd901a4e

SHA256
f9dedc3d59f7ba422912d6149ab2b0d95ae963391a051f2d8b80968be8020f77

SHA512
5103ab45eaa972599a3020db476976d3e7b2185d01195b185ee1536aed52bf35851370542dbf7ed3af16d5e479c1266ce76c85e368f2db1a3a519ce3ef221ba4

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
727KB

MD5
45fb8528d762cd26bc891193d919c878

SHA1
6fdd19b546307d32445de87d9562d5e9999d9a47

SHA256
e6761f6923801c13336dd07f69780db887405cc0f3abe436c5ea3f71f593748d

SHA512
63ddaddf3c0863fcbaed96096e3dd45f14c066719408edc3a43582cb0d8045e0c2ee1a66bd8a728e71629bf434ea78face8ed1b86631b57be68958174487ad9d

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
727KB

MD5
abae4baa984c703e2cc8243a3ad4d41b

SHA1
1d16234346d1f68d14fd4297255c32c1bb79a123

SHA256
8889516817aeaf90605546d3772b5150196f813740581f171b2ef3525a385fe2

SHA512
845d8b451d9b2fc0e67a4422448d5fe2981c039382a563013eab1125d5dec411397b58a4041a9ad52c5b43c6409afd7a615c954b5cb799337d5e231c0cacde07

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
727KB

MD5
ef6dc94b625ba883862717d7f21bff24

SHA1
b855badd960a252b9476b56e1ae982fba5248d83

SHA256
eccb58e0e469dbb9a9096be2bbe38794a19abbb03b5f9a9a26e2a24965e714fc

SHA512
2837a0a1148f5cdc3c9f1cbc6d93ea85582381f6594e01abfb5bb2a03822b6a0e051b41fbcc9422f7577427969c877b578ee75ed85007d20ae38c3de9be95d9b

Download Submit
C:\Windows\SysWOW64\Pijcpmhc.exe

Filesize
727KB

MD5
daa574918f31a0d112c20ed95fc2b8d2

SHA1
d3cc0e0661a126644ba7af1b8f38e6030d5ecff6

SHA256
38ed16ad820d23f2727ba87b96e1f282ed32bcd507766935b5e5c6e505e40f09

SHA512
51e3c1394592eddb5b86a3405a759489c86010785654d04ef32b0428a21c380ca19575dcbded1d9ed18fe48b8f5a95c8c5b30eb4770b63fe9d0eecf7774394ed

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
727KB

MD5
3b0844944fbacb169e164121a08072de

SHA1
f17776970fe421bf106c386d5b9dafcd0761b594

SHA256
6c0bde4c92123bceba7f07ab2fd05b79ef7ea5a081112793855b945517618bd3

SHA512
957aa4bdda51ed17832c0b16208bb1cb4c822e82c366bee2d5f2fdd1ddcc69d8c996e1f3d0c3dc839b280232d3da8bd8bdbea211427b0c9d999acd562b7e56bf

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
727KB

MD5
55e6364dee65080291cbdcfdb287338b

SHA1
2c7ba41021cfcb69b99d1a2d1e66cdde99c32421

SHA256
f9a67fb267aaa3216cb715a26ee7ea2c49713119f020cdeb73783ecc80e87d4d

SHA512
6a50bbb3e30479656fba962190bb521f82997edfa6f000770176e410ee62b36ee662c17994ef98e3ca91003610c3bb080810802ba773048e023e6b0e3a113b6d

Download Submit
memory/312-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/600-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/788-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3564-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-576-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3780-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5144-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5148-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5220-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5228-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5268-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5292-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5308-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5344-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5348-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5392-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5420-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5428-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5476-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5496-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5508-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5548-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5572-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5588-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5628-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5652-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5668-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5708-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5732-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5748-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5788-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5804-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5828-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5868-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5908-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5940-583-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5948-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5988-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6020-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6036-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6068-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6096-596-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6116-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads