76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Size

395KB
MD5

be67a7267fe8015fe6ee046b77d3a4f0
SHA1

4d64fd4d54bc6ef9498495a433bf00f21b7358ea
SHA256

76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6
SHA512

25e073adb7a3b73e0d3377f9f7fe761d6bb09d6a6a1f0fcd08999b1c3aaed58847bbfbf83d2ef35852d458768b3e8ef47c56f91874957ae2055490f6d21d3c38
SSDEEP

6144:ZdxsQDvs4y70u4HXs4yr0u490u4Ds4yvW8lM:y94O0dHc4i0d90dA4X

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe

Executes dropped EXE 64 IoCs

pid	Process
3280	Ngmgne32.exe
1160	Ndaggimg.exe
5004	Nebdoa32.exe
4144	Ncfdie32.exe
880	Ndfqbhia.exe
3184	Ncianepl.exe
3988	Nfgmjqop.exe
1740	Nnneknob.exe
2716	Nlaegk32.exe
3768	Ndhmhh32.exe
544	Nggjdc32.exe
4400	Nfjjppmm.exe
3796	Nnqbanmo.exe
1728	Olcbmj32.exe
3956	Oponmilc.exe
2616	Odkjng32.exe
4520	Ocnjidkf.exe
3996	Oflgep32.exe
3968	Ojgbfocc.exe
2844	Oncofm32.exe
3596	Opakbi32.exe
1788	Odmgcgbi.exe
3076	Ocpgod32.exe
3636	Ogkcpbam.exe
2468	Ofnckp32.exe
1552	Ojjolnaq.exe
1484	Oneklm32.exe
2860	Olhlhjpd.exe
2888	Opdghh32.exe
4504	Odocigqg.exe
3436	Ognpebpj.exe
4624	Ofqpqo32.exe
3244	Ojllan32.exe
3236	Onhhamgg.exe
4040	Olkhmi32.exe
3876	Oqfdnhfk.exe
2408	Ocdqjceo.exe
1896	Ogpmjb32.exe
4280	Ofcmfodb.exe
1660	Olmeci32.exe
4012	Oqhacgdh.exe
1256	Oddmdf32.exe
4024	Ogbipa32.exe
4556	Ojaelm32.exe
1636	Pnlaml32.exe
512	Pmoahijl.exe
2016	Pdfjifjo.exe
2336	Pcijeb32.exe
2036	Pgefeajb.exe
4152	Pfhfan32.exe
3680	Pnonbk32.exe
4580	Pmannhhj.exe
1356	Pqmjog32.exe
3352	Pclgkb32.exe
3568	Pggbkagp.exe
5064	Pfjcgn32.exe
3868	Pjeoglgc.exe
3904	Pnakhkol.exe
4108	Pmdkch32.exe
4484	Pdkcde32.exe
4008	Pcncpbmd.exe
3736	Pgioqq32.exe
3092	Pjhlml32.exe
1456	Pncgmkmj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4940	1200	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3280	1140	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe	82
PID 1140 wrote to memory of 3280	1140	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe	82
PID 1140 wrote to memory of 3280	1140	76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe	82
PID 3280 wrote to memory of 1160	3280	Ngmgne32.exe	83
PID 3280 wrote to memory of 1160	3280	Ngmgne32.exe	83
PID 3280 wrote to memory of 1160	3280	Ngmgne32.exe	83
PID 1160 wrote to memory of 5004	1160	Ndaggimg.exe	84
PID 1160 wrote to memory of 5004	1160	Ndaggimg.exe	84
PID 1160 wrote to memory of 5004	1160	Ndaggimg.exe	84
PID 5004 wrote to memory of 4144	5004	Nebdoa32.exe	85
PID 5004 wrote to memory of 4144	5004	Nebdoa32.exe	85
PID 5004 wrote to memory of 4144	5004	Nebdoa32.exe	85
PID 4144 wrote to memory of 880	4144	Ncfdie32.exe	86
PID 4144 wrote to memory of 880	4144	Ncfdie32.exe	86
PID 4144 wrote to memory of 880	4144	Ncfdie32.exe	86
PID 880 wrote to memory of 3184	880	Ndfqbhia.exe	87
PID 880 wrote to memory of 3184	880	Ndfqbhia.exe	87
PID 880 wrote to memory of 3184	880	Ndfqbhia.exe	87
PID 3184 wrote to memory of 3988	3184	Ncianepl.exe	88
PID 3184 wrote to memory of 3988	3184	Ncianepl.exe	88
PID 3184 wrote to memory of 3988	3184	Ncianepl.exe	88
PID 3988 wrote to memory of 1740	3988	Nfgmjqop.exe	89
PID 3988 wrote to memory of 1740	3988	Nfgmjqop.exe	89
PID 3988 wrote to memory of 1740	3988	Nfgmjqop.exe	89
PID 1740 wrote to memory of 2716	1740	Nnneknob.exe	90
PID 1740 wrote to memory of 2716	1740	Nnneknob.exe	90
PID 1740 wrote to memory of 2716	1740	Nnneknob.exe	90
PID 2716 wrote to memory of 3768	2716	Nlaegk32.exe	91
PID 2716 wrote to memory of 3768	2716	Nlaegk32.exe	91
PID 2716 wrote to memory of 3768	2716	Nlaegk32.exe	91
PID 3768 wrote to memory of 544	3768	Ndhmhh32.exe	92
PID 3768 wrote to memory of 544	3768	Ndhmhh32.exe	92
PID 3768 wrote to memory of 544	3768	Ndhmhh32.exe	92
PID 544 wrote to memory of 4400	544	Nggjdc32.exe	93
PID 544 wrote to memory of 4400	544	Nggjdc32.exe	93
PID 544 wrote to memory of 4400	544	Nggjdc32.exe	93
PID 4400 wrote to memory of 3796	4400	Nfjjppmm.exe	94
PID 4400 wrote to memory of 3796	4400	Nfjjppmm.exe	94
PID 4400 wrote to memory of 3796	4400	Nfjjppmm.exe	94
PID 3796 wrote to memory of 1728	3796	Nnqbanmo.exe	95
PID 3796 wrote to memory of 1728	3796	Nnqbanmo.exe	95
PID 3796 wrote to memory of 1728	3796	Nnqbanmo.exe	95
PID 1728 wrote to memory of 3956	1728	Olcbmj32.exe	96
PID 1728 wrote to memory of 3956	1728	Olcbmj32.exe	96
PID 1728 wrote to memory of 3956	1728	Olcbmj32.exe	96
PID 3956 wrote to memory of 2616	3956	Oponmilc.exe	97
PID 3956 wrote to memory of 2616	3956	Oponmilc.exe	97
PID 3956 wrote to memory of 2616	3956	Oponmilc.exe	97
PID 2616 wrote to memory of 4520	2616	Odkjng32.exe	98
PID 2616 wrote to memory of 4520	2616	Odkjng32.exe	98
PID 2616 wrote to memory of 4520	2616	Odkjng32.exe	98
PID 4520 wrote to memory of 3996	4520	Ocnjidkf.exe	99
PID 4520 wrote to memory of 3996	4520	Ocnjidkf.exe	99
PID 4520 wrote to memory of 3996	4520	Ocnjidkf.exe	99
PID 3996 wrote to memory of 3968	3996	Oflgep32.exe	100
PID 3996 wrote to memory of 3968	3996	Oflgep32.exe	100
PID 3996 wrote to memory of 3968	3996	Oflgep32.exe	100
PID 3968 wrote to memory of 2844	3968	Ojgbfocc.exe	101
PID 3968 wrote to memory of 2844	3968	Ojgbfocc.exe	101
PID 3968 wrote to memory of 2844	3968	Ojgbfocc.exe	101
PID 2844 wrote to memory of 3596	2844	Oncofm32.exe	102
PID 2844 wrote to memory of 3596	2844	Oncofm32.exe	102
PID 2844 wrote to memory of 3596	2844	Oncofm32.exe	102
PID 3596 wrote to memory of 1788	3596	Opakbi32.exe	103

C:\Users\Admin\AppData\Local\Temp\76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
"C:\Users\Admin\AppData\Local\Temp\76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\Ngmgne32.exe
  C:\Windows\system32\Ngmgne32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\Ndaggimg.exe
    C:\Windows\system32\Ndaggimg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\Nebdoa32.exe
      C:\Windows\system32\Nebdoa32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        67⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        74⤵
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3456
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        96⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 396
        103⤵
        Program crash
        
        PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1200 -ip 1200
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
395KB

MD5
157a29dc9e27b98fa8277a4edcf67153

SHA1
ebdc9534d4bc64935767e589ed7f82578932e5cb

SHA256
c0faa26915461882e6583946377313499a1fa5c68a4f65166fe22a4a035efc9a

SHA512
46f51ecaa22cdbec957d6ee9dd1e907ce400280cf9b19aabe6a783c0f27dc477673715755bb837e0ed86d5d9e89d23bf3355afab495dcacb921884f1227395c4

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
395KB

MD5
c0649cc63f631a9c0f12609241a61b8b

SHA1
a7e95abf841b9ff048c0233afd80ee41fdc82a9d

SHA256
d844b19d9c72bb0b153d157a428588c88b2957a10a5755707b9f941aa34a9b65

SHA512
8555700e157102cc6f55752b5a3ebe4c15cf347cfb4990fbe061169ea22c715de37a24e6d78677da1d047f58ca84ebe8ccf5f25cb1b75ff7895df83f3c32efd2

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
395KB

MD5
4f6e4d379ed89c02c40ee9dde1e93ed7

SHA1
a4a692e8d7f7a4cd26741205e9be7ec48afd4082

SHA256
90e8687694776ce5d1a16ec5101fc9c9f29f832d3aa366e4bc144f9a1f52446f

SHA512
f8a2fd0a2a3b4af6d0e0993747db752f408c6c26d50c00f4ed6632caea2cc18b13b5a9702672c24ef762c7418d91120a92a9a95994749b8962defddc978a483b

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
395KB

MD5
707a9eff46b85a76fe12cd04f4be9dd9

SHA1
f8e0f65d47343b40245fd8633e2d77ff28a871e2

SHA256
e5da5dfd73a886f5f495bf3d19044f57c7d5e882f5ad58a4e613715178b8ce12

SHA512
22e0356728cf4a7aa5994bae9644f1a646a324dfb4e244236ff96732aa8955252f5d9ce8410fc3b974df8d0314419947026b2d16db6be873bf283aa60de2fab4

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
395KB

MD5
8c7d98f5fc88c54e91fafa7eb31634f4

SHA1
26f3122c0ae6a41410233124658c02845f8ad1a4

SHA256
0c9a92adaa02f3251a71a6b486ae115d472205b430c8deafb261135f14421f30

SHA512
523b481051a389755ed1738f67733a4a72aad80b2ed08e5f39438161cf07948a3b2f121c203da485e83b7d1afddc9da4eb52b52809d52bc77b8dc3abb1285cb8

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
395KB

MD5
aa840e4a5074c352b368f8c76dcc08eb

SHA1
5de91b6121146b38c33481a2231ab9a51a9a0060

SHA256
63e24fae82812b25dcedbec48d51016016ebd8c74367fd33554c9ad2588cbe88

SHA512
cb13a0defb9ac4ae266e75f6cde59fecabefedf22244977638c1d871ccaa73356b5f2c351da2d6b4e045c2508bb4758c31e2f1a88c40e20edb22f36a9dc1ede5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
395KB

MD5
6acb690f61e6e1c35c338088125c5bfc

SHA1
2b1c0d73b117ffd2a7f7cadb9d03e0e500f2ac19

SHA256
a2a5f198cbdeb5f381b5ae31ef38a0b450b216f7e1c8a8a63c41e292727baa7f

SHA512
be7efe40704e27e9d0275638cfa5fa139a97517b2dc5863b37d1e994b84f3f6ff67b06ed84a3a04ea0f2a080ed45551d75a471fe5772aadd2c3e4b28259621c7

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
395KB

MD5
e69fab92334ea630f76d10d4c491e8b2

SHA1
509327f9713fa0f022ef84e1f09aab225a181927

SHA256
88613fefbf249aed0da06fa955b9c362d63c78865c0b5ea64fd0694d37213c5a

SHA512
a5789b1d6a975b281b8a75ae5fa7575329f8cadd38d20708dd76564a3c4c01b2b5088ef478295808fa5302a1ad3cb72d7bc74e58a4b4ed91abdb6f2ff5a7c481

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
395KB

MD5
fd2017b453ef026c8c2559dd2337e02a

SHA1
8e6fab8090de11b0e2441541a342c60f491bb5ac

SHA256
1d0d3f27fc01311209e19dc5e5cd6946b2b5ee7cc2826259a92bda451d8eccd2

SHA512
ed3bf654730795aa6e879bd535e9e5dd1faf5a12a88382874ce22730019692947df18fe891c0d299bb78a78e15fd8c18ed088df30fcf56d150d7526bbd63175d

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
395KB

MD5
e2408e88ebd32c73d50d35f49218751c

SHA1
b59ebc4a2fec6d12dbbe4379b79780f04930f2cb

SHA256
86df26c946c02f39014933bd922f78cea6e63e6d53a698f6e93ae2fba1acdcd8

SHA512
f595126274e27ca62cb0faa3f9c2abf3cfe5da9b72ed3d7d1a3b3c45e38c738a6666cee288f4a1bf8807487b1eedfc01d57ce04bd9089c568465b18b32964827

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
395KB

MD5
0f579b1beede67d42bae7a87267285a0

SHA1
ac16a2e203f4edb605f9f082b912d0d83a84e38f

SHA256
75fcaf80885c88bb2f32eb9fb181f48b9dd2b253a5395abab9fffe9ab5f26b63

SHA512
f0ad117161853317080e627bf82b61b5b43827d5da0baecb5da61ba18466ffe02b09ddc4ff57755fa6dd3717652133f61a1edded1ae93224040462c2e08fe236

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
395KB

MD5
072f5885d00e81283d1ce1366fd0ec16

SHA1
89af794389e1ea491b9c9434d0b70d68d768a51b

SHA256
67c10e9f718487b745145926bfd0e71862d414cfa40e18025cb1fa02b3af7eda

SHA512
dcc755baa6322e63f7f23d6eac0bb60e2a3f659f3a31e0d2bb50b0e76fa5e266742b7314d76946cfa87b877fcb6b09325e28e72b85c2d85116ebc909a57d8074

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
395KB

MD5
636fa93d335365043c9b92be5b0d7711

SHA1
2172263b7aa052a900b923ed6eb2bd332efc95fe

SHA256
3d922864a1a098bcf64f91dc3e112dfa39b75146f77793fb19d68851ed036677

SHA512
c2047f7ecf3ba561274981da655ec033bc9af8ded947805a30e72b31c6ce8d99bc0b57a04da937368944eb936c138192bd4a6952ac98a258c1f9f7544d7b4577

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
395KB

MD5
8f226f71cbca7088a7d275290a27a965

SHA1
9ad476dd78dafff5a28ecb34d6aedf3fb80bfd70

SHA256
2089fd1200e8a72e66464891759aa1a74e7159670fc961416c3f907ff9319c86

SHA512
29829cad5b7fb5eade76a3d324746bee766298c986119db352c0dd235f194c2ec90d62d37b5f7238d2d7d96b5a3721e2a94bc2cfc4b3c0c4e5443b548cc4f581

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
395KB

MD5
9204cc12a7374ccfe4bcc6d00e07367c

SHA1
67158bec8f5c78fef8ca5158287858e7836ef24f

SHA256
8518bdfa9ef387a6d991ec18276bcd4f68c70a7811c259fd8beedb63f42cc7ee

SHA512
a2f2bb387b724eed75e5c5d99274a6717fbdeb973353f18e48d56bb9a8da3c006935641bcc35710b89e8218b195085669513d4fafc6ddbc71d74c9757be042e4

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
395KB

MD5
95116644f7c3db289dc2568a4a6b0f45

SHA1
6f62a318ebcb3cb978cf73cf0718c086ee40db23

SHA256
2c6c3465005bcf25fa5543fab9b1b5dc7d8f22d794f807f4b874d4a398d2c92d

SHA512
504859159cc815c4691ff80239260dc6441aa3d2b25ff5e8ccce4154212915ef60f975115f9e4688cf1df3f80bbad9ac3ee5723dccc2fef26beee805507b033b

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
395KB

MD5
7a2c4d4d12e8909cd920bffc777bfc3b

SHA1
991f246d6059a5183b7d27572dad0126a5a550d9

SHA256
0ca9d4907622b2b4d294aec801853e5a679887ceb41d64139a4972a09d86bbd8

SHA512
860fd2f522dddf7cc3577f035b10fa1f4c1682d720d0718f68aa52d22062586b9c1608de30d6ef53fe4d35f6c307841f49d03c001632899ab9ebf34357f9944e

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
395KB

MD5
69aff337828301a078652ef327c4da2e

SHA1
e42234e4eaf8ee1c8fac920638644f841f6848f9

SHA256
e18f0c18aa28ba584654288ec363ac4316a7cb153e4f62a123bb4e3c703599a9

SHA512
afbab3a790fea0d6e359cb154fffbfc0b4e16f21aef160d3a2e2960cfd5d0f6482a3746587491f7904e1c19e747b42a18cbe1dcbe8da96c053700099b58e43c9

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
395KB

MD5
1120e5b9397e6aab8f5efe73e6a40ee8

SHA1
527cad29a0f4c9de35038ac43e318cbf3fe9b310

SHA256
5378ff66152f906831b808aec85f99a4b3390b66e44e9947d0317c59ea76bb2a

SHA512
98dc8f6dfa63416fc76d769a895e370e76f675c463b27a2e2ad7da68f990b202a23878452f6501ebfcfd45fd868345e2296e0c5a146e8371544bb9ebfcb3b9d3

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
395KB

MD5
61dd376bc1fdc6ba99c5f1897a94ea73

SHA1
8e5184bf018362efe595a7598610a76f62ed1dcf

SHA256
33ade831959a7f89713772da062dbcea9e3e71651abe9b4c35013f300bb6499a

SHA512
c9cb5b49621777767f21070145944be7b35f247d4710155c306344c26a03f2d319bcd88c7db6628c27f771918598501937d2a34517a4a41e102bd9c82b197fe3

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
395KB

MD5
e1df9e2d6f3bebc7e9743a2987c0a827

SHA1
71b6fe1fd223f9729bfdbb9c3ab79348a4b955f2

SHA256
2cf0d8e363bc761a35a6afb8d3cfef80feea8101658650f6ce7798f07994a192

SHA512
7798655ba75c719bfaadfce51e0a9c2050a75bd08fb6f0f91fafe5bf45995927c7748ac20224b3e774832ad5452b3385902a13af71fd5b09120d2e4de22b6fa0

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
395KB

MD5
f868c5861db7eaaadd915f30fe3d9478

SHA1
75cdfdeb182de11d45bb40bc74be934cbcce6479

SHA256
e4be520439827c10167a57c4af984f3a1438570c05f4295be23c2a07522920d3

SHA512
2ef37c818f09205b1ebf7132928310baae5147e26d91052860c2621f7b173eb2447da88f9b7aa018aa00d60c571950892d4d60c792630fe09a5fb9f7b4d43b16

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
395KB

MD5
d9c3aff905d995fd1029bb33f49250f5

SHA1
835b605249e731c9c06e3b0dc8cb5aee19c6fabf

SHA256
50607eb6af8651a3e13c340f7f440194193a8bd23006fe08a5612a2069573326

SHA512
7353cdb121faf4063eb39bafe2841987f0b9ecb9154b5cca1d5148aa584e7de60c6cd9c38859296e2e608f3689a34a5922de01debbda44a20f993ff83ce224c5

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
395KB

MD5
381b54a1e26f010273916805dff8bcff

SHA1
66fd22fc6903d0a5aa632cd2c705f8587dc53790

SHA256
38633a59c2c8b542c425247fc0bd113b11123fd709a924d01d071f9c18b15d57

SHA512
d8be77eea778e2280c3185ae354b9232c654aa9787caee38e59b2acf00a099d4a1f224908684630c0437d716c19e38748b452418f5751dc30f6a19815291a10f

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
395KB

MD5
37c06bf4d18b59b7e181929494fd487d

SHA1
8aa431b248009bceaa82fa4806ea5d0d68b8faff

SHA256
dc938833602dc579bca59af60a2ce33d3beb412ef02f19565080e035bc34671e

SHA512
87e1e105e489d3f6a3592af632c9b4d201995f29bb91514194aec96579a624d03bffd8881a2829f49caac6f6e5f3746748bdefdab6ad1366003fdcb22097159c

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
395KB

MD5
4fcbd3cbfceca00e0aa6e77f7ccb59fc

SHA1
18723ee2aa98946a2674ddb5fc5ecdc1c48c7400

SHA256
25bf7d3183f1d0e295570b2d6f1eab8831fc6e6c625abd70deddeee1056aab39

SHA512
86319fb756a47c30feb2ac04aa4f0694641a03205ebc6f3f519f076a1d1984f913c2339a2fc97c87a98dd5ad6817e074a25bf30a4126cac5103f545f2d6960c4

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
395KB

MD5
908b6db001eb0c9a3c7b8afa6acf4c77

SHA1
a883cda0fbd96eec6043acfd847069ab1d62632a

SHA256
f7e28e0f342dc030ef02d286d9ea3973e2e9f571e948e0f7ba113c57702be146

SHA512
d5aa0fe82cd4f0d15674707c0ad595c12ea46f023022d20cc677edb8622d8867b1f772806c4762c2ddb37e9907424a1983bd4cf5f5d60ba36815547c583cdafe

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
395KB

MD5
b559e3e9f9d77389fc41ebd90b322ad1

SHA1
dba99ad820b6b9078ca86de0cd1b5fe3e6f281e5

SHA256
a62505a58e396ddb8146f652805cd1fe05266c23f9172ea692c45159c99c6034

SHA512
8195b7bef2a31a5b1cd513d84822d2c83711f6237a73527000ac331960329a5681c52b24d7fe734902b98789ec4bda48a925b89687f36dcb7a314d2823cad484

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
395KB

MD5
154868dd2e7116fa8069d9c3493c1d66

SHA1
6c6ec9797d9c78537beb4aadc6aa11d6465c426c

SHA256
5c6efe687b5d72519eb5152fde0587a414f17d0a546cafc3e1b6922ad01facdb

SHA512
05777d54c3f12fc45d2e187864056e8f1ee17b0d4446f70e4eb28a2a9027954df8eabe5b55646a4ed942a3a937c8f397760d300c3f14c10e5c33b025ce549c82

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
395KB

MD5
897ffdd74e26bae8cd5d729d3b467197

SHA1
f43840044a1565b113e72329fb4c71716afbc0e6

SHA256
e3eecffd453f3354ac00e32a29940c8335a67c9d7f10c1ac26b132fdd5a10d6a

SHA512
e314e50ea93e4e08a1498a33c41b412b6f7d805ea849c3a08e598ba86ed5a1ad47edddefa8a1b34509419757b390120d3bab7d46972494b3b777860cca0d98d9

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
395KB

MD5
eeca087340d91c4feeb3658ab56c5941

SHA1
38b34a394568933d1a6fa8cb94825867085aa461

SHA256
5bed114eb4397e371a6699961a685aea60ad6a78b241622a530b748e6299e07d

SHA512
558d2fcd5cd4af760a11ff8dda60aa1fc9ac092372a33140ddd2ac6028ababc26d96a47c8cb1eeb9f7ff1f7b7d08e6c410dcc4916a403f22cba6e06bc01cca6d

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
395KB

MD5
5c5cd935f85d50627baf8c7ec1064292

SHA1
c389a3341bce0060b77a324409dcd2d344984eb6

SHA256
f7adf67025ad4e1e7ca015ae8eae60802fe3c35cea7a5bb31b5a835cda1e25aa

SHA512
289fbc6c420536d8d8335236ac4f101f6db0b6d395ffffb9483ba14b1e7fc05e6f00a92f1f766ad17a0d93332fea2b28fbd6289096194eae4e33b8737b4e4bae

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
395KB

MD5
271aa2a2e0e5eec23cdfdb5adc18e451

SHA1
312aef9dc55d30880739df75305bb3542b2ad6ab

SHA256
cb9c646cb0f2c600973d806fa46bac8f3ff5bf51d5361669094d16976a903256

SHA512
4cf0b4ae1282a06730d9f7d2aaa30a5c19ae40b1402f409b4894647c23628d5877e9b2bad6c62198f7c6a4d014e5f58cab8529bb7b2cdc45f6418c92530770d6

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
395KB

MD5
17d8de8041fa12818124bfca764d9c39

SHA1
fab75225a2e6deb3a80703f81ac6e206b159a0bf

SHA256
1dddc7b965efd71d19e518c8d154e7d0d8de7dec0a73b1f06f83c4e20a12e972

SHA512
edf1393af270d56fd2d00bbee2cfddb44fc1bf6959a17e36117f726466692525181d573889acd8932f619a45071be9b75ebc02b322d9622faeacbb6c4553d632

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
395KB

MD5
7ce168adfb494658d3388a5329e8552a

SHA1
305a6564556333a12c8ed63a9e11bd44b1e5db8e

SHA256
d4f0f5f74778cbe444ca5b2040d5dbd8a9e6c0bce1116ba6bf99d3dac6eb3047

SHA512
f8cddc512e58627af6324932c6dfb3ea6653f7f06ff6b89b9bd82ef76b7f4b40ecec7bfb1096f0bae4ac4d4fcbe4677ee7f32860b17e3a9eadda69b95525f1e8

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
395KB

MD5
ee1d60f0aa3572294a471d3ab4d61bcb

SHA1
fb2cab5c8cc913562d7cb2f4aaf7bc6065b82017

SHA256
bf6e9cb979ef99e6604397b917a1c7fc88556e06ef57c675c1daaad7f9bd412d

SHA512
f70b831fc4038ef2425db656a9894d54b3b70e8c41411e50e0d8b0096b52d13d7ace5062d2e5fdb06158fe42f56b277def2eb8a91446129d3a83e62ba2d7da06

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
395KB

MD5
5325cadee70475b0fd1b6f1729a8e0e5

SHA1
b5aadae2331a6f847f343b5abcee35ed43ec86e8

SHA256
4e1ec75eefaf2f542cc222bd4552af7e5065b5b876ebd190cdcf55247cbbd6c5

SHA512
8ba48e766d240ac5007ec5212063a8ad8fa07b93545b4c251154234982b25d4e53daba4b0d097e25857799434641e272a7b71d5275114f8ff50d3f3e5369051a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
395KB

MD5
e5ffac486e5f451771bc866b5e885b5f

SHA1
337ec0c35cf187d22cb4ee207c162c14cdf563d5

SHA256
ffaaad6c64fd4f294e30139840938bbfa7fb006f2d3cfb4f75428fc8a3947962

SHA512
5dceef91870016ae73d4e27b4d08e1c2654f2c90b232f4dc52d33304bdd121d10de03d33b6adffdb118561dd500817cfb8f3bed72120543b9959188641b238f6

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
395KB

MD5
7961a265b83aef9fba75c9f4c40325b2

SHA1
f646884706f0acd9c0205e8b9877f38f4254c937

SHA256
f8bf5c698d9f0bab113ffe978beef0cd9c154d70edb2f4dfe97925c67ba222a5

SHA512
543e830476e0b2c71dbd700afd8acfb0ec4465d55dab0481bcd5df0383e3d7dd1a97789f9997e4d5aa68f586f5d38c8b8d9771badf39827e7238ffff3a0df72a

Download Submit
memory/208-678-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/208-525-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-573-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-662-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-617-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-647-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/860-472-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/864-579-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/864-660-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/876-443-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/880-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1004-455-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1056-519-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1056-680-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1140-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1160-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1200-638-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1200-641-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1456-430-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1480-642-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1480-632-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-413-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1684-682-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1684-514-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1728-396-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1740-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1788-409-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-674-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-537-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1880-437-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2020-620-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2020-649-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2032-684-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2032-507-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-690-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-490-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2248-531-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2248-676-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-417-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-412-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2616-402-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2620-653-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2620-603-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2636-655-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2636-591-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2716-394-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2764-668-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2764-555-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2844-407-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2860-414-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-483-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-410-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3176-672-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3176-543-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3184-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3280-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-415-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3456-688-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3568-418-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3596-408-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3632-657-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3632-589-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3636-411-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3768-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3868-420-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3904-421-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3916-561-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3916-666-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3956-399-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3968-406-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3988-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3996-405-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-428-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-422-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4144-833-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4144-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4180-501-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4180-686-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-416-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4400-395-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4476-484-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4484-427-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4520-403-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-670-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-549-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4608-658-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4608-597-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4640-644-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4640-626-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4668-651-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4692-431-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4804-664-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4804-567-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4884-449-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5004-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5064-419-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5088-466-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads