42c4d13e80669e64c7ec7c538946a89720f30c5982ae96c60506d19b619d5213

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18b82a2cdd5ce7ba804caf8796211b0N.exe
Size

313KB
MD5

e18b82a2cdd5ce7ba804caf8796211b0
SHA1

3e0016fb1ee3c89aa32bf376a26f301a04bff286
SHA256

42c4d13e80669e64c7ec7c538946a89720f30c5982ae96c60506d19b619d5213
SHA512

dd183f4b99c0923196605f301b44e7c2e5e6ceb2aee66173055b7d6ac75093b0fbfd447d287606efd51493499dc4935815f93045dec5a3cb72fb6d6bcfaf3872
SSDEEP

6144:+Y08lLSCPgZUmKyIxLDXXoq9FJZCUmKyIxLX:+d8ECM32XXf9Do3+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe

Executes dropped EXE 64 IoCs

pid	Process
3144	Mdckfk32.exe
3256	Mgagbf32.exe
940	Medgncoe.exe
2540	Mmlpoqpg.exe
5020	Mdhdajea.exe
4824	Mpoefk32.exe
884	Mmbfpp32.exe
4996	Mcpnhfhf.exe
2060	Mgkjhe32.exe
4264	Mnebeogl.exe
2492	Npcoakfp.exe
3284	Ndokbi32.exe
1784	Ndaggimg.exe
2168	Nnjlpo32.exe
2388	Ndcdmikd.exe
4644	Npjebj32.exe
4804	Nfgmjqop.exe
2284	Nlaegk32.exe
628	Ndhmhh32.exe
4080	Ocnjidkf.exe
976	Oncofm32.exe
3288	Odmgcgbi.exe
2708	Ogkcpbam.exe
5088	Ojjolnaq.exe
4532	Ognpebpj.exe
1064	Onhhamgg.exe
4316	Ocdqjceo.exe
2428	Onjegled.exe
1440	Oddmdf32.exe
1432	Ogbipa32.exe
2392	Pqknig32.exe
1616	Pgefeajb.exe
4212	Pnonbk32.exe
3172	Pclgkb32.exe
2888	Pfjcgn32.exe
1792	Pjeoglgc.exe
2348	Pqpgdfnp.exe
452	Pgioqq32.exe
3360	Pncgmkmj.exe
1564	Pmfhig32.exe
3424	Pdmpje32.exe
4364	Pgllfp32.exe
1480	Pnfdcjkg.exe
3024	Pdpmpdbd.exe
4520	Pfaigm32.exe
4312	Pjmehkqk.exe
4820	Qqfmde32.exe
4548	Qgqeappe.exe
4296	Qnjnnj32.exe
1636	Qddfkd32.exe
3332	Qgcbgo32.exe
1452	Anmjcieo.exe
2176	Adgbpc32.exe
2908	Afhohlbj.exe
3824	Ambgef32.exe
1660	Aclpap32.exe
216	Ajfhnjhq.exe
4452	Aqppkd32.exe
4224	Agjhgngj.exe
4764	Andqdh32.exe
3960	Aabmqd32.exe
2776	Acqimo32.exe
5028	Ajkaii32.exe
4860	Aminee32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5128	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3144	1884	e18b82a2cdd5ce7ba804caf8796211b0N.exe	84
PID 1884 wrote to memory of 3144	1884	e18b82a2cdd5ce7ba804caf8796211b0N.exe	84
PID 1884 wrote to memory of 3144	1884	e18b82a2cdd5ce7ba804caf8796211b0N.exe	84
PID 3144 wrote to memory of 3256	3144	Mdckfk32.exe	85
PID 3144 wrote to memory of 3256	3144	Mdckfk32.exe	85
PID 3144 wrote to memory of 3256	3144	Mdckfk32.exe	85
PID 3256 wrote to memory of 940	3256	Mgagbf32.exe	86
PID 3256 wrote to memory of 940	3256	Mgagbf32.exe	86
PID 3256 wrote to memory of 940	3256	Mgagbf32.exe	86
PID 940 wrote to memory of 2540	940	Medgncoe.exe	87
PID 940 wrote to memory of 2540	940	Medgncoe.exe	87
PID 940 wrote to memory of 2540	940	Medgncoe.exe	87
PID 2540 wrote to memory of 5020	2540	Mmlpoqpg.exe	88
PID 2540 wrote to memory of 5020	2540	Mmlpoqpg.exe	88
PID 2540 wrote to memory of 5020	2540	Mmlpoqpg.exe	88
PID 5020 wrote to memory of 4824	5020	Mdhdajea.exe	90
PID 5020 wrote to memory of 4824	5020	Mdhdajea.exe	90
PID 5020 wrote to memory of 4824	5020	Mdhdajea.exe	90
PID 4824 wrote to memory of 884	4824	Mpoefk32.exe	91
PID 4824 wrote to memory of 884	4824	Mpoefk32.exe	91
PID 4824 wrote to memory of 884	4824	Mpoefk32.exe	91
PID 884 wrote to memory of 4996	884	Mmbfpp32.exe	93
PID 884 wrote to memory of 4996	884	Mmbfpp32.exe	93
PID 884 wrote to memory of 4996	884	Mmbfpp32.exe	93
PID 4996 wrote to memory of 2060	4996	Mcpnhfhf.exe	94
PID 4996 wrote to memory of 2060	4996	Mcpnhfhf.exe	94
PID 4996 wrote to memory of 2060	4996	Mcpnhfhf.exe	94
PID 2060 wrote to memory of 4264	2060	Mgkjhe32.exe	95
PID 2060 wrote to memory of 4264	2060	Mgkjhe32.exe	95
PID 2060 wrote to memory of 4264	2060	Mgkjhe32.exe	95
PID 4264 wrote to memory of 2492	4264	Mnebeogl.exe	96
PID 4264 wrote to memory of 2492	4264	Mnebeogl.exe	96
PID 4264 wrote to memory of 2492	4264	Mnebeogl.exe	96
PID 2492 wrote to memory of 3284	2492	Npcoakfp.exe	97
PID 2492 wrote to memory of 3284	2492	Npcoakfp.exe	97
PID 2492 wrote to memory of 3284	2492	Npcoakfp.exe	97
PID 3284 wrote to memory of 1784	3284	Ndokbi32.exe	98
PID 3284 wrote to memory of 1784	3284	Ndokbi32.exe	98
PID 3284 wrote to memory of 1784	3284	Ndokbi32.exe	98
PID 1784 wrote to memory of 2168	1784	Ndaggimg.exe	100
PID 1784 wrote to memory of 2168	1784	Ndaggimg.exe	100
PID 1784 wrote to memory of 2168	1784	Ndaggimg.exe	100
PID 2168 wrote to memory of 2388	2168	Nnjlpo32.exe	101
PID 2168 wrote to memory of 2388	2168	Nnjlpo32.exe	101
PID 2168 wrote to memory of 2388	2168	Nnjlpo32.exe	101
PID 2388 wrote to memory of 4644	2388	Ndcdmikd.exe	102
PID 2388 wrote to memory of 4644	2388	Ndcdmikd.exe	102
PID 2388 wrote to memory of 4644	2388	Ndcdmikd.exe	102
PID 4644 wrote to memory of 4804	4644	Npjebj32.exe	103
PID 4644 wrote to memory of 4804	4644	Npjebj32.exe	103
PID 4644 wrote to memory of 4804	4644	Npjebj32.exe	103
PID 4804 wrote to memory of 2284	4804	Nfgmjqop.exe	104
PID 4804 wrote to memory of 2284	4804	Nfgmjqop.exe	104
PID 4804 wrote to memory of 2284	4804	Nfgmjqop.exe	104
PID 2284 wrote to memory of 628	2284	Nlaegk32.exe	105
PID 2284 wrote to memory of 628	2284	Nlaegk32.exe	105
PID 2284 wrote to memory of 628	2284	Nlaegk32.exe	105
PID 628 wrote to memory of 4080	628	Ndhmhh32.exe	106
PID 628 wrote to memory of 4080	628	Ndhmhh32.exe	106
PID 628 wrote to memory of 4080	628	Ndhmhh32.exe	106
PID 4080 wrote to memory of 976	4080	Ocnjidkf.exe	107
PID 4080 wrote to memory of 976	4080	Ocnjidkf.exe	107
PID 4080 wrote to memory of 976	4080	Ocnjidkf.exe	107
PID 976 wrote to memory of 3288	976	Oncofm32.exe	108

C:\Users\Admin\AppData\Local\Temp\e18b82a2cdd5ce7ba804caf8796211b0N.exe
"C:\Users\Admin\AppData\Local\Temp\e18b82a2cdd5ce7ba804caf8796211b0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\Mdckfk32.exe
  C:\Windows\system32\Mdckfk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\Mgagbf32.exe
    C:\Windows\system32\Mgagbf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SysWOW64\Medgncoe.exe
      C:\Windows\system32\Medgncoe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        56⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        67⤵
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4232
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        78⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        92⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        99⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        100⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        102⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        104⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        105⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        108⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        109⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 216
        113⤵
        Program crash
        
        PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5128 -ip 5128
1⤵
PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aihbcp32.dll

Filesize
7KB

MD5
ee38ed692c4f95d899b0cdf39e2c3066

SHA1
f006ae16a269adac080b96e2dfe703b389583d1c

SHA256
b56247ef28b21e9970e5c4362f456e1a8c0f9123f3e2245b03ca7ad0b8a8fd27

SHA512
257c36598faa436b8860e06a78af1964937e9b76f7f5b21b2173f236d1b615dc0c23258ad2a8ecb64b9dcea4d5dd9b4e1ade7c69ab4350ea60a770631334f699

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
313KB

MD5
050acd9e459360e405df33a7bc3144b5

SHA1
9de2d81940c0200c61e95d60ca84b75458fbd76d

SHA256
eedabe2f6d967c05d0664442ca1ec015414c837eb40b6338bfbf21fa5a0f6f63

SHA512
a6dd786bacbefe664d992968fb7144574226260ad03e3634b6f57167eee29b2cf498f38fa7f9c1a06544e6eb09d572180d7536fc7ee4603601ba934386fafaa6

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
313KB

MD5
6f2ab7bf89d772eb16fcf45ccd02a21f

SHA1
80c3e9a2b5baa0f24a8fddd0b7d2dd90df9e656b

SHA256
3bc5259e8cfca9de4fd0f916e6f0b6119d471784bbce871c2524c60d6ede673c

SHA512
156fd0516f19a58796b0905d2fe41c0999237bc21b673a83cc176f44bc28956843ad7223cfaedd8e62ca98eb60bd30e2b261aa3ceeadf31a94223e464bd40d33

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
313KB

MD5
51a4f859ab6c46577ab302c7b5f4227f

SHA1
7cc872965defe6f2477f3458f8f8817e56f65dcc

SHA256
826ddb15cce61a23e2130bde8460380fefc32f4c9df94adfc987f2731204b941

SHA512
abadbf8be5cc7ee1875b6a08108e65fdbf0ae82d362b99d9a5926f0ac46e746d436b1cedfb7384853a9dbd0e1543922d611b0113ad63a06c7064a76053723a8e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
313KB

MD5
f73ac59c2e1764030a91bcb821608d6a

SHA1
e84ae5ae0120ba699f6e4265c490b1b413dbc7f6

SHA256
b34c0ac806898739246c0b486c33f72db2d8b91aa6d362eb30d9963b301e81ed

SHA512
9d1022b903de766dace94e588380411044d58e3286e6bacf9f75c695777a6f5a0e4181efab21dc9eef5a5fdf527c1fb2afd1d3d2f0218b4e8636198bc7cdc5df

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
313KB

MD5
d0eee27c8f6505f4a8a6872ce17a9181

SHA1
f2097517bfe05e535cd79dce6c7f27e0b41822e2

SHA256
f5f13aa87e66cd515b4b9ec26c08ca5988c38f477407731ba5b89711478cf57c

SHA512
aaed135c3e1480db8bf3a6bc79d107a0f293ea80d4b19bfed742aa4eb62601bb3495dbf048cd734090175a6cd0d898f3a8f3eacecc7c2a5e8ab64b7e5610484c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
313KB

MD5
73e0f8f96d87f4d67ea38e0deddf7606

SHA1
ce05ab2ef3510312f649abe11107b22232e9c052

SHA256
a5cdfae030b881781b502c1008c768e91b8a1c4cbc9ebc6bda0fbe6dcdd8f406

SHA512
4e877868432fe6a4111427af59da9b5210adb6d6c28ab3fff4b69dcc8643ed9d0d4dfda422059dc8796739e027316429950d94ee3251b090cfa414c84af9eb1c

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
313KB

MD5
32d75c754efd9671f295a28f55856d1b

SHA1
4f9d91caac8a312d974a99f9f4cc017dc5a5d68f

SHA256
06edd5a9a2e79e05596bcc9a014fc8bf03029d4d3176a503bde9d788a7b0cd5e

SHA512
b8f6a82273b9d4f18f8dbb340bb1e3ffdfb5b890a05169aa3267fbb8a40502b6519a658e8277365bd1a8e70707772da668655e368df321afd8b19f0cb236111f

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
313KB

MD5
7e859876d62de10125bd65b6951d2a2d

SHA1
52b816b5ca54224338357986e9a8f06930cfdfad

SHA256
ceb010d0eabc01b5eec988c8bc0b2bc7b4f0fdb41860b233f1b99fca89ab8a7f

SHA512
3e9d2e714814e61c67d64bada139316b04beaa34f77f664df7c9b63b384633983c1bd670fbf925d6b78dea776c0cfc7dd257c8acd07b8d58c54516e839952abc

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
313KB

MD5
d01668b83b7c04be14c75905affe36f6

SHA1
37b79c26bb466fa903ab8ade13807bf860d1e40f

SHA256
744ea33517a26de3c771f80922d64e5d67ffdc7fa584ace32c75317cb885fa8a

SHA512
d14578fdc0b8709130f4dfb29f3e2fdbaa59a783c7a721f64519cd3b87b35c2981842b10eb7b70eb1a4dc52286051f28edec852686877ab648faacf7289c7c30

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
313KB

MD5
719ccd6ff8b9a9f3a447480c0f8d8fad

SHA1
2cb8f7576299294444fbee0a188b6fe6dfb5f25c

SHA256
bd54bab8cad266ba567131036a47c66c0b421cf81b52c542bc13b25d857b986f

SHA512
871ffca78098e1af05150c657f3f33e443f6300b07793cb20adf60f423a95a84c8064fb378b8524ac8fa0779b683e0c02eb68d915d29110525158c7d4f110542

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
313KB

MD5
96817ba146b5b0b254950c87cb20ab58

SHA1
c080d8b9cd1fd46edb0695bcaa8b35085f5f0913

SHA256
82ea9d63a21deb64cf7ba4dcebb1a5e3b1ab4710b5d0aed65938a46a7ae9de73

SHA512
2bfe3aa5027415301e13cf6cc74d85887e0382c951d5a7c017f4630f4df8850c50d26ca2eb4da242094e614016fe27f1d0b5e369bb0f26c5bb62549ea007db00

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
313KB

MD5
6e7991925a1e315fa793e039745e144e

SHA1
2f25e36c084bf8069d71721e23a09dc25627e3df

SHA256
2d7aeed728674db06fce6e9eb021b893dafee17d3542f59153081399f8c357f0

SHA512
d9d9c2f64d151e335882c7cc96496be8f4bcfe9a0f3dc4dc5fa761278d28c54fb39105c1dfb6f79a26c0de5a137d1182a4d39e5746511d9f043b439351392956

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
313KB

MD5
da29d4dfc86c83f233b08e74c8ae2b73

SHA1
4ba2ed4143f2f7ea593688beeef5138eb60ea005

SHA256
a3edcc842629c8ac6cb4bcc8043ff3cd1fd633c9d6fe7fc9404f2119a341c774

SHA512
8477839ea3baffe3133fd82311fdfbbd567dee410fe1c3b7341b6c13e779c66af1fe06578e8c13e75b8e29a3ed5923586370fbf8897a970131892e2f5a6ac53e

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
313KB

MD5
8ae3ca88751b07fbdbdecb65de4505e2

SHA1
37d23e021887a21e21cb34347fa2641c9bc15ec4

SHA256
17128ecee00ef8ac1ba7842354da28b4f81e289575ca8e94c6a583c93097bbd0

SHA512
95181d15d19a454a0f3d920fc0e32abc2e22591adceb559d48b9a86da3050b25acc6f34f78658838d7a7444426028858fe97e58d9c952acf3cc3237388eb37df

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
313KB

MD5
4d22d757e436446260ccd58200748df8

SHA1
a0eeb75ad48b73fb7681531b78f94f4a3515708b

SHA256
6bb5016850687aedb29c3d457fddba10f5827416084fccc5646f43b1d591617e

SHA512
72df6264d7f72c04f0115c339226eef78c978325b8b6f1c4d1be80f014dd551323352410e0d4debc594454f0b0f4ce5108dd9163121252e226689b21b1a9abcb

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
313KB

MD5
46cda438b44695f570b76883dbd9672e

SHA1
a6d4ea88881f10dc95c9d87c8150e799dbdef8b2

SHA256
828f43153d93d44db4c390ff96dc366a939cbc92bea2d13205e0c40d58c0bbc3

SHA512
741f52700db6db248fc33e29d8dff852b8fe7d178e136c43b7d3a7077a2a594a118b038af2a3e33d98b374fe082e9452ba2f75b4613ca24dcaa3015a695001c8

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
313KB

MD5
e00076e41f1afcb396e23b73541d88d9

SHA1
ec724de41ea77c0b61f2f9db9ef7d8429dd6b442

SHA256
4f8fbc9afdf1c419e634e86dffd3188a4a83623576e4e545838782b4c56dc49a

SHA512
bc49e69fb44e4130e30483548a7df15065e9f75429f01551196852cbc10635d53c3e9d5ed6ac8cf72aaaa10ca4611ceb0e8b6c95b714840e56a39f9eda32f422

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
313KB

MD5
e8535180aa0d522003431518da953594

SHA1
baf03843d479eb9f73c76c8d209de2ba63a10489

SHA256
46ab58d0074398e23fb1e6407fbf7c3f12eaeedf87ad359bd62b113efd7e9c41

SHA512
4152dc3251e012b3c05f14141b5a2170d376d91eeb643638b811675fa81747e33686731e8ed9ca8aaba53349fc98189aee150ed6c726561282b4d6ac4f7975ad

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
313KB

MD5
6e22d02943be14de0b5f482585516d47

SHA1
aab9cb704751a1a101f3373dd7d53c832375da12

SHA256
28f719dfa868703b8736ef40bf2250bc535b42f49bcdca832c35d92fb31ce9d9

SHA512
a01a9bd86232743cb3919162cca7e7fca239ca2b19c24f1c0b805fdc1c11e8975aa7f45dc9a474590e18dc4eb41cd5c38ad448d02634b5985bb52ef93ea8a95f

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
313KB

MD5
b2c530c74f55780898a76735d3cbea73

SHA1
4b31ce578abee59dce485b8be7bfbcf081504718

SHA256
297978aa62587df42bca61d06989a18e07480fa73a294339ff1f5781c7abaa88

SHA512
4438dc883ce381ce6a9dd1260a4318c8f831f1fd7d945096c379754eb15f8ff2a5c86dc3b233cafae7ebb091ed12a963abd00e16878bbffb5a1625aaf14b70c5

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
313KB

MD5
abb938fb3e52b7f80f5d5118107c8356

SHA1
afab7b0114652ff5b30dc039167e54057bb6e2f2

SHA256
0ce53689a14170a046f9c2f6ffbd9e4748ff06e0fd057e8e0630a6feb52fedc8

SHA512
aa101738e0aea80e0d10392e2bb524139fbaf5f61947d3594977ec331a03ec850eee221e0bb4c61338d97d3aa009b34419e3e100c0479daecd5c4a3cfd2fede0

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
313KB

MD5
54868dc2ab4433ac40d8ad3d6724b6d4

SHA1
25d6c25cffda63012dedf658aad8f3878a82f93d

SHA256
47a9757fd68fffc41d25ad6e42445081b311a54eebf647c2d4a8f6ec84038a9d

SHA512
f5c7ec5f78ef77f82bafc281dd27b56ce66d3ef2fe19d6fa8d2819cbcd4cb4fdb525c2e9e2be48f93cc67231d80c7668e91a31a0ced7dd14f90d9caacd0cf104

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
313KB

MD5
999479a2bdf5ce61de2109e97a5e47e6

SHA1
716294bec25e31020049a4ff2b5786f670ac7cbb

SHA256
c459aded7dc166a7f101b3c7399b694d5557ec835abbe935f07f68875c025a2f

SHA512
789e45765b2e237f2e55427509990e0dd15765a66bef4e5b68183f114535c149b16c3bbbd9951bc13554f42ebc7eeac02071053732bf22eaf1e723ee74ad5e2b

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
313KB

MD5
73acc4fa15f8b8195bccb00bc929462c

SHA1
c1fb675cd18351a7a7bc68c129399c5b95a36c7c

SHA256
2383e8142c9dcbf4f03eaf36b6cf4837b64133b9fdf134135f471ab2e92ebf57

SHA512
005b4d8e38a6ec926da7f4e1b045ce44604e91d994c5ccc4f5657a71bdbd4a2efa08ac86cdf81ed4363b07705c41cbe5ba8a9ab249bfbc61431614ad163f5056

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
313KB

MD5
55c29d45733507362b46eb05bb31e496

SHA1
bea74db71fa2872e9655cc5e671cad9e15eb4ed0

SHA256
7c2a524d744284d7d069952a465fe9e77e3e97b83abc6c0af339a044f07cd4b6

SHA512
1534dfcbb3d014f50b62fda15020e189d23266de352f6f29e636b4d074eab55e42f0d6ad038c8c7a010fad7e8ca5f14117748b96dd379c3274f638501d0cfe40

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
313KB

MD5
a5bdedffc3a3ca50f7f7e65402cc12c9

SHA1
9702915454b3c2b5ddec1ea10fa12363bcd87ad6

SHA256
f68fe146cfba046c89bbf71e77bd1015601f8f6c7dda20dabd66f921f8f6a41a

SHA512
59d747aacdb111282a5e7eacd6b5f08fee85a573025b31cd27b4b0806dae063f585b79082d44e96e1d04db4b91c542717ac07352893281434c6f84f339e0523e

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
313KB

MD5
a600725760b7287065c53117b119f39a

SHA1
fba196b306ee0e38321933f9d9541e9b7f03911b

SHA256
83e4c0844068ca0c1267e1ac32f4b83eb3741f83723f0db86de612d3a0bd9e36

SHA512
286d1e556c366d253bac95c5ac35c81403ddd2f13981d012a77a90091329f39201b7bf3895b15a21ddffdd1cd535118a2e2db91039d910fca35b1fd8f23c8888

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
313KB

MD5
f67b3a1c4fee2dd0ac3aec82366e9436

SHA1
a03b7e5f8806815af868420ad4a5c8527cc4cb93

SHA256
9a611f15a2cc37b33aec326794e769e78dbcf676026dab95886bdbd035542fd9

SHA512
c2bec43a2fd9dd9b763630e1e070cf150646ff760bb770d2d874aef095be7bac7ede200d89bf876103e13c356265e485e3ea71282a46fc4cd1ae9535d086ef25

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
313KB

MD5
4695c4dda3311630082368aa6ce078ae

SHA1
370c9960f7c2700d81f4b5af7cfc864727c7caeb

SHA256
76aacd72132425d150cf1bbc7acf7e69dd7e2485e0784cfb5c1d6e75b218246d

SHA512
93c8351f282f92ad0d6da0e1e7827650c5f3df35d9865f34896bbfb095353956f180303931897f06a68a30d46e92feb7b503a78d0b9839532674251023d52b0b

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
313KB

MD5
30d57bd952d607ffa4d2422901141daa

SHA1
c4f4c2dd58d203b336d0a2e8f613e4866e1dcf35

SHA256
00bd03872fbe640fe1a48898c745e9fb197d07f77ca54f002232bfd5e150f4a2

SHA512
9562341e76b462c9318fd18524f87bf77cfa58064fbdda4f9a8c0a170fdfb7ca54f80c8d389baabe65a3c02c8669ac3dfd8f0e045c99869c15bb4f1375e74325

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
313KB

MD5
2bd1e68ed574427f81c39825f677835d

SHA1
a42c9f89249c85152f2681323a35b0e4e6bb319c

SHA256
150bc2ce886e5cfad1268c1c305dceaa111e0ee80cc8a21072793d0af27fe780

SHA512
04db5e492e94924269d83062afde6bcce70d65c5fe74cfd193d2e996dd372657a02eb0d04171af90a4607cfa00efdc389c5cb0e9263adb8c91f093d846c60c56

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
313KB

MD5
49cb850107de146e606a9f0242e26721

SHA1
a9898189dc04ed53db74c69e57fa9cf60ac6b8d5

SHA256
d6ff41e8705ff8574f8c89b0936ad364962bca1b9f2cf8bd260c012a9d52cf31

SHA512
2bb42348ce570d90e981934963d003fa1d70fe61b64fa2d62e6bb8aca738c67faa17594b967af6a7e2e82f7cf0dde0bd85f059f30ff10f41c1ec164cba8a98cb

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
313KB

MD5
d882ef905604da969e920c33ef385dff

SHA1
a0977b07455d30736d24f3d442c6d480f0233321

SHA256
ddc0f196705ba83fa59d6c14161b44f1e4f891fa2ba964b4ca52ed61024719f6

SHA512
87f376b16d65ebf8fa09573b135ceaf97f60caa77313660e4c5d7ab72cd566c6636ca94e6a574fdd542bd714f48998a25d5d999918df96f6ca12ccccd6e1e37a

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
313KB

MD5
26e96141a7e04911f00788db77ff0738

SHA1
08d41dde93f5fcf9f20971293ba21450a722b6e0

SHA256
07e021cedf965dc09e054a5f9a4721f5b0b95c2e201dc78c82df84877259cbfd

SHA512
1dc41ae16ceaa1a1d3cab91b7752ac9815b1d9220bb22aad45160ee8351170621cf80290d2d201b20cd077a64808dc4fbbe49c2ae360a1343c3d595646afb04e

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
313KB

MD5
aa8f5394a9e8e76c20f80b7df448cb0e

SHA1
343d2b0d9005e522a0cd5236b4f94a798506741b

SHA256
42644f9f9d5a816fe76497b03638b1056bf1d2f00d62eecc1957cd11ec0f54de

SHA512
99189ff53e64c6fd113f8e54448690d56f094face11f79a9274c224c7bc4d53368a7cb7ac41701423884c498d480c2b9e142e4c35bd38ee17c44d2d6ed2cd0fa

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
313KB

MD5
5338c0fec3a63585b10bdc2019cfd922

SHA1
d8a0a0aac628fbcce64067b34f1ba36dae60ce44

SHA256
3c392983f0444b594af7c842687db9ae9d58b0ab85e87eb4ddb11210f1450629

SHA512
8f853288fb8672dbe1842ba505208253f28c095620292ea56c5f7662bc008d5c18985298357fc4b01f567d8e31b437147ad25abf7b32cfb555539013e7128902

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
313KB

MD5
4aadd9498527310aacdf252c144b9f30

SHA1
2738177a153c20530a62de255413170db30d3825

SHA256
e7b0d651b04dd2def96e75b11232b3025f779981b9607197870c8f126933b7fe

SHA512
788541c7684a50ac98f5700b05002270cdef818932563402f9332fcbfa992d0b57a0e310a5a492233c4f3069420f729cc54e2bd5177fedfcb1032fef265dd5e7

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
313KB

MD5
cc38ab28a1425621a6b53058271da2f1

SHA1
e3e88afe91f9a661aaa56bd177d307a836773276

SHA256
9a227cc528355137a07e9bd84738c3c90c3f3d002907a22640ce7c97b573a9b2

SHA512
99b5dca51e97014c93e608f603c6e3d96b0950b543950f4d447f1cbe07c6941eb683c4d0824b57e8c1cdc65324d8ee0abaa3de5abc43a8fd73f59af558f98ca6

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
313KB

MD5
a5c646195deca07e2e579fbd729588d1

SHA1
bd65daa7c56097878839677ce0bcc4544cf777a7

SHA256
07c6f557c002de1634a2d05b5e6a615287e9dc36513a38f9684300a2a82eb236

SHA512
f82c52b689fa0d1e5daa40030eed1b03c61b6913df3ac876777d03bc3e44f23ebe7cc0c10f1b4211145af1f435a01c8858cb79868c77b91c28945a69c28e5a59

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
313KB

MD5
8432711e70727b3e020941d84f42abbc

SHA1
153369eff080a408b6eec0445ea7062e0e72aae0

SHA256
d590034dc9438cc40a62f27b5678d3e80100ed2e798f9ba1ca33bedb0a3efb21

SHA512
cacb92af190541f8d8e5a79d8baac0b114b2fa72ced9c3188fafa71d2d0519eb7c0b78c64c45c8ef397fce5e052cfea2ca0ff13fd623829a2e7f35043ad41256

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
313KB

MD5
ec639e940984c6896210451a2b93d6e3

SHA1
edb3bef0eae3a88660b8a75de41acf5a63c1a893

SHA256
203801ff4a87c7ea9a9bb427fc441e3b8787ed0ea3b6fc2e1ff2ec923df2a689

SHA512
55052a967e32be5f9ceeb35007f82b0f4c15749402a13ce8ed60dade16af5da6524c7818fe5d1058575519a4a5d4907f52aff08c592013e7df05a0cd28258ec1

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
313KB

MD5
5ed30e51644a0019e57193afbc80864d

SHA1
90b890b657ddff758680a5fee4657a50c44a75e3

SHA256
006e93ca3417e270e0ee3378077484070685f7f3764bc42ee011dc6666d30163

SHA512
b3045cdfa18dd8efbcb61c2619f72ddbdf026d6bc5f318627a745dfaabf20440ff3503cb2795d9ab0340781960519e032cf6ac8d48c5ca0954507c86f35f19b6

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
313KB

MD5
e1b10dcef8f435b6ff94a7cf9ed85216

SHA1
776353f2518926950266cf5cc6bb36159ee2ed55

SHA256
5f0b133b0e06fb6c00431d27f920ae0f4536ac431df0e5b15944d22159dffdeb

SHA512
73c285e4fc11787d72c5c6e661c86c4e0acc87ef92540c8e68e06bfb1bad6047a1ef5312d89a63fae5090304752324a0bc624cb6f27f91221f93cb7bf2ee7214

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
313KB

MD5
57cb4f97d0be9f3b6695a4259fbe98e6

SHA1
ef54055a9be2a32e74103ea3dfea441a1b246c47

SHA256
758ee4c541c537decd6b4a35212bc7d2aed2dcebcb4c475050bd0ced456f4cce

SHA512
b22c5e69988c844211202c738862aabe6cfd62cef8ad3ae8ad8efdd937729f7e18544b7d559892c6f1ed9b04df98c756184c80b3d4eb935f4b96c9b5a24f415a

Download Submit
memory/216-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/628-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-592-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1440-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2168-114-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2392-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2772-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2888-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2908-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3000-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3024-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3284-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3332-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3352-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3360-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3424-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3824-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3960-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4232-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4764-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4804-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5020-578-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5020-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5160-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5224-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5296-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5348-563-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5388-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5468-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5512-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5600-591-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5640-597-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5684-602-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads