843d34f085dd4f5c27cb05a20e168da2233bc8aa47be0a2fdd90f8cf2fa92689

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd858492e05eec8cf03a0c63a6bc2dd0N.exe
Size

78KB
MD5

fd858492e05eec8cf03a0c63a6bc2dd0
SHA1

aa366de6ba99b72c34f63d1daa7b7c4c53a70eda
SHA256

843d34f085dd4f5c27cb05a20e168da2233bc8aa47be0a2fdd90f8cf2fa92689
SHA512

3f717e6051786ee4e17029c44e281299368461a0d2a150efc7383e039310ebbf8699e6af0d078afd541a418dc65e6ce3e3ab49a53273c54458762affc41c10dc
SSDEEP

1536:f6SpE/MXt2O9ExOVEiE0qkWBLkIggsJVHcbns:6kXt2O9IOq0qVBLogsDes

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fd858492e05eec8cf03a0c63a6bc2dd0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe

Executes dropped EXE 64 IoCs

pid	Process
5056	Mlhbal32.exe
3016	Npcoakfp.exe
468	Ncbknfed.exe
4140	Nepgjaeg.exe
4668	Nljofl32.exe
1976	Ndaggimg.exe
3664	Nebdoa32.exe
5088	Nnjlpo32.exe
2700	Ndcdmikd.exe
3320	Neeqea32.exe
2796	Nloiakho.exe
960	Ndfqbhia.exe
380	Nfgmjqop.exe
2100	Nlaegk32.exe
408	Nckndeni.exe
4780	Nfjjppmm.exe
1592	Oponmilc.exe
3632	Ojgbfocc.exe
4900	Odmgcgbi.exe
4176	Ofnckp32.exe
4224	Opdghh32.exe
4892	Ognpebpj.exe
4508	Ojllan32.exe
5104	Oqfdnhfk.exe
3928	Ocdqjceo.exe
3660	Ojoign32.exe
4364	Oqhacgdh.exe
1064	Ogbipa32.exe
432	Pnlaml32.exe
4104	Pdfjifjo.exe
1484	Pfhfan32.exe
3752	Pnonbk32.exe
2104	Pclgkb32.exe
2216	Pfjcgn32.exe
3876	Pnakhkol.exe
3924	Pqpgdfnp.exe
4164	Pgioqq32.exe
4392	Pncgmkmj.exe
3296	Pdmpje32.exe
2292	Pfolbmje.exe
2188	Pnfdcjkg.exe
3220	Pqdqof32.exe
3640	Pcbmka32.exe
1884	Qnhahj32.exe
3492	Qceiaa32.exe
4368	Qfcfml32.exe
4992	Qmmnjfnl.exe
4580	Qddfkd32.exe
2452	Qgcbgo32.exe
4472	Anmjcieo.exe
5048	Adgbpc32.exe
1880	Ageolo32.exe
4244	Anogiicl.exe
3452	Aqncedbp.exe
2168	Aclpap32.exe
4208	Anadoi32.exe
3648	Amddjegd.exe
3964	Aqppkd32.exe
3312	Acnlgp32.exe
3712	Ajhddjfn.exe
5068	Andqdh32.exe
2784	Aabmqd32.exe
580	Aeniabfd.exe
3612	Aglemn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5704	5548	WerFault.exe	198

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fd858492e05eec8cf03a0c63a6bc2dd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 5056	4680	fd858492e05eec8cf03a0c63a6bc2dd0N.exe	84
PID 4680 wrote to memory of 5056	4680	fd858492e05eec8cf03a0c63a6bc2dd0N.exe	84
PID 4680 wrote to memory of 5056	4680	fd858492e05eec8cf03a0c63a6bc2dd0N.exe	84
PID 5056 wrote to memory of 3016	5056	Mlhbal32.exe	85
PID 5056 wrote to memory of 3016	5056	Mlhbal32.exe	85
PID 5056 wrote to memory of 3016	5056	Mlhbal32.exe	85
PID 3016 wrote to memory of 468	3016	Npcoakfp.exe	86
PID 3016 wrote to memory of 468	3016	Npcoakfp.exe	86
PID 3016 wrote to memory of 468	3016	Npcoakfp.exe	86
PID 468 wrote to memory of 4140	468	Ncbknfed.exe	87
PID 468 wrote to memory of 4140	468	Ncbknfed.exe	87
PID 468 wrote to memory of 4140	468	Ncbknfed.exe	87
PID 4140 wrote to memory of 4668	4140	Nepgjaeg.exe	88
PID 4140 wrote to memory of 4668	4140	Nepgjaeg.exe	88
PID 4140 wrote to memory of 4668	4140	Nepgjaeg.exe	88
PID 4668 wrote to memory of 1976	4668	Nljofl32.exe	89
PID 4668 wrote to memory of 1976	4668	Nljofl32.exe	89
PID 4668 wrote to memory of 1976	4668	Nljofl32.exe	89
PID 1976 wrote to memory of 3664	1976	Ndaggimg.exe	90
PID 1976 wrote to memory of 3664	1976	Ndaggimg.exe	90
PID 1976 wrote to memory of 3664	1976	Ndaggimg.exe	90
PID 3664 wrote to memory of 5088	3664	Nebdoa32.exe	91
PID 3664 wrote to memory of 5088	3664	Nebdoa32.exe	91
PID 3664 wrote to memory of 5088	3664	Nebdoa32.exe	91
PID 5088 wrote to memory of 2700	5088	Nnjlpo32.exe	92
PID 5088 wrote to memory of 2700	5088	Nnjlpo32.exe	92
PID 5088 wrote to memory of 2700	5088	Nnjlpo32.exe	92
PID 2700 wrote to memory of 3320	2700	Ndcdmikd.exe	93
PID 2700 wrote to memory of 3320	2700	Ndcdmikd.exe	93
PID 2700 wrote to memory of 3320	2700	Ndcdmikd.exe	93
PID 3320 wrote to memory of 2796	3320	Neeqea32.exe	94
PID 3320 wrote to memory of 2796	3320	Neeqea32.exe	94
PID 3320 wrote to memory of 2796	3320	Neeqea32.exe	94
PID 2796 wrote to memory of 960	2796	Nloiakho.exe	95
PID 2796 wrote to memory of 960	2796	Nloiakho.exe	95
PID 2796 wrote to memory of 960	2796	Nloiakho.exe	95
PID 960 wrote to memory of 380	960	Ndfqbhia.exe	96
PID 960 wrote to memory of 380	960	Ndfqbhia.exe	96
PID 960 wrote to memory of 380	960	Ndfqbhia.exe	96
PID 380 wrote to memory of 2100	380	Nfgmjqop.exe	97
PID 380 wrote to memory of 2100	380	Nfgmjqop.exe	97
PID 380 wrote to memory of 2100	380	Nfgmjqop.exe	97
PID 2100 wrote to memory of 408	2100	Nlaegk32.exe	98
PID 2100 wrote to memory of 408	2100	Nlaegk32.exe	98
PID 2100 wrote to memory of 408	2100	Nlaegk32.exe	98
PID 408 wrote to memory of 4780	408	Nckndeni.exe	99
PID 408 wrote to memory of 4780	408	Nckndeni.exe	99
PID 408 wrote to memory of 4780	408	Nckndeni.exe	99
PID 4780 wrote to memory of 1592	4780	Nfjjppmm.exe	100
PID 4780 wrote to memory of 1592	4780	Nfjjppmm.exe	100
PID 4780 wrote to memory of 1592	4780	Nfjjppmm.exe	100
PID 1592 wrote to memory of 3632	1592	Oponmilc.exe	102
PID 1592 wrote to memory of 3632	1592	Oponmilc.exe	102
PID 1592 wrote to memory of 3632	1592	Oponmilc.exe	102
PID 3632 wrote to memory of 4900	3632	Ojgbfocc.exe	104
PID 3632 wrote to memory of 4900	3632	Ojgbfocc.exe	104
PID 3632 wrote to memory of 4900	3632	Ojgbfocc.exe	104
PID 4900 wrote to memory of 4176	4900	Odmgcgbi.exe	105
PID 4900 wrote to memory of 4176	4900	Odmgcgbi.exe	105
PID 4900 wrote to memory of 4176	4900	Odmgcgbi.exe	105
PID 4176 wrote to memory of 4224	4176	Ofnckp32.exe	107
PID 4176 wrote to memory of 4224	4176	Ofnckp32.exe	107
PID 4176 wrote to memory of 4224	4176	Ofnckp32.exe	107
PID 4224 wrote to memory of 4892	4224	Opdghh32.exe	108

C:\Users\Admin\AppData\Local\Temp\fd858492e05eec8cf03a0c63a6bc2dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\fd858492e05eec8cf03a0c63a6bc2dd0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\Mlhbal32.exe
  C:\Windows\system32\Mlhbal32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\Npcoakfp.exe
    C:\Windows\system32\Npcoakfp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\Ncbknfed.exe
      C:\Windows\system32\Ncbknfed.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        42⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        61⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        76⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1908
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        81⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        84⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        90⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        99⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        105⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        108⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        112⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 404
        114⤵
        Program crash
        
        PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5548 -ip 5548
1⤵
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
78KB

MD5
fc4fee8dba1e8baf4045993932bebc4e

SHA1
a20307ea6b189b5899c04c527f2e4389c10e9e0a

SHA256
4a2c5d8030f4a13045072c48b1546f29959469c72f36e90ba30e5f7ac93ff8bf

SHA512
ee928a8acb5a545d8b379c1ca21c328938b57bc3437febe6f70e5d999b85c55001ea914e319cd312205f89f2ce007c8b69c37f1c46794124f6d1b45c86beeb33

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
78KB

MD5
b06ac7b0db2fbb7d694caf5f90e726e2

SHA1
755cf857b685ce99e0e567d25a7b36d25a352945

SHA256
1be0ac2a8b3a30bf5144ccf9c1e699c0f8c6257fd40e3761a402c57e6bb963e6

SHA512
869498c71a9465c9564ccaa0fe819826c0a8dfacb0f6818c24048883ad5961be24d1dd95609a4ef445950d7d49fef39e29edf2bd32f115cec4a8e0906438c09b

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
78KB

MD5
d9ee01582650db87c0e3ccd08e42d5f2

SHA1
1e6bcf7c48c4ce6184a63c80f4f5bf101c519f15

SHA256
c203c70f1be2bc8dafa692c9a256d0539ea9f7f0c4f83c0aa08fcddec9f15930

SHA512
cb26846e109bfaa7bcafdaadfb23eee793b62e6d2a73900110a674b0408152c5966815345bfe4960012ee64173445fadaefe12f50e1a13ccb56b08df9dddc13e

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
78KB

MD5
2689e039c07ca28fecb2f33a47b63f5e

SHA1
80211d899d732f468b0b98d7e9823a020f2a7188

SHA256
85b4d16b6daaddbfdc5177ca83e82df2158e9735fd8656c809c3d6ecb0004bd1

SHA512
58359ff28a73b28897446721fbc68ccb06f47f9f4e7e694587d959b96879dae7abeb923b574800fcecd528ff4e7705addb021ce15b3746752165a7daf07c049b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
78KB

MD5
0c54becccf295896075968abe798f602

SHA1
e82d749138d5e7ab7859d6bdd19bc6b8da557a70

SHA256
7a537eefcf4ad829b9a184c32227eda703e10a005b077085b39b713b5dc00941

SHA512
5497dff0304a98ed72506602fa332e2c6cc19aff74fea00d53beeb0f43e4105d557332549b4525d06278db390215713cae5e7f48137b56f9a332e636c85a51bc

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
78KB

MD5
86ceb3cc11cc368524aef67c37cf8f47

SHA1
1eed6509d19281496ea4e2bcb3d67314d9df2c05

SHA256
47252d38efd4fdff1fbd509f3a0ccf262456be828ad07bcbd844031f31c9acfd

SHA512
9e5db022e8fdf78e0a31875c7000f47406b9f92df41faa336ed3149b52b0ada85b499c2421dec5446625040dc7d1bc7cf808af74b927fe6b2bf3f04713100718

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
78KB

MD5
c9e8eec6a234c11fc65c3c23a53b652e

SHA1
0de2344f90b3bb66c9340b68fa896428dcf702a1

SHA256
f819c139d3e68938bfda9d25048601b45445ebfa2cff6b14c1bdb2c260d22dd6

SHA512
e43249c6871a9e288453e96b0672b7c6e37230a703306100ae301f590975403ea51d0237e812edf1c8afc235873d40845b1c07b74ea28c0c5cdc81088c819dc0

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
78KB

MD5
addbcfe36110aa41c4b46a868b3ee8c8

SHA1
2746bed2de49a20b7f51ab1cf2b12f848042ac67

SHA256
8f4b913b08831c0cda8c5b17088c907e663d38c9a935bbf41ecb16c36386b519

SHA512
b45ef59ca83f8272deb3d2ab823c53ea62d690b6207b2d4cae4fb7e0196b8a36fc3dc68b1b1d7c7d7692e108f9509f89567846ad305fe1dfaef48af4f7736638

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
78KB

MD5
96fa41c8b98144dad0aa9afcf4c124ea

SHA1
90f8303eb0690ae5f8c379dcd1babf77f173d675

SHA256
6a5309a71520ceacee4eb3fdd8bc81cc39bc0d3f0a8250f1828995d60e1df87b

SHA512
95b0c29f70f6e92db6f0c5c2a45c33e28c1f65a323403a2a9a4a4ac0eb93e909f6108731e7ac4046430babf3c8b5cd39e0890c8f8cc5ae76982984c45b8fe916

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
78KB

MD5
fa6013f17425d1db5fe4582d2e3502e6

SHA1
937cf781322f3c667795b7f0e822c793b1ee66f7

SHA256
7e96405c0e0e9ed638e4742ba4ee18ee672e29caf5575b5414eded4dddf35e18

SHA512
fdf6167e3d9e24b2f258a20a273185e9565610d53b93ed3c6e5540b1ca4cabf4f88b452a17d471ee45382aa01b32d2412ed89200c9e4efa93bb9305d7081ff23

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
78KB

MD5
801f0930fa6f2e92c06bb231e3efdc78

SHA1
9fb4b17199ffae51144ef1d3a40da88e41e05b9f

SHA256
e869df1f38d4fd2c547dd3ae5a78dda24923810c5f5a511d7e480c1d30411bce

SHA512
eb8a287c2764c2e5184b56f32bd9eaf26b1ef1b66dbeba7f78982c928f79e00a994e00a88ab47bd1983b054ecee265d6a81fbbf35dae809a40b60623f57466c8

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
78KB

MD5
71cbd056e51bfb7efbb52707d704bf18

SHA1
3528c072f878211398f978777cdba6daba3c8e6a

SHA256
f9668578e83f04a6a8d90b6e6459c2189fe7e20a6ab968fc74eab7edf317e09c

SHA512
b431a0ec0c14aca2213bac36e9554b2d765e940fcc2626b4b80114b4a9edf72f7cc0421485a30e2113a12a917bfe86f988c93e4755abe337ed3aa2028320f869

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
78KB

MD5
d65d3863ba8080b177095b42fe0a061f

SHA1
7de8537d3fbb32079db525495a43d5ab8b246bc2

SHA256
f08e90fb46a85eb1900c2a23383f18395c2a8fb06b81a61a7af2f75e1d9d1352

SHA512
a420125f0d4d64c7feef6e263adc5b713bbc47e862e7ce57a695477d223815bd0ba174a4ce44ced8744b73cbdbc85d6222c011ccce86b9bd882fd8e6dc20f2fe

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
78KB

MD5
6335067728d0d7fa2dc1820d8bf2f3b7

SHA1
ed90b178f751ce43ac6c8e1d64636b4983005d8a

SHA256
6df948c37feecd424e01531f348f867a61ad3c32ed71e23e7c0a3a0d79c24605

SHA512
eff5dc6e496b259b9665401a9fcf155365097645d5d9975f932127de36bc1c98e923e8aa693b12f8f2a9f1ca5dd05f2c340ba6d610a765ac66f88a608bedbf5d

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
78KB

MD5
ea993f98346561983eafe1a4c97f6ed9

SHA1
26559b89a0fa7ca32192ed19f5055a5145b99587

SHA256
9b48bdc7ce13eff03d8eb705e01d8684d25a1bd322bb9b52816b3f52119543f1

SHA512
0c4daaf84482cb18015573877465e3f14ac959ce903ec5a0d0939dcd56d1f44f1bd2825d0862b0e4abfd6c75de306a33062cd3d91d43c527f646217a997b79fd

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
78KB

MD5
6db949e6b38fb735f25dcd860429160a

SHA1
a8ef1919bbe00bd4523e30829d721ef9c7666bd1

SHA256
4e6638309a4eed914f3ca30ae20d6a31af03c61b4fc0742b51a67b715cfa5974

SHA512
aca04731b44f22716f21f77a58d98e18ac2338749bc0e52b79154b474a1c5fc1d07bf963068b3b80c17a32412b8b78aadd9797758f3a12ebe19ed654386351f6

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
78KB

MD5
a706ceb93755154156ee112662e69e8e

SHA1
9c5ef2003c534053030e9777d83bab4e90883b34

SHA256
cb1e7f9dc6e1f4156a9aa521b7035da1be0a0ed2ab844bdd9a4939666b7be96b

SHA512
03c64eb3893e8a991f68fef69bb35d03bb720549715917f8f1d3b685ea5d8c6354aad60582c03e0de8f302f399e0a40bb5445b88074cf8de6be86046934bc7eb

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
78KB

MD5
26b68f43195c3ea970bf026fe33c92d4

SHA1
9547909581698a648c459890998b152524974479

SHA256
c5ef623e23f2142baca0ae748f33d516b331bab783e3d0d664808b732626637b

SHA512
e5f3a9ece7208456bf3b057d6a45974191eb30e118ac7a41d7b540fe3580acff47bbcde82a3a9dc2ce9ebfbfc9a0aa19afda2bb45c02585f70f24010f6f8f7cb

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
78KB

MD5
f15c1c2eeb5d15563113049a2ce2e9cf

SHA1
bdaec40043abee19cf01f90a4c2fdfe3ebfcd09c

SHA256
010ece64db9c6d13dd7d2c556f6fa5885321767d2b70ac3f10132207665f6c65

SHA512
488e4afa1eb336685157b8f39e59e34544191ef75621da2c8b8c755a30236f1e48f5118aff4f4a61f95ccc8edf3eb38c5901992b6bf67468a3ee84c36fbff6fa

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
78KB

MD5
6a27af95d191f88258175813400133c6

SHA1
d7f7ecc81126a4c8a54880854d8226fc50d37583

SHA256
8674fe2b927e64f7b7b92749190f598b4965993f1a95725d3cb83f4582bc0c61

SHA512
e9512f705253b41a2063cc665062658ef7be342f4a74e9a50ce578e6afb6e822969dc4bad679fd396c08a0955a9f1c45b01255b6cc5c08e1a6ef8ce9356c6942

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
78KB

MD5
d0babe391545974038b0fb14a7b2ba17

SHA1
21522779365ef37208bc4ec48ad56597b6171760

SHA256
006070cc45c1a83b24ec1a297cf446d5158dc39822b6de651fcc20c44e383b2c

SHA512
8f0a6cc6ac7bd53d1c8abae104c25a0da56b94989f584013a651f6d1992a2a6429659cc63d2cd6171f55732e42fc20e9221ddad7a2b84162e7bf1b29958211d7

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
78KB

MD5
0e167231976e4389c462f980f04b785b

SHA1
b8f959f6f3a044e63adf8498f7d5ddddace719fa

SHA256
5c23da7a4201de834a342e63ca940a26678f5fa0b44b0e4268bb288fb0373052

SHA512
a06b6ca2d99eaa4f18ad243b6207fa87479e74336096aaaa58a876d3598ff125fa47c36bb14312be0fc57186c69aa3f6453b01b3cc85ac9b46d6627983b8fcb2

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
78KB

MD5
4fc89da579898568baedaca5da4ca34a

SHA1
9d7594e3cac68b2cc95bdc43f474c2429a69470e

SHA256
49b7633561333329f8438a3f1b11857ce868053feafbdba798ba6c15fafa5094

SHA512
97f71d81a44879d4a1fa5b55b1f4ac21d490bc52b47198b9302218b1323b0afcaf770a486a16b06f39b6a583113d8331fd7ec315c801b53a55f71ed8d7b05104

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
78KB

MD5
c19ffda437a79c30562bee90fa33a15f

SHA1
fbd411256b1a408fb3a12c9012b9ee62dda888e6

SHA256
5b8a6179be3f381afcf405f694e9742026313016f7a8d113428ea954f07f3dee

SHA512
abd3df2a4e2c9d1f37ef4d76bb23dce742754906619aa6fe333fb32ea3c276bd736c5dcf03eeeacee9d3d508f7c16ea5fe2d91e2b283d1cd3257a954984954c9

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
78KB

MD5
ee06caf48a8b04abec1f36ffc13072a3

SHA1
cb8bbe13d1c7ac4aa38d2bbf5546c6c7537de478

SHA256
76bbbd64964ede4b774e1cb8f53e2a32cbd6e67124168e7725d50f3b463b97ce

SHA512
7528c12e2a40b919ed701ae651d2d58e6d31253489dc4a26467070377a086148dfcae3b9427b5392030cd16a9d07079ec225ec4cb2b5bfe9cc63fad2f2620a17

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
78KB

MD5
bc31e33999133f059071a768281dcfa7

SHA1
bf8b3135605d7aedff346b87dde23989d55ff78f

SHA256
c08e8893ece37007db8185dd907c49d22f07a484e9d5167fb3943e1bf74043f6

SHA512
5d80b251c411f14206ae193d26e56eecabb736b3feec03155b449ceabdcf752d2fdac3f1712a189930a733510b03fbdb90d7f38ba6acd5bf190d4ea1b08fca6b

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
78KB

MD5
294d7219548637e7463325dd2c70877e

SHA1
bbb1657b5af36264be0275c10af66ec48207de1c

SHA256
564622ef318c0552e75fe6a04c9a8b92be09fcfd2334994875b9b78d475a64a9

SHA512
47a25b02794610e8571d507cf206a5128d55a5b81f2ce0e2bbf318b1dbacac0ccd1819491422aaf30926b1d96e3d054777106c2c0f25e723cfb161941fdbd83e

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
78KB

MD5
58265e083501d5cfdc15a8f4078b2768

SHA1
1eb2f54a07c4acc965cb79b1ca0f7254467569f6

SHA256
88be34487c939ecd389abe3f3c9c5e5dd6a8bb016fdc12e072ee977dec7a98ac

SHA512
f8e3f12bdbdd757fdc121ccd78d21eb3cecf286a158ec4a364e912d6db015b08f37d7686c577a70c0790f68523807afcde56b147fb560a7d9be4e903a53d1086

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
78KB

MD5
9ec6f92330927f209a76262653d1c192

SHA1
65a6ba9d7ea9dfd1566ba7b008c9462628d8ef7e

SHA256
e25b667054d0e9d92a02e9d549436a9e1d548b018d7ff4cf05e02f58133c155c

SHA512
2945c0d893c36059b768533ee4cb98022878c7536faea94e99f633e2083d89b8cf4b02dc9d45a81f37f1aae5cd12cee90686efa7ccd017956ac3631816d2eacc

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
78KB

MD5
5fa964149eef558fc0fd2b098ed1da51

SHA1
4dccfc7eb503b82362e6ee1ad2764887c495dad0

SHA256
84ba43276a300c3b4bccf7561d543ec982364f5aff1906f3024fe7d82ec6fcb1

SHA512
e53a5d66426f379862b3ce72d413a9215cab7e374952e03e13be5090b134f36e417fc8e22ab5aaec136be7e27a12a24737d92083a7b7532daae1b955be6d54e8

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
78KB

MD5
ee96f5d98fc959f4c379aa85feb1e916

SHA1
ab0e2c0b2c53ac9df3964a6589f8179db242e6f5

SHA256
b3c34bbd46955b173204fd4bf1c1491bd3806fa412ea7763948aec1a666e3f20

SHA512
dda52810270a97020c18ab66aaa8b54d6d2e5faee0f8b915b3bf73c1292a7366a310dcbd903dd59b5a9dcb697c6f0a53f5931bfe61d1e41c85cbc69a7488b16f

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
78KB

MD5
cb9413d623568a507dabaf95a144ca3a

SHA1
2733fb7e819e3c4060af06a977d063afa2985ea2

SHA256
33609adf18c074fd280c8dd4c6718a05ee75d800f902b79013628acd0d093c17

SHA512
63374f88ff2835747d3aa541b25291a5e5dbb0e46dd89f835216a59de6dfda5e544751afb75c174a28969d0c556cb3e711f80f12ab8bea7e32c598527b080857

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
78KB

MD5
3df31dd1529c43e4b38e79570c95789c

SHA1
2f5707479cb88c711004611fb1736c843d03d2b9

SHA256
deb3469296fdbe634a2780cf9b2dd2d30736026d265bb6ddee079af1dfc10c20

SHA512
85f6689901f07b7d5b96751dbc0b42a2557f3fb8f7a24aceb997d7765136800d4b325ff26b978b720ad661103d882ab7f89eccaeaba7969cc90ea8e2d24cd5a3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
78KB

MD5
5777368c1c97954a4b5f1c0d381e016b

SHA1
164d12f5b952a1a68f12a4bd984a5ad837e80778

SHA256
7bc390486521c7516570e8b2a77ed6fe23854483506485ad82e5c52c7b76f9ad

SHA512
a96f77273f23e709108c35ac8aea404c1cae81e33aa893b2ed013f52e0148d35d554bf6b7c8330438fc03f543fb370fa4e575ed5ae5003e3fe57e1cfa6de2907

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
78KB

MD5
d3630d68bb481382ac8d777565c3ca7e

SHA1
5311b01f94cd60798b3f5368fb9d1d97d7049c90

SHA256
14ba7e826ef63a2829c4a04b86d92db53276b05272b7a7a2435a222f7113a126

SHA512
c9b8a56eda5c8e6094c7fc7c8fb35239dae0308461736f9343430f99a6b6144a47ef4ac971a28e9b4ce38538857bd4054f7d8a0b4860d90109e9032761df235e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
78KB

MD5
7ad04d8fc88112cc8af75af7d5b07165

SHA1
f0cf7343e125fa4231622d034ab84df145b6d73e

SHA256
65629caac24280d2409996c08c060bc6eb41228ba709969b151c2ec1d3476fd8

SHA512
c3a5ea4d95fbecd9a052d4bcdb18684f4531d4c712fe6ac52178e7c5071b2ff0dd443b5053eb41cd8f72c1d860814c53547ffacaff44d380f4b2221ec34df5ba

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
78KB

MD5
41b563bdd6faf0df7b6cc23e46f9db2c

SHA1
4a8c1472ecaa7aa9f2e2f6efedbf18886ead7074

SHA256
bebca95099edd6398d30b781701424f88a1b06e8fd7e7709e2fecc3eb429bf5b

SHA512
e1f0b410757dc5f407498b41cc4fd651e7e7f5b8658b2340d88ee2ff87d4f96824a84e54f78c8e36dff8aa0b973ff3272bbb55ec49a4dc0076f8df92c4542eba

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
78KB

MD5
deeffd300ef7ee40a48e3882d1384c0c

SHA1
b1ec354325a41ae69bded02d97b6057a93db8f8b

SHA256
8fbdf5f088dc6b790538aa4560ec9ed14e37d2b03417b7e098251aab2da59019

SHA512
70dca20cabdd96f3020c9e380b725511b87031d00db9e8933f3bec6ccfcf470669034280e43984d44eea89ae8aa7bda7051eaa7bf13f8cee67e02e0e4a56da75

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
78KB

MD5
9b4bf2a2308e17d0e8982ffb21d67254

SHA1
783d837e7b694e88e48faa7ceb3f4448313550ba

SHA256
684616439ac11117c33c3bd7bb1cfff8beb4d6d5f47b5cf4d9b2ef8497affe02

SHA512
d280c40e78cdea48cbe9b6ecd88d9eb520d61997be9847717bd2f21f8bbac148dd2917cf23873a0b5f75f15f9af1b1f40d9c1866bc007f20cf6c22085823668f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
78KB

MD5
ce1948ec6cb73f3dadf8c7cc7f025870

SHA1
2d842ea8724e5ca75ff225ffbb6bd895712e79b0

SHA256
7c55e5f2c93c9ce3734e23bc1f933dcd1b7b3a3e269fdd6214bc0861d37b8632

SHA512
b1745bcf96da3b717daf8bb2c44eb9bb2cdfb39980cdf90be65a502c3ef408d5f31485fc74e80cd68243d558555b7ea0e55e99b87db2e96e36f56b7ffffcc4dd

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
78KB

MD5
1548c005e0ed0ea4e9e3fdccc8f6f5b2

SHA1
8ba1b11e46ef229e406b5f3460072a43060200b9

SHA256
2672afbc9ece4c9b4e4999ac0a13d244f6bb2a960f8da0c637afcec717eab012

SHA512
03b920b23e020c642849d205709d601ebbb4ed98a63741b6a4b61b6057a679002224224793d5288c21ff7262cde10c74cf364746d59b3364c5d5fc0055dd5066

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
78KB

MD5
88f1e7aad1f0e8cbf32aa986a70336fd

SHA1
40b346b379afc3a94361805aeea36493f1522c06

SHA256
b9db3c84114d9b69112ab5f32627b5b66ef7f25c8407c148033b29e918a18606

SHA512
12492dca19139e0d7b4ba3fb11002e5b3a2dde8e14f9b50cd1bde22073661481d622a97dc6b1128df3be816e71491d4aa83f140be9bff68a8b3bf914feab6f82

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
78KB

MD5
5faccfcaca68ecd177d4ec9c7f254b01

SHA1
6296659b4a52a3cf0fa02a37fa5d6043a1acc75b

SHA256
79c9f355c7d82e36520285bba6880d77ffe1edc773b202b006d07d56696b314e

SHA512
665699b3e853cd00e8b9225c3cd01e516e88c61389741e62fd7b8c29523fd825e81ecb0bbc36a1fa2f766f2f1a7410a2c0b1e390bf7e95f7fa30ccd512874201

Download Submit
memory/380-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/380-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/468-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/468-25-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2216-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2216-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2292-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2292-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3220-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3220-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3296-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3296-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3640-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3660-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3660-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3664-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3664-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3752-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3752-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4140-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4140-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4164-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4164-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4368-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4680-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads