5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Size

56KB
MD5

5913437815500d1bf53a91e57759c720
SHA1

47279ed11176538296dc845b6f7b5667210b6e75
SHA256

5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2
SHA512

0d161dadc8e220c55a4fa80b3504d2cdd71c68c112767f1620ac2255b87439e04e4b7e9d963671f6dbe4616dd58d48007bb8a32ab2f523d8e2910af3c3121385
SSDEEP

1536:lhKkEInObytLLc9hXcErIRkkce1o1xxfE:rKkEIWytoBsRkM1oRfE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe

Executes dropped EXE 64 IoCs

pid	Process
4036	Ndfqbhia.exe
2420	Ngdmod32.exe
4224	Nfgmjqop.exe
3320	Nlaegk32.exe
1524	Ndhmhh32.exe
4048	Nfjjppmm.exe
3116	Nnqbanmo.exe
1912	Oponmilc.exe
5048	Ogifjcdp.exe
1460	Oncofm32.exe
628	Opakbi32.exe
4824	Ogkcpbam.exe
4776	Ojjolnaq.exe
3192	Opdghh32.exe
3512	Ocbddc32.exe
2340	Ojllan32.exe
4436	Oqfdnhfk.exe
2696	Ogpmjb32.exe
5088	Onjegled.exe
1380	Oddmdf32.exe
1540	Ogbipa32.exe
452	Ojaelm32.exe
3732	Pqknig32.exe
2620	Pcijeb32.exe
3544	Pfhfan32.exe
448	Pqmjog32.exe
4796	Pclgkb32.exe
8	Pnakhkol.exe
1968	Pcncpbmd.exe
4760	Pjhlml32.exe
552	Pdmpje32.exe
4844	Pnfdcjkg.exe
5020	Pfaigm32.exe
2080	Qdbiedpa.exe
4196	Anogiicl.exe
4148	Anadoi32.exe
2996	Aeklkchg.exe
740	Amgapeea.exe
4900	Afoeiklb.exe
1940	Aminee32.exe
3640	Accfbokl.exe
3156	Bebblb32.exe
2612	Bfdodjhm.exe
220	Bmngqdpj.exe
1892	Bgcknmop.exe
2980	Bnmcjg32.exe
4448	Beglgani.exe
1300	Bjddphlq.exe
4848	Banllbdn.exe
1512	Bfkedibe.exe
4792	Bmemac32.exe
3808	Bcoenmao.exe
5064	Cjinkg32.exe
1452	Cenahpha.exe
2000	Chmndlge.exe
4592	Cnffqf32.exe
4012	Caebma32.exe
4864	Chokikeb.exe
4884	Cjmgfgdf.exe
4876	Cmlcbbcj.exe
3508	Ceckcp32.exe
2716	Cfdhkhjj.exe
920	Cmnpgb32.exe
4972	Ceehho32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	2444	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4036	3588	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe	82
PID 3588 wrote to memory of 4036	3588	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe	82
PID 3588 wrote to memory of 4036	3588	5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe	82
PID 4036 wrote to memory of 2420	4036	Ndfqbhia.exe	83
PID 4036 wrote to memory of 2420	4036	Ndfqbhia.exe	83
PID 4036 wrote to memory of 2420	4036	Ndfqbhia.exe	83
PID 2420 wrote to memory of 4224	2420	Ngdmod32.exe	84
PID 2420 wrote to memory of 4224	2420	Ngdmod32.exe	84
PID 2420 wrote to memory of 4224	2420	Ngdmod32.exe	84
PID 4224 wrote to memory of 3320	4224	Nfgmjqop.exe	85
PID 4224 wrote to memory of 3320	4224	Nfgmjqop.exe	85
PID 4224 wrote to memory of 3320	4224	Nfgmjqop.exe	85
PID 3320 wrote to memory of 1524	3320	Nlaegk32.exe	86
PID 3320 wrote to memory of 1524	3320	Nlaegk32.exe	86
PID 3320 wrote to memory of 1524	3320	Nlaegk32.exe	86
PID 1524 wrote to memory of 4048	1524	Ndhmhh32.exe	87
PID 1524 wrote to memory of 4048	1524	Ndhmhh32.exe	87
PID 1524 wrote to memory of 4048	1524	Ndhmhh32.exe	87
PID 4048 wrote to memory of 3116	4048	Nfjjppmm.exe	88
PID 4048 wrote to memory of 3116	4048	Nfjjppmm.exe	88
PID 4048 wrote to memory of 3116	4048	Nfjjppmm.exe	88
PID 3116 wrote to memory of 1912	3116	Nnqbanmo.exe	89
PID 3116 wrote to memory of 1912	3116	Nnqbanmo.exe	89
PID 3116 wrote to memory of 1912	3116	Nnqbanmo.exe	89
PID 1912 wrote to memory of 5048	1912	Oponmilc.exe	90
PID 1912 wrote to memory of 5048	1912	Oponmilc.exe	90
PID 1912 wrote to memory of 5048	1912	Oponmilc.exe	90
PID 5048 wrote to memory of 1460	5048	Ogifjcdp.exe	91
PID 5048 wrote to memory of 1460	5048	Ogifjcdp.exe	91
PID 5048 wrote to memory of 1460	5048	Ogifjcdp.exe	91
PID 1460 wrote to memory of 628	1460	Oncofm32.exe	92
PID 1460 wrote to memory of 628	1460	Oncofm32.exe	92
PID 1460 wrote to memory of 628	1460	Oncofm32.exe	92
PID 628 wrote to memory of 4824	628	Opakbi32.exe	93
PID 628 wrote to memory of 4824	628	Opakbi32.exe	93
PID 628 wrote to memory of 4824	628	Opakbi32.exe	93
PID 4824 wrote to memory of 4776	4824	Ogkcpbam.exe	94
PID 4824 wrote to memory of 4776	4824	Ogkcpbam.exe	94
PID 4824 wrote to memory of 4776	4824	Ogkcpbam.exe	94
PID 4776 wrote to memory of 3192	4776	Ojjolnaq.exe	95
PID 4776 wrote to memory of 3192	4776	Ojjolnaq.exe	95
PID 4776 wrote to memory of 3192	4776	Ojjolnaq.exe	95
PID 3192 wrote to memory of 3512	3192	Opdghh32.exe	96
PID 3192 wrote to memory of 3512	3192	Opdghh32.exe	96
PID 3192 wrote to memory of 3512	3192	Opdghh32.exe	96
PID 3512 wrote to memory of 2340	3512	Ocbddc32.exe	97
PID 3512 wrote to memory of 2340	3512	Ocbddc32.exe	97
PID 3512 wrote to memory of 2340	3512	Ocbddc32.exe	97
PID 2340 wrote to memory of 4436	2340	Ojllan32.exe	98
PID 2340 wrote to memory of 4436	2340	Ojllan32.exe	98
PID 2340 wrote to memory of 4436	2340	Ojllan32.exe	98
PID 4436 wrote to memory of 2696	4436	Oqfdnhfk.exe	99
PID 4436 wrote to memory of 2696	4436	Oqfdnhfk.exe	99
PID 4436 wrote to memory of 2696	4436	Oqfdnhfk.exe	99
PID 2696 wrote to memory of 5088	2696	Ogpmjb32.exe	100
PID 2696 wrote to memory of 5088	2696	Ogpmjb32.exe	100
PID 2696 wrote to memory of 5088	2696	Ogpmjb32.exe	100
PID 5088 wrote to memory of 1380	5088	Onjegled.exe	101
PID 5088 wrote to memory of 1380	5088	Onjegled.exe	101
PID 5088 wrote to memory of 1380	5088	Onjegled.exe	101
PID 1380 wrote to memory of 1540	1380	Oddmdf32.exe	102
PID 1380 wrote to memory of 1540	1380	Oddmdf32.exe	102
PID 1380 wrote to memory of 1540	1380	Oddmdf32.exe	102
PID 1540 wrote to memory of 452	1540	Ogbipa32.exe	103

C:\Users\Admin\AppData\Local\Temp\5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
"C:\Users\Admin\AppData\Local\Temp\5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\Ndfqbhia.exe
  C:\Windows\system32\Ndfqbhia.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\Ngdmod32.exe
    C:\Windows\system32\Ngdmod32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\Nfgmjqop.exe
      C:\Windows\system32\Nfgmjqop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        66⤵
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        67⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4732
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        85⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 216
        86⤵
        Program crash
        
        PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2444 -ip 2444
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
56KB

MD5
a0b15658a2dac2fd49317c52fbb932d9

SHA1
04ec72118eec2ede1b99c600805c46daee721ce1

SHA256
87103cb3ccf08d6f85157969bfd2b7dd86a056870ec0ec997c88d61c3801b68b

SHA512
793ccea90d162f05c4b0426bd0238fc62c9ba4d29b2af2ca6f70e09328a965fd7386ee378dc38f673cb848c6505bd71a07cb0a3e13710bc24e56656f93d606b5

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
56KB

MD5
06f4bc9f16afe9d54f951992a5a66f70

SHA1
ae586627d9323c7be9ffcf305220705ba696e412

SHA256
b50c88f81794f4f0997ea657c0bfae05f046aa5f43e7b09db578f6fd1f918096

SHA512
158009ae14f16d7a1a1f66b6c7ecee3bda0ff7d67aa122640a042549465bf46c9669cb72a86848c6f597b9561c74bcd3c15b16419bc70d229f5d606da347bdae

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
56KB

MD5
8bb68ac2255274ef059966e6ec4e5b5e

SHA1
076ac09a11ea353d7ff6e16460ecbe552ef87c05

SHA256
78d9951336c7f2bd2c2fb7e2c49834864161f737d8fcb5dfec9bc458b5f35b14

SHA512
a823e95e62cb6f7ee922b6556ee574a5be11cf52ca66dd8c9d30b30e9824900d580f0e0d7487ffd21a7a2334ca3022c546e81031996d242a50e8caa25ad5515d

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
56KB

MD5
5a99c1caad4c77b81c6abb4fa2895700

SHA1
d711d5343819c39b15e6f80dd0e07bce0b45c8b8

SHA256
3e84c499659973ffea941a448b6618f5b66d8814b186cf9aded5f2342d6f829b

SHA512
1f9a6be0ca573599dd52dcfb295411c9a54f1d8c7c217c257cbf1dce65d57dbe00f60ac8d9b6c978e05fa1ebb335cd2858a78d993ecc914c8276c1238341af82

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
56KB

MD5
05930e099baa7bc3600efb40cddc2939

SHA1
6450594995e578676e2411e7927652762d1aed44

SHA256
aa7e54d812455151442149ece11e1ab893bf1b62ce82d5fb782f005fbfe1f5e4

SHA512
ab85b881375ae282cbb42584798873aa63d61816d1e1d763c39a7c2d7c3413aa65049c3b308dee89485c3ea13d7ad0b5ad8e6775f14d362bdd1c4fc72b19fc43

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
56KB

MD5
58a6db5a36b8d7c7b13e86840c479f42

SHA1
a29df193891df7913e8d7a659d596eb3d00cfee6

SHA256
4e2d4825644626689d25d9fdcfb44e29d84064392dccfb9f98aaec45fab7ff53

SHA512
7afcfa5415c14aa27ef5a8632ddc62ba0c73d571f315eba162a7a76ae622346b89f7b553b0333bf97c02bc954472ca3d458bd58991e2367222ffd1a314367fc1

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
56KB

MD5
9cb3ae3281535d3b6a4d5bdf24a42331

SHA1
0c511b511f5835ce74d4b948064bcc659b5c115d

SHA256
0ca8f984132b6f5538cd05721a2be117c632c70cc1cee953e3fcaf80fbefec34

SHA512
50c6550e4659b2af7c1251f2c2d73c2bc7757d2d7c083936ee4faaa8bfb5d2bf1ac1ecc7f897571fb8b45d2f24c58f0a2dc5a498f985e6a1765a01217aea51b6

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
56KB

MD5
174d51f4ea9aa211dcd354d3431b0b85

SHA1
72a1f8ec1fd2cf2893bdce1bd8fc5d7e718cf3b3

SHA256
dde3ba136bebcee62adb0d3376440bb23009fc653f92f167d702022e26c8a06e

SHA512
81d55a92f014831e273d8cdf91f2c1de1858751e3e7d490536ae4615ac7dcf0892df051cad4ab8ac286ccd0a7966a81fa5be58f5596b4cf4eb4617d9cd74f61c

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
56KB

MD5
82b27549a554eedfdb1e529026d426a2

SHA1
4e87233ab1935385dc043d5bc5dd95ce26ec5081

SHA256
ecac76d4de362fe73f3b4f1523f669023e792dc8c35cde44a367ce4d559ed632

SHA512
89fbeeb9ba93e6975957328171d03727d64fcaeffe1e9e554b7b826aced7f05bbd6cf09f195915f80a0f2501abf8305ea778dc2f6f726014f027a78d769dd484

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
56KB

MD5
4307375f274274e0c5c22bc3a134fe58

SHA1
d655874096186b829afa6eb4fc617e7f22f7ba79

SHA256
ba0ba3fef4979bb5b480317fb80a5eaa3c4e243ee806a63218d6b0d068acdd42

SHA512
acc56c809752f6aff36c80ccf61e43846fd455c56519bae2df584ca38925bab80fc18ae2ad7e8e96884940b4f205424db2c7bccdcdd4c6cc56fd0d7ceee019b9

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
56KB

MD5
3832bf3e306a78edea47d722e5f2332b

SHA1
745a04342d2b75825fba4acd592e89d9cea768d6

SHA256
78d52509b686938369be0d541af644537e3707455c08c23bc951e23b5da6eac7

SHA512
030b75c13afb22dba14900f7f738c01983b362665e6341fc362b7144824852f03da4f17e6ee0269be037bf920e9d68c35293c83da2834806675e22dd6fcdf676

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
56KB

MD5
713754b9a100e3a9f2184042e130a316

SHA1
bd3c061584ea30272ea83614ad2ca5048c503679

SHA256
cccd409685a4c3de28def7597da2263e22f6d0920e1d67a0d2d4a2301428d8e5

SHA512
ae644d18777367ea3f13b7f6b0205240901029ac79f15cea36ff8d9bb49622ce679a1ee32615a9754116721ef062d35ead8edb155b03e56f13aa72a7cb2d3728

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
56KB

MD5
c02283d0127b04f67261548cb0c288bc

SHA1
e2ef1d3174caa5e84ac1f06a10c8cc3ad17e2796

SHA256
91b5e5ebd32958a19f3fad20b61e9ccacbccb0007b566880b3b1f0fe511f8e94

SHA512
3d954cbf0b4c9fe58f378eb3d8bbeada18a103c29c1478281bf46f8db9402780c10f0f57fdd04589490ffb27b5e2302de4131071d73be6f4ed4969233ff0556c

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
56KB

MD5
fe9489c5c7ef7f61f259259ec57dc0ed

SHA1
90c667bb14a13f183ca03b5857c48ecd00455028

SHA256
1d66cfaf08e1024f231092f1b121b5d9e6d0d97e2aea355c60112b8eb63d4f89

SHA512
43f180e9659e82a8557fb555b93bf438b40bd17d8c30fe683d7ffc55283306f2f42dbdd64a1f74aab4810b06d49fe8a333fc50d8f7fd2dcdae7cc8404d284da8

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
56KB

MD5
e4d63030ad70205b0f31127e84caa184

SHA1
55b7bc85c3f26d422c46e7c7ec4266088c1b10bb

SHA256
a4d796534d14e24ca7c43eaa4799fbe28b694ff21dc76011c369de7352947cc0

SHA512
81ef086c15ab27f3fa5abcf3de8663ea33c333733e09271c3da1b0c714536c1fca54d029615741a0740317790547b3dbd46981bda7da326e9752f11028fdb89d

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
56KB

MD5
b19f3ec429041542d11efe2aa5c0bfe2

SHA1
808460739bf4e8d102c6b8b63726dbb14655f955

SHA256
a9cea2aeae53b75d3dee17ec0522dcc272129cec565b014a2d4b70d2a46a0765

SHA512
9441c5f2f9360a888ec97021049fbfe71bd9c6b917be2551e3516a547d13681f659cf6b840be77795dc3a5ddd95c010ac93f2eb5e296de6eb475ec2e60fe7e56

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
56KB

MD5
c50690825c4243f4037d54cdb30e5f28

SHA1
fe0a1a47b46cf3a52fcd356249ec0934e9428818

SHA256
ef743278fac7f90284e530a5c7c476a468f07a279213e8f81fc3f715be894199

SHA512
f43446305be633828e6e9dcfca59b82b9da14119fe9537cc4b22206569b2702d6690f2222c22d692943530c146ed6af579ee107fa2b6ceeb40b51775f5ab4f5e

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
56KB

MD5
c408adc1d1b38b6f2bf5f7af3475396d

SHA1
026f8f4b49684a15c5cffbdf0c3ad6ac4fa48c02

SHA256
a0e238bbd078ee4987f6c14ac3a4d78b2e9d37dc3739c7bb059285054be83ad8

SHA512
8e517f9eaefd864a16b1ad379f4d174271493e2ab4cb9a094c1e8a44ad92054af8ee221ede6b729b37916ff05e10f6f79eb35b02adecce84e5d1ec4ce2071741

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
56KB

MD5
f0a667c88b894305409d2b577bee845d

SHA1
ab881636dd2c23b49ceec3a2e19941fc8b8bed89

SHA256
b817e522f7222f1d12c8a0ecf0a8f8549e0f4223ccc932b67207018fe8f66b3a

SHA512
106a88dd4c5b9883594716cb118c545465b924dd9ffffcc9aee8595b2aed3e59c4af655b61872c493342eb776fec4792e62b1ff0955e9dc60574bd2065373834

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
56KB

MD5
04e767e02feb0b66ac5631eb0ec8ac50

SHA1
acbd439065b0d6e3ac5135cdfb710fcde1c3b72f

SHA256
f30650d59f8b0831530cb65a9618c52bfe9703b741d012d3d469490eb2d1ee96

SHA512
f56172bd514b2b9aa7086f9b25aae595bac86ef95a6df8f71aab8b5096c0555b3daf9612a8544fc54039a764989a32594115c02d6f2fc0c5d410af4d6226415b

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
56KB

MD5
a6e67f5a65a423a8be1f187067f788be

SHA1
5d796602b3c91414ca86e88a1d01ad0ec6c89189

SHA256
631e616e20f18abadbf56f7c0196e40e7f191f69c34cd09c2c19b586670b02cb

SHA512
7e6ccb40e314264baf4e8307d20d507f1ac2ab4123b9392d863872985c7624ad352e47b94753a6a1af6efd5d35c9944d0bc8ebede68a669a433e1a3ebc6f3452

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
56KB

MD5
3dd4b4ab37c250c305db121aa1757880

SHA1
107193a89f162347a1e010fad7e8812e4607332b

SHA256
6ffc77ee59b6e44d0cd6a587e566908d6b066554f0ec3866c54e3fdac5dfb350

SHA512
dcaa38e75f13d7a1ec2c566ad40c70c372561c30671edeb9410cc0e55b966acd271eff2842195c86fd18e30bd3c6545555c1462b8fe52b3fd6b26f10d636a4a3

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
56KB

MD5
6ae0ff39f17a144b98775fe2e736b476

SHA1
8fa07bc229599c29ab08ba2d0b2601e7d37865cf

SHA256
3849a9bb674db19f781fa4b7f4fc85b9c1de87465675e0834f281d074b41e83b

SHA512
5ff13f6fc2edf4d9c09549e4fbf4cb92ef798690e6c441779ace569aaeb572f22d9ee908fbad87bc85461ca94606ffea6fbded0782fe6191f20762308968a682

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
56KB

MD5
c061ac0d68de7347173b05c79f1d91f0

SHA1
92e70346dc2ed46e38e8b1ca937d85e6160e1b43

SHA256
258c388403bea88adeb77cfdb93875e77d2056bc27b4c74470257a65d2522095

SHA512
defec4443dbd99a7169d2d61a0f2d452e9871d0955b41e5facbe9c137291de15eb6780f0930b96d5129dba2090eb23a051273bc54062b4e03a66f8d30e212e3f

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
56KB

MD5
fb71fbb084103be6ea19affd705a5c57

SHA1
89ae19d522e1357c3bc87701502aa4047e6d000b

SHA256
4649170a515d5451df5930f1e8290f925194ca12b3cbd49385051098f0f9d67c

SHA512
ea622915f808dcd3af625bac138002b1978de6d0135cc35e537518ce3738824553c3788b816d46454ac74470c67c45b8ac87717e8bd0c8a2c6d1f51d9cdf766d

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
56KB

MD5
afbab2fd0ffee1ceac4da4f35bee77e5

SHA1
e3d863fbe43e6095db5abb8c6567c5c6a5a8e5f3

SHA256
4a980604500f6a8b0d92d8968f9b85fc41bcfcb8ad49d19bd6e8c823a271e668

SHA512
6511b474ce895be85c3a925968cd31821648ffdf6874fc419073f6899a4d4d5cb85bc5e67f4d42daa7408a63596dda5a02373de749826192499f9f8ee566807a

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
56KB

MD5
f3e2b8c30f2dda5d733f8a6d543edef2

SHA1
03b81208fbef45a56202b86c5255ac38ecdcccef

SHA256
9747a60772375132d9c5d510924f72ec8a673557267242c29a3df6fd572df062

SHA512
bd9555c1a71f0af023153c6f6325a71e3fa7ae2828f9b91142a636f70bae1f4dd010b4855f4cfb82455e75c71cc1074a5abdadc2f1be69e720fca091c7134814

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
56KB

MD5
7e2e70c04de9487e5777dc1cfada35d4

SHA1
0dc12541d2ae28de29fc1ebe41999a11df0ba73f

SHA256
8a8277551b271b25aa8513fb1822dda2c00bef0cb6352509731d0a252ffae0b5

SHA512
862431e7c1865bfea8e29901aed01ef9a61e7acb87d3cb1ca7ab7c5e6d05901fa62a892d04ab98ba44f5b02f46e7c9651b42f3d6411a6502ef51445f96a340b4

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
56KB

MD5
f78e58dd1ec74b350f2e31d66da875c5

SHA1
f11ac69a6a08770b7fea72839b4d7a448d27a2d4

SHA256
a97db77eef71732746852328883ac539d19310b35e8a4f31e397bdfbb3c5df71

SHA512
be275f0bc08b7974c1d08641b8cadaa1b34cf4b4fce94996c5ff03b40b318f19dcf20a9ac5b26f105c809c7a13206f91dc8692e61ba8d7dc326fbf0d5a11a3bc

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
56KB

MD5
3bf5fa9661c21d64925be53f783c7c32

SHA1
ba55fea45710534c43190a0d72161693682c807a

SHA256
8b9d08dc2fb5b82b1ed2cef00479e4bfb8ca8ee89e2e53926333e05da2bd55aa

SHA512
8e66b500f1776446a9825b48f62a49351f423293eb5ba2a4da0b5ca934fe5f9899e95ba3a012993226c582e6c9cbee7061f65d71e34c84233999fcd4d3f1065d

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
56KB

MD5
a5f88482445fe999f247aa97d3c67677

SHA1
ffe8c053ea3d42cac111c87a540e030749e28a6d

SHA256
e4bf22d277a1ed9cf4f8054d693b5a4a9cb4cfc7d4dbf9baaff4dd5449ac252c

SHA512
f947e34994442626415f31ff35bac246d784c4641ff164dbe126306255384a3e9a0973c1484b4e51b8cb5173910c6226ddd0998a2d2643184d01a9d97bb9f110

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
56KB

MD5
2b7be65fe7a7e76e4823d57555e2ce43

SHA1
5a1f1e4b70925b24d480069dfbe716fd5a7570ba

SHA256
9e77ef852242e0246f49b406e79aaa50636caa7e567c699f54b0aa08154885fd

SHA512
d158754376d902418eaf676c7e2f26995129ee4fc362272f36aa5dc9ed6cb6bc9b8631a57245431419277c65670222eeb7da1aca81778445c63584a37f87add8

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
56KB

MD5
76e9b6f38a79b241149e5c94ce8c49b3

SHA1
f031c74571b4caf0b2b4e02d569d49e449b355a2

SHA256
4bb0ede31fc54a9acc3fb3ee70d4d3950d138d5fd82502f119af104755f3374a

SHA512
524742cb447c9f0b2509c8083e8f4c16a03233277116a434571842d462039688234fa0301cffb455ebcf071977381efa3f449b7f5b334416847b9d07e9f6fa71

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
56KB

MD5
e621d1d5592f019ac207ca20f485d628

SHA1
fda544d81bf3fbcc30ea7c1b3c94eab7aef7f707

SHA256
3c1e091c9c4cb113957f9e6cc4482d1d1948f4a93c0029c5e18c51c29a4e710f

SHA512
efb156cfe77c113b8a3253769e9ae145fd8a4d17a41bda2a8dac976750653b02626ac0fa7ed34ede51650280c80a441edd22534c0dfce207a7fc2f58d3d40fff

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
56KB

MD5
f148194867d82d4612483c0690b4d278

SHA1
8f9a7bf49d476324a5da2055360ac0d205809a39

SHA256
5fdebc8186517b0294591d46c6ea013784edaeba9499b4c4f4f9de3ea6c4ae63

SHA512
3f192a09a722e9d1e4dfcc98c1e63d142387d92cee38738b341183dcd0580b65bd9abd7f369dc7980cf95d3f9f014760260cb7cf707dc8a9453248595de99b6c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
56KB

MD5
93457ecd0e946da393128a6d9cfac5cf

SHA1
2217d9d2e3e89bfb866da9e9a48b971cf880aaae

SHA256
d63f49ce9e4c064615dc2e65c85061c2ecec8c115a1a8720b2b53f87eb3b7b34

SHA512
20d58d57eaf96e0fc12ea5ede6fb8ac5b3514a6e244c2d9e160883443bb90dd4e191763a549f2a206e1b69c9f7f6021ba2138ebda663bdd63610a8942b3bd4fe

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
56KB

MD5
a7cbdb6db56988c9e27ff6305eb95803

SHA1
2d6b76aa0194203a2b788675e7cd7cdb88a0c67a

SHA256
b3e34b9870b9eda710f4282def97929f447a829cfc7fc335dc02185130f8e120

SHA512
dc108e76ff0e097a4528802f30813cdf75569e5d67874dc23e0740714aac08a1e752b858b4cf35a60c4a2d8b50a9daf6fcdc97ffb8f49984c875ce8f9cb487a8

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
56KB

MD5
23584f219835569b54ef5c830caae6bc

SHA1
6a45f5fe92dded0868688714adf012d4efcf6da9

SHA256
903b6434ef4da49a362c8ab9eb5fdf02da5ceae7b3b1882dcb211552d4312ce4

SHA512
db825085f44a8bf65c202aace6ed09d61b9bab7e330f25c7ddc394c88f1c53e5b61f0678a89006189626d0fcac7e5074146facf74f41a687fb8f90909e112759

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
56KB

MD5
22396014acb5e63d2ccdeb5001d2ce35

SHA1
03c36cb89e3603861dd62360b5dd88a3eadeba24

SHA256
353d7c04114086435a6b76ee0248e4648266aeea0023eb03f5d5ecc1a96ba286

SHA512
2796a1e29e7abcedae21ec04f967ffc4aba3df52ad7e65690138811bd9d36ad35df94a572ffc08dc445835e61c7b1da4112c9d4f275bb3ab6cfb5a66b44dc49e

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
56KB

MD5
10e9d122c5017d29eff59d88ab573b6d

SHA1
77d8851c9723c346eb7697db462090d6f8a02499

SHA256
ca6363079f3d3ca1b2457662b9259c36221809ae817b85a34c261aef028faf69

SHA512
f859cb030bc13b0498507cb63c108dc4bf6f1cbde50c804d9e214addcb36d871ea93db04ae10bb0950972053ffeeade1710cd6d90f3fb6e32ee11c2d041406a7

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
56KB

MD5
a6941486d1d21212a7bbdaaef9fded8b

SHA1
c7e5484c2dbccc6244c8fcfc659015fcd63b6ab6

SHA256
cd34d3dbe25cea79bc7348493a6c807d58853275cb35b7698e7a3c0058ea8dba

SHA512
d0d697e0d32572c3db422100f8d17c752f61dece25159d5139446195a630d4cf1ade1597b16c12e2a7e920a11cbfe1b18e5a85f96039724e9797ff44ec584f7a

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
56KB

MD5
00529f1305bd399ce956c722bdb51008

SHA1
e5818e05ec1b6d55714ae99172e9fdd7aecefba9

SHA256
53476d2dc50bd2681cc21efc1cfae8fbc436f34ef1c715280e3e6ff1821d245c

SHA512
4500bdf90295c97f60cfd13cbbb52bacd95694fdf08c159be5f3c4afb8be7c15a5d60780110e3797f83aed6858303bd14b39cba7be6bdeff63cc1047119449a5

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
56KB

MD5
51e90c1db4b20a49ac56b5dac473bb05

SHA1
abacb645328a83bbdfc6b1652e2c7bb6cd95ff3c

SHA256
f22f8cf0b15120a800f988d2a0376cfc88df964937038384a0c6f66b6e4a6c07

SHA512
a94b12a028d0871882d2b9b4d90a7363cec54e6df5dc6e5f04a822ce72ecafc505339e1b955271d8156976692bec130d9eccd57f767f2f8c93140d15ea10c9e5

Download Submit
memory/8-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3588-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads