a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
Size

78KB
MD5

2231b82decdb1dbdf2c68d0850d14d60
SHA1

4f7ef07f9bdee022c2b972b78f041935f8d6d85f
SHA256

a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2d
SHA512

77f668befa007f3aa17a3b4497e2f7508c20a145413dd0d81f43be6268584c5a7f4eae250b37aeec4acf68fe2e80dae109db5dcca74e986af4a5bfea223af2ff
SSDEEP

1536:C0+JLLlxpmadSMvuINrT97oMiVnN+zL20gJi1ie:pSvAaaINrT97FiVngzL20WKt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe

Executes dropped EXE 64 IoCs

pid	Process
5052	Njciko32.exe
3308	Nlaegk32.exe
4952	Npmagine.exe
1240	Nckndeni.exe
3180	Nggjdc32.exe
2060	Nfjjppmm.exe
2896	Nnqbanmo.exe
4104	Odkjng32.exe
4996	Ocnjidkf.exe
3644	Oncofm32.exe
2960	Opakbi32.exe
3164	Ocpgod32.exe
620	Ofnckp32.exe
3368	Opdghh32.exe
876	Ognpebpj.exe
2520	Olkhmi32.exe
4728	Odapnf32.exe
1676	Ogpmjb32.exe
968	Olmeci32.exe
3008	Oddmdf32.exe
1928	Ofeilobp.exe
3348	Pnlaml32.exe
4668	Pdfjifjo.exe
4960	Pfhfan32.exe
428	Pnonbk32.exe
1924	Pdifoehl.exe
4260	Pfjcgn32.exe
4936	Pjeoglgc.exe
4164	Pmdkch32.exe
3696	Pdkcde32.exe
2168	Pcncpbmd.exe
1284	Pncgmkmj.exe
3716	Pmfhig32.exe
2908	Pqbdjfln.exe
4792	Pcppfaka.exe
2724	Pfolbmje.exe
1844	Pnfdcjkg.exe
4776	Pmidog32.exe
1348	Pcbmka32.exe
1192	Pfaigm32.exe
4708	Qnhahj32.exe
464	Qdbiedpa.exe
544	Qfcfml32.exe
4320	Qmmnjfnl.exe
2052	Qddfkd32.exe
2000	Qgcbgo32.exe
3060	Anmjcieo.exe
4208	Aqkgpedc.exe
4860	Ageolo32.exe
3796	Ambgef32.exe
4796	Aclpap32.exe
3672	Ajfhnjhq.exe
412	Aeklkchg.exe
4824	Acnlgp32.exe
2768	Andqdh32.exe
2072	Amgapeea.exe
4672	Acqimo32.exe
1124	Anfmjhmd.exe
1804	Aadifclh.exe
4724	Agoabn32.exe
4756	Bagflcje.exe
3228	Bcebhoii.exe
4044	Bganhm32.exe
636	Bjokdipf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5920	5780	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 5052	1940	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe	83
PID 1940 wrote to memory of 5052	1940	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe	83
PID 1940 wrote to memory of 5052	1940	a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe	83
PID 5052 wrote to memory of 3308	5052	Njciko32.exe	84
PID 5052 wrote to memory of 3308	5052	Njciko32.exe	84
PID 5052 wrote to memory of 3308	5052	Njciko32.exe	84
PID 3308 wrote to memory of 4952	3308	Nlaegk32.exe	85
PID 3308 wrote to memory of 4952	3308	Nlaegk32.exe	85
PID 3308 wrote to memory of 4952	3308	Nlaegk32.exe	85
PID 4952 wrote to memory of 1240	4952	Npmagine.exe	86
PID 4952 wrote to memory of 1240	4952	Npmagine.exe	86
PID 4952 wrote to memory of 1240	4952	Npmagine.exe	86
PID 1240 wrote to memory of 3180	1240	Nckndeni.exe	87
PID 1240 wrote to memory of 3180	1240	Nckndeni.exe	87
PID 1240 wrote to memory of 3180	1240	Nckndeni.exe	87
PID 3180 wrote to memory of 2060	3180	Nggjdc32.exe	88
PID 3180 wrote to memory of 2060	3180	Nggjdc32.exe	88
PID 3180 wrote to memory of 2060	3180	Nggjdc32.exe	88
PID 2060 wrote to memory of 2896	2060	Nfjjppmm.exe	89
PID 2060 wrote to memory of 2896	2060	Nfjjppmm.exe	89
PID 2060 wrote to memory of 2896	2060	Nfjjppmm.exe	89
PID 2896 wrote to memory of 4104	2896	Nnqbanmo.exe	90
PID 2896 wrote to memory of 4104	2896	Nnqbanmo.exe	90
PID 2896 wrote to memory of 4104	2896	Nnqbanmo.exe	90
PID 4104 wrote to memory of 4996	4104	Odkjng32.exe	91
PID 4104 wrote to memory of 4996	4104	Odkjng32.exe	91
PID 4104 wrote to memory of 4996	4104	Odkjng32.exe	91
PID 4996 wrote to memory of 3644	4996	Ocnjidkf.exe	93
PID 4996 wrote to memory of 3644	4996	Ocnjidkf.exe	93
PID 4996 wrote to memory of 3644	4996	Ocnjidkf.exe	93
PID 3644 wrote to memory of 2960	3644	Oncofm32.exe	94
PID 3644 wrote to memory of 2960	3644	Oncofm32.exe	94
PID 3644 wrote to memory of 2960	3644	Oncofm32.exe	94
PID 2960 wrote to memory of 3164	2960	Opakbi32.exe	95
PID 2960 wrote to memory of 3164	2960	Opakbi32.exe	95
PID 2960 wrote to memory of 3164	2960	Opakbi32.exe	95
PID 3164 wrote to memory of 620	3164	Ocpgod32.exe	97
PID 3164 wrote to memory of 620	3164	Ocpgod32.exe	97
PID 3164 wrote to memory of 620	3164	Ocpgod32.exe	97
PID 620 wrote to memory of 3368	620	Ofnckp32.exe	98
PID 620 wrote to memory of 3368	620	Ofnckp32.exe	98
PID 620 wrote to memory of 3368	620	Ofnckp32.exe	98
PID 3368 wrote to memory of 876	3368	Opdghh32.exe	99
PID 3368 wrote to memory of 876	3368	Opdghh32.exe	99
PID 3368 wrote to memory of 876	3368	Opdghh32.exe	99
PID 876 wrote to memory of 2520	876	Ognpebpj.exe	101
PID 876 wrote to memory of 2520	876	Ognpebpj.exe	101
PID 876 wrote to memory of 2520	876	Ognpebpj.exe	101
PID 2520 wrote to memory of 4728	2520	Olkhmi32.exe	102
PID 2520 wrote to memory of 4728	2520	Olkhmi32.exe	102
PID 2520 wrote to memory of 4728	2520	Olkhmi32.exe	102
PID 4728 wrote to memory of 1676	4728	Odapnf32.exe	103
PID 4728 wrote to memory of 1676	4728	Odapnf32.exe	103
PID 4728 wrote to memory of 1676	4728	Odapnf32.exe	103
PID 1676 wrote to memory of 968	1676	Ogpmjb32.exe	104
PID 1676 wrote to memory of 968	1676	Ogpmjb32.exe	104
PID 1676 wrote to memory of 968	1676	Ogpmjb32.exe	104
PID 968 wrote to memory of 3008	968	Olmeci32.exe	105
PID 968 wrote to memory of 3008	968	Olmeci32.exe	105
PID 968 wrote to memory of 3008	968	Olmeci32.exe	105
PID 3008 wrote to memory of 1928	3008	Oddmdf32.exe	106
PID 3008 wrote to memory of 1928	3008	Oddmdf32.exe	106
PID 3008 wrote to memory of 1928	3008	Oddmdf32.exe	106
PID 1928 wrote to memory of 3348	1928	Ofeilobp.exe	107

C:\Users\Admin\AppData\Local\Temp\a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe
"C:\Users\Admin\AppData\Local\Temp\a3c2402464f721fecab3c788b64c1f9dc44a4107b7eb48926dad32571156be2dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\Njciko32.exe
  C:\Windows\system32\Njciko32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\Nlaegk32.exe
    C:\Windows\system32\Nlaegk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SysWOW64\Npmagine.exe
      C:\Windows\system32\Npmagine.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        30⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        36⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        41⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2392
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        71⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        78⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        80⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        106⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 212
        117⤵
        Program crash
        
        PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5780 -ip 5780
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
78KB

MD5
262c495fef32ecda1f201279c804bbd4

SHA1
7b4c8373ee31ba4455099866c3147ac40545e977

SHA256
338d208b89b5b1790e360215c7b897b567e4bf3fe3bc0fe155d20c78bb7b48d5

SHA512
61b72272e920bb1791605450133a50dae430748ac0a9741f8c5180848c61516fd1ee8e416bcd8443973b0a260a1e74f9b0c59161ea73a35498186bbc3fc235ee

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
78KB

MD5
b92da63109cd20e7df957ae03706d7ea

SHA1
0b16e8c12707342e835a356a637e669dceca79fc

SHA256
32d8b7422c1bbaa01321c8c45173605fd42e04f1268f015ec8d4cf74fc65a402

SHA512
6dc24045d7199323459583f3c8e18f681634d0bba3b47fb9966c70bc8a36c57d6a4242d9164cae1939b0f5d20bf04356e03c7a78d9e0fe3f2f60f74c183ccda1

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
78KB

MD5
3bda1e07f38e1c28501f2050747286a1

SHA1
141b3a23e8fd86f7232ff1a7c856637a5ae70113

SHA256
e4afd9abbcbbc072000e8d4bb818c3e964b91b258425203a066c3a5f81200ed3

SHA512
66e9afe8fdc8fee6032410f256b25243eaa17c018e7af5052f2c5a5d56f3e56d81de8299fbf94f942b7c057a58c7ebaa52420f9f440c7ed3bc37b36d3cf5dbbe

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
78KB

MD5
5b72a3ef91c286914732ac4a404c6187

SHA1
610776af8e5afedfbcfb30d495187c53a99f92d6

SHA256
6d15f3588f46ed3f8b920614977bb750c9f08bae80fddc719e47f4e0a38b26b8

SHA512
fccf91e41d7e6369cab413b341210ac81414c04177af04b871f1477eee65bb7f3eecf6857d878ab66e1e68106a6c71637119974cd150e0f71ec10307525ad949

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
78KB

MD5
04aec54045864413f3e6f668cd51e64a

SHA1
d998c9efe175b72175e9ae033a344c37f8624064

SHA256
b173f80fe350204da41612eaf9b439d24a1afcb6346ceabf5d761e2972f4e082

SHA512
d349beac0dd46c14748a56bdad053c76b9b1135d0ca1a6ac3760bbe4eef46555d5788b4945a87ce0ee1d35d8d8b8f51df0da9023f45737ffc290d48660cc2851

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
78KB

MD5
7d483cbccf436199dc803f8705126aba

SHA1
49573cf45c5bb9cf249f7cbe4b33318d0565d5d3

SHA256
a5ba8fdb6a92257d6180e7299e70f57f1db59034c6881dc77bf4ff07046dfc55

SHA512
487d20750c5bfc98d4477c11c5e03b40571ae243abe1b09e2ac697394de43b0badcdf5da47b457fe5e9810c39bed298aea31fdbb532c43bd5e4df4e5b64b0588

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
78KB

MD5
e34e1a3b6032130e0b72e38f659c21f4

SHA1
7025733bcb828c053e5751712059a9b75e1ad6e7

SHA256
03978ba3cba555d04d7882a319f4981357bbe06e82189bbe2f019aa1f0254956

SHA512
5d3e7efa1b24438755ab165167f8d15f59a03a05ded49ee0d938f5dbbe4b5a2d4c3ba3694dca5a0bfe84bdd3d88f3ddce1a93d8628f2a58471aff155cc8b521e

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
78KB

MD5
3bebb672f9364ac5d86fff41f1a9c2cb

SHA1
115968d260fa6472cac2f8576fbf69677bbfef60

SHA256
7d115645c83ad7984f1030485b04302b919894cd8bfbf37687f80931efc3db90

SHA512
de3c345e800ae696870522141296f0c4667845cf25ae762c8742b702d5dfa6301f45e899cbb9360566a11d98a2de1c623d2706bf69a870ce9932eddee837d642

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
78KB

MD5
09ca3b42376409a3db1fa05d928d0202

SHA1
88789176dc373d0b85c4f1fd9e27b4e4e8a9672b

SHA256
752790f671ceaa3b3c501362eedd4688db62b973d0c2063df7047b3a4a859bd3

SHA512
99b7361bb4585f21b8a5a7a5d8cddfb8ed77f733bdf913d56c628d68c88699583d3e8b7f79e0802e5555c02b33c65dc5670b0cafa59f4d02bd45158b4897627a

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
78KB

MD5
3af2c90f878bafafacbf6e2b4ef59834

SHA1
4522aa12622dba90206964ccb4382fc9f78947e8

SHA256
893a7f5bee5a273c659c6e2f850e344dc944c36e2b6ef6b4ea902a483701d839

SHA512
08dc7e1d9ddcd577c814814477299ee20fa433e3ae86b416157251378bd4b08df74700ddfe1a435675198a3bbd8683c74d2132aaf84046039cf38b6ab4cf862d

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
78KB

MD5
b5ff90950c44a2f8568e2244b6d2e06c

SHA1
5edde1799013c989297ba4adb430e6e4717907f3

SHA256
469afa51f5201c4a6b43d54c9744a84de13dedb99e61c0f450413145835fcdde

SHA512
a334cfd76561e1ec13c8b3ed89a454471376acba603fc74916aa4cc17bc46111eca6dad53f87468faadb617df10d4fea9b81e7f2d9ecf85037c5b8679c98026f

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
78KB

MD5
cf0f53284f049b2566146ebe1ff5e9f9

SHA1
6a24c32cab16c82645d5867bc8af12c95aec27ee

SHA256
4d50f8ae905b4ca85d7504bcbc0225c2d70a64003ee4eb7d13e8f106c0eb40b9

SHA512
092796c361550c70f754c8c56425f07bd7382bcc4d25313b21bfc012ef5689b5ad91b42eddbdf1795471a7041e7674226380fde7f9f24a4a0e22c40bafffe56c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
78KB

MD5
4d1eebda30027cd245c4fd5d8d6d7ae3

SHA1
5f1a0c1b60e627aa3d6ad82c21f59469e5a939b7

SHA256
8d1d91312ff25941174e72a31cc226ca7da276a4107e77923f19bec8eb299740

SHA512
773f6badf9f83bd43ad3c259dc6b51eaa920b889d36d1a11156cda6e17e5dd99185f963b5fa4b039e89190945cae20c839ef7273bf0d67df79074769243fe6a8

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
78KB

MD5
dd7057587a2d0522dd5fac811dd64392

SHA1
9d95938e481a675f246173b7763dfcb8ccc17549

SHA256
b9503363eda6250e201c77f2d30968df50b06439832e51b914001ef24ac19465

SHA512
102fbbe02e0eba98f559d124bab0354988f3836a321f4857989f95e22873d9dc4c87585eb7b44de7e38c36f28400b8aeaf4d063cc758292609ee3d1640241649

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
78KB

MD5
b0d3d3f072074bb7f508e788f140553c

SHA1
d93dad0b684bbc9a0f097b1b394c84abd3afe834

SHA256
682f3369a731f93e53e6eabe072b179f0223f0a16bff4c4616b2294b8b4b9380

SHA512
bc2a13af81aa7f04c8a9c26172a94e3e3a964a52de61458e067826ac2a70eb5daee1bf2dad70b0637af2562fcc21be1afa3967d9b43b4dfbe28cd894fc763329

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
78KB

MD5
f50a720497b68c794656112f26afe4f0

SHA1
bddeda5ac7fefec66ac161aa2f436ccce13f51eb

SHA256
1b05bc7b6dac561a6e3d1edf1e2b4e641575e4f6f5fd798c777524a4bcde66bd

SHA512
1bed6a2a87c3cf4ccdb41cb6516d9bd7d4a9628a2fbbb88a1b06382f4e6254f3918ba3a391fa2019de0d96147a6e1f09970fc90dd208d489aba35758ced8f714

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
78KB

MD5
a500f2065b5bd47cf1d5eaa7de744888

SHA1
26b7ee112326fd69b1fbb0f07e14f6acdd1df4f4

SHA256
69f630cf3d1204ef61cec61f50225d84a786a3673875ea7d4057a1ee7610548c

SHA512
9640b80246cda7e9992dd08fcb827894ef701fe36ce9fbf9ffb5928e57f3afbcd656e09f1c5cdf9d538af0d63b548056d4610ed33143c2e0405f29da5d94626b

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
78KB

MD5
daff17d974a587b8b0de5b80f8d757f3

SHA1
533f1c6658bd4bd951cc283bf1bce19a1d7385ca

SHA256
5422b47986fb8d37d945c5b7652604e33bafbab4d10799e0308e06245762ad16

SHA512
796ffea0c1b7c9028b1c1abf761cfa81067bfeb3e56a949161ff291ab1beeb70e9ea88af7caa4fd6acba28c5b4b8e4347195d84e557a51ca4916d9cb67c8c45b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
78KB

MD5
64e6604579cb3f688192b1ea3c9f9696

SHA1
05082cd4f60bfa3b4bc4154c720e25d02a47e82b

SHA256
cc088695a0c23492c5a480d8e33cf7f7d84117c236cb01501f12f384f5ee3d70

SHA512
9fd2ba2427c6e22c5de64186f88b31c2f0af6c290ba63cd2ae3e36a9566e1bfee426b0ed2c1832f9da8afff8a21e146eec97089f2bfda3445da90d6d7309ff60

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
78KB

MD5
db396cbed87c6d47129e1b8de1adc6a7

SHA1
02c296b04decbde2fc28e7eabf1bf0f33b6161d2

SHA256
2a85e194b1a3cde144e47e610946a4eb878b9d88824e4c9a502726147d8a9693

SHA512
62bc99d79b02eea5f330f7f223f175d897ad289ce6e4ec658b25310a50390e4b887746a17b74558b32959da40a47b9afdab3896b764e983261a7900822b7c82a

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
78KB

MD5
361d2a1ccb17db8e90e0bfd74df2d594

SHA1
a1f3e2c08074668cfeebd06e7027b2fd9a4237c7

SHA256
01bd7cf00aec79a1076ea45af62bb94409ee1309fcd9a25ed1d2df5fe09055c0

SHA512
12dc7ca9c64a5ed2365b38cf5f182febeafcb32567540d432f95a0238068d054d1b8a08dfcd59d06a1ffee1a93091ef8a65fec05350383a4f9748bdeefc1e92f

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
78KB

MD5
451da487cec8eec521a9bcf174e998dd

SHA1
9bd2802bfb6ecbbfe2b7e5ea6201d0ee6566f6a7

SHA256
374c46b2235e1927a4fd62bd55af26c22e009475e39114bfdafc1c7fe92f4895

SHA512
352095f841951642b12a8623698d8a0e8acb5330103715895358de4b61b2a6ce1d86595deab880da4efe5f6a6ba9d9263e9d77f5990d87c846ce457697295b26

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
78KB

MD5
7041daad452ef54515eb4c40f2264f74

SHA1
08f94c868ce57dc985af4d70435d7db613a4e1b9

SHA256
6f63981a4cca2278e6c27d276eb03dfe7c035a9a04d517664c9a57fc31fae6f9

SHA512
249f39940551501dd9e55a88053c9698954739e28fe1ed7b39c4a39761fd21e85323136a104bd3f12c8edddf773c7e8c8218690a90c178c1d918d652ba28ffce

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
78KB

MD5
2924e99f0ab2f888652a3b7fc19b4ab1

SHA1
abb7595cb13f85414a79f99664bd7e0f252759f7

SHA256
f9e26f02121e5a479749c259e76a8b52765d08cf596106fcfcc633232694ee01

SHA512
b869573f26a67a3d3b3120943d305a942dd1161e47e337f3ed0b39a4ffca789b9069447e60942c5cb9fc72d8399d136295cf82fcb03cc70ea7d5708afe39478b

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
78KB

MD5
c7dcd8ade4f05714abf71fe64e26a1c8

SHA1
4db532e116e263cdb538d7dabfe24453175090b5

SHA256
1c9fa076fbc812ce815ebe51a9d8abbb8add6f38bf91d428ecc07f1c54211385

SHA512
97f53104df9b703cea1c173151dc10ce92c164c4a7c53a041c667dff83ff785bc283efb791a789a8a73622e075cd2f9f4534265d9c94091b22bbe933d74fee83

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
78KB

MD5
8e818fbd359512069c9e3412fbf22095

SHA1
19d8c628889f6bc0bf68a346757188edea901f51

SHA256
676748ed5b3b38f42eeda59a8c7fa346b74d3e8d810fcafe371582d85db8126a

SHA512
a6c3f2e709fada3935828a8db5f0532cf3dfe1a6a45a5618729b3ee4013ec7a3e39ec9d050c2e70faaad1d2aba0f5cad20c622a087651dad724c3972c26bab65

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
78KB

MD5
36f89995ddee12dcd06621b47afeeb18

SHA1
2f4fe30fdbb36326e86706572f627b085dcaaac0

SHA256
b2cdeb5d6282fdb9f2a6e120fa9c20d6783f5cfb4d2ec9b2afaa7cee65c7f81c

SHA512
cced29706e809c67ef4eed3547b82cfb844cec4c21f2b1a670f8d6e967ef0ae1de0d6f9b7a1e4ed01c105284d96652a05bdde4456a260301ae81bc7a70957ddf

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
78KB

MD5
15a389785e99ee7a7b66ce3e48749ac7

SHA1
8eece06ef61a77a36cef0d51f797dd01963d6da3

SHA256
445eb35f3bb0bc9b14107c78574b52bc961674f59828982a70c5ab6224cbd538

SHA512
60825eb6000a2976a573341240c44d3ad4b80e1733f953ed8698abc46406cb0009e56498db7d6bd2ce8bcf4b9c26922a89b953e74eb70cdbeaa8f1c2d5890b10

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
78KB

MD5
9ff101563dd067daf31a2634acd2a8ac

SHA1
5e7fa59fba12280cff5d7bfbc2c2c1692f7ed291

SHA256
8e77e8e8c72a6cbd3a85f95183eb50093f02b9e2ef794501713b3b14d812981a

SHA512
874839675170848f30540ca0ed2a65e6b91757279f93069a7a72aa76d9762379560cc5426e51b3eeae6c23533e5836eb0be8e93cace19ef74ae5947da212b9aa

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
78KB

MD5
d274914bf1fbcdfcce3ace6a67a50c82

SHA1
bc9c5476ac5791d9b6b2322acb5ec0ac2b9f6f26

SHA256
8ec921643c81eac5b3b0d3c30aefcbd9eda92bf1eec6d2314e97af1ca1402088

SHA512
03e9a4a008e5881819a7d0a82548c332365b11d36ede7d3cea5673568e09d85ef1079bcd568d527472267a3038b2d8487603ba848fbd676491ebbea4f3b22e81

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
78KB

MD5
9d674b3286d76d99695a41713222ba04

SHA1
5b48adcf8a176dc101d62e5651fe70b5f9bcef48

SHA256
ac2b9387e029f0340e4433ad274b446f58eb183ef30538cbe443868aba2e58b4

SHA512
776f4184c3dd6bf92de70331aeff9a07ffe485d58a139c6e0d77171265fe439655a7c74f3958494ea0abe486c9a4b378bee54945c9f631ff027769a516093609

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
78KB

MD5
dea972947fe40c90e26e2e9da570944c

SHA1
98f11fc46eaada3c65f19a69b4616e66f52dd61b

SHA256
0ab65306e8697a932ebb7e2b8a3c12857d8b2e626ab242b3031299132dfecbfa

SHA512
1944c44f110caa4b88ca06f795e693dae33bd413225e361af2f16344710eb04a7abff891d011acffa31088b69b9d5b5e0ca88791931cc7329608506faaf9273b

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
78KB

MD5
64e46890c3a783e446dc00aa75b1a303

SHA1
41a1b8186207e32a4a5bcfd08a386ffe34654cc5

SHA256
df4d3b0917db5a729e9d1fc9ce415e2000435ca4e6d4bfe04962ac7e5eaf8e7c

SHA512
634f7434c1df82d60910878f1d0455457509f5e360ea915c5ce6f919f0fcbac39bf7ad651b6a37c4643682aae64313c02658d898f6373aaa643298b0fc341ecf

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
78KB

MD5
dedd1f96eb647398a96a311d2aa4b21e

SHA1
aab80a66e5921a87dc8268d865fa907f16758866

SHA256
17eb57dd850460516f85ad8a26a38695e7c69c2d13fb1a70249acf62aa811b93

SHA512
8e41b89c1f23966118a39fa9240c4865fec43a2e9df15982acc40a1b63427f2e09be9195da04606d38f43ca9d0e174e42908dba7ad6c7e16a369ea46a87d8c17

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
78KB

MD5
37ddc346ea6d4314252f8a4519d22060

SHA1
446d14b51b529765458906e31d2748183ebca9ce

SHA256
1e0e0585d3872c00399e5c261a226c5241099d579080d74dd041d37e7baadcee

SHA512
fc3378cdc84dceb44ed74ccfe50f22f5cb55428849949dedbf3d335aa023a9479d2eb79d089f3016903fc7b91d45efd0e70218cd78d1a034e04a2fbd530e7192

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
78KB

MD5
d1f130384c1751cef20a01158a4cb2db

SHA1
b6e0345f4c12e9b6f97299741090b9334ad2c48d

SHA256
861be4e91ca533d4dc362f4cb842f67b7301eff51246d9a5b6374f9a89eac7ac

SHA512
41a29aabcce0404ff0856448c47b4c2591e72048d5988307ed8c2980abbd506ffdb97bdb19e09835a5f767fade6a86c923a27cb43db13943c4e8447d6c8eaf00

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
78KB

MD5
d45139b667de7a20ea9d493088ec438c

SHA1
d2e10b2506fadc276721d67dd1587bc715abbf1b

SHA256
1c3c596796c2cf60f80484dd424455c453ad1d83eaeb0cdb0891337c2669cf5c

SHA512
a3f579274f7adde877d18be51d6fb1d406227cf7a79639b41569fba02e1912c8521d6c500d4a053395d1bba6ecb468b4afe6d8f50ccfe0a2f2619ab6dcf24807

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
78KB

MD5
e63c8ea1840ed9b804e9ca93cbe2b97d

SHA1
adb9b700a9526e548173578f1fc4df0ef71f54d8

SHA256
5ace89745e0b9f2ca961c8361f47915bae7e244a1726736186b1464a5a8c3bf2

SHA512
2392ccb589d0a77638c4e9da89fee8a8d3ad39ed6b3846e96006692cec79e6f979e3e0c903a2c475d07648a2f9685a4e478fe2703cc6c9aba39aaa6b632b3427

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
78KB

MD5
96c4fde03fa329a6f1f02d73ac04592f

SHA1
dfec252c860246ea2c7fc898f1f529b860afdfcb

SHA256
9d9b26241aefd589aafc41ad034ab9de7659e175fdc0e6e5cccfb61c830f6273

SHA512
9554a834907ae31bd88afbbfb4f0c1045f10723d4a349e4d0748d5d8c4caf5a4ce84b758e8cc528c02eb1e9d240c1bea16d8a6ba54db1d4ae24dee462e941b51

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
78KB

MD5
9a53880ea4cc35dac2dd125c8742fb51

SHA1
31ab51a93177b39e0743fb05c6e6589a84df8d5a

SHA256
a6b8eb02e8ca49118fa76ab7423c71521750c5109b09cfce5dac725ac936addd

SHA512
50ae32f56a1dcc75b6fcdd24e3fc38694169ec01f1b22cd21b07cfb857bc0d68efc8aae81873c5e361dc28df1eb7be868a10bd114c7bd630407faf295720e60a

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
78KB

MD5
094dcd0344177cabfce9293d2d6645bb

SHA1
27b849223fe40d81c3544e83d8a0aa8f587a28ff

SHA256
8fb88b9abb5287a002279915ca64cf1e9405b388bb68c53bd21abde3f933fd3f

SHA512
4942b48be7be93edaad6aa6abbd5f3cb597b9067eca1a1255ca19a3d7f68a3a9e5b17428736bac6cc1e8505eca464f9ee9851084d2dc9ce32ecb493148ac5e3b

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
78KB

MD5
c6e628f9cd45ecf48abfd8a3608c759e

SHA1
fd3305fc02d72ae3ec87d01b0a53cc9ec56fe2c4

SHA256
03432bfd978813587404533961a160839bd3045ab7ade15706d0c0c2ded45b89

SHA512
8f291764e9c6d893d7366a7eb32121a44fa74fba542a1d3c27591f4aac7e38478ec820b2526d8eb9fa39e2ae364b49e2a43fb0108174126536f59bde3125ceec

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
78KB

MD5
9f6a57e306c890bc63c89a625d9dfa02

SHA1
a9242949b1ad7d8fbb456d0c372275f70419b30d

SHA256
d446e9a6ac69d7968b16cdf0976541436cda4f915ae140def6dda0e9d6f8be81

SHA512
da8bfdb17350b4e17f89f53bc9d0f5eb6003bd3776b79ec2d2b7ff3ed1b60d90e5f3869d54ce1058cb976fbabe657382c0ababf9a432bb140aeeb3af820c7a7a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
78KB

MD5
ed32be8418d7826c0e430f1b503ba5f1

SHA1
45878193daf4b8ce5ed4c8a12447d76137fc526c

SHA256
46f5defbcac5b061cf766ac2d89014a397c68fa7eb2b1610a9068efcfc8cd99a

SHA512
e7f58c27ceb70a22be3e37349b63cf0228413a73595af74cb66f215f422e71e840e1d97d568ab100e8c02c8d5bb7704aefcee5c817b804f5468498fcc46386dc

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
78KB

MD5
a2eba9bca8719cf901a95a685d909b37

SHA1
1aca2d987ef6f8d314396508ea365fffc49e4719

SHA256
ec5d959fa93a3901449dbd036d3e29137dae06ca97d5e9949540c673d08a9f75

SHA512
87882ebceb7a7b25c8355838ed62b9681628a2437aff873f67a186bbf92dad77130c252fa0a2fd2d93848e98047c53cb20ec90ee4ad8cc705ab9827cd6f555a2

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
78KB

MD5
f219a0b28b8bc576c102375a29f30aad

SHA1
c7744917fbb529155fc2aa4043b0030d45468a02

SHA256
78d6d0c8ff3716a89a8e8e7cf984cd4b5b813d6d5b4eb3c12b482d884bd4a4f8

SHA512
9f227f5fce2aa371bf147852c297898cfb448c104d5a79828bd7e4c451f5a835ef0a373186ba39dc81499a0ad29898ee50d09ce2efd0cad77e9853df2105f6eb

Download Submit
memory/412-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2000-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3180-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3180-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4208-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-408-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads