45c9768eb3d8f90237d22345a03773ddaf470a904778ad17101ffa89a5918696

Analysis

max time kernel
105s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

466e4c3c38504ef3fd77f076c1449740N.exe
Size

95KB
MD5

466e4c3c38504ef3fd77f076c1449740
SHA1

17093773e811dabf58eedd620c8e3640eaabca2f
SHA256

45c9768eb3d8f90237d22345a03773ddaf470a904778ad17101ffa89a5918696
SHA512

57dc01478bc86a4d5a5cfd163c88f8797d6f379624cdc7a89cf7e06db293dd9a192c1ed4532d22e233b5fee80aee3eea87b9ea9835d434d6bfa54f9e109db406
SSDEEP

1536:MeBqEI8GXrCuppZYfMno/dJPHEzgNHvCVtbwuPCk8knPcBhSgs8D/i0LXU/2IOMD:PBtI8NupTYSUfE8NPCVFwuaCnUtK0LX4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe

Executes dropped EXE 64 IoCs

pid	Process
4676	Menjdbgj.exe
2296	Mnebeogl.exe
2060	Ndokbi32.exe
4140	Nepgjaeg.exe
3988	Nljofl32.exe
3524	Ndaggimg.exe
2892	Ngpccdlj.exe
4964	Nnjlpo32.exe
5068	Nphhmj32.exe
3076	Ngbpidjh.exe
4572	Njqmepik.exe
2216	Nloiakho.exe
1880	Ncianepl.exe
2100	Njciko32.exe
3232	Nlaegk32.exe
1240	Njefqo32.exe
4732	Olcbmj32.exe
5060	Ocnjidkf.exe
4752	Ojgbfocc.exe
3400	Odmgcgbi.exe
4044	Ofnckp32.exe
4420	Oneklm32.exe
4528	Opdghh32.exe
4508	Ognpebpj.exe
1352	Ofqpqo32.exe
888	Onhhamgg.exe
2832	Ocdqjceo.exe
4360	Ofcmfodb.exe
4992	Olmeci32.exe
4004	Ocgmpccl.exe
3284	Ofeilobp.exe
1876	Ojaelm32.exe
5092	Pqknig32.exe
2120	Pcijeb32.exe
2044	Pfhfan32.exe
3464	Pmannhhj.exe
3728	Pqmjog32.exe
1888	Pclgkb32.exe
4416	Pjeoglgc.exe
4112	Pmdkch32.exe
8	Pdkcde32.exe
736	Pflplnlg.exe
3672	Pjhlml32.exe
3028	Pmfhig32.exe
1620	Pdmpje32.exe
5076	Pgllfp32.exe
4624	Pjjhbl32.exe
2952	Pmidog32.exe
972	Pdpmpdbd.exe
2640	Pfaigm32.exe
3968	Qnhahj32.exe
3324	Qqfmde32.exe
4204	Qceiaa32.exe
2912	Qfcfml32.exe
4912	Qmmnjfnl.exe
2272	Qddfkd32.exe
656	Qffbbldm.exe
1004	Anmjcieo.exe
2872	Aqkgpedc.exe
368	Ageolo32.exe
4768	Afhohlbj.exe
4936	Anogiicl.exe
2544	Aqncedbp.exe
1656	Aclpap32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5676	6092	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	466e4c3c38504ef3fd77f076c1449740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4676	4552	466e4c3c38504ef3fd77f076c1449740N.exe	84
PID 4552 wrote to memory of 4676	4552	466e4c3c38504ef3fd77f076c1449740N.exe	84
PID 4552 wrote to memory of 4676	4552	466e4c3c38504ef3fd77f076c1449740N.exe	84
PID 4676 wrote to memory of 2296	4676	Menjdbgj.exe	85
PID 4676 wrote to memory of 2296	4676	Menjdbgj.exe	85
PID 4676 wrote to memory of 2296	4676	Menjdbgj.exe	85
PID 2296 wrote to memory of 2060	2296	Mnebeogl.exe	86
PID 2296 wrote to memory of 2060	2296	Mnebeogl.exe	86
PID 2296 wrote to memory of 2060	2296	Mnebeogl.exe	86
PID 2060 wrote to memory of 4140	2060	Ndokbi32.exe	87
PID 2060 wrote to memory of 4140	2060	Ndokbi32.exe	87
PID 2060 wrote to memory of 4140	2060	Ndokbi32.exe	87
PID 4140 wrote to memory of 3988	4140	Nepgjaeg.exe	88
PID 4140 wrote to memory of 3988	4140	Nepgjaeg.exe	88
PID 4140 wrote to memory of 3988	4140	Nepgjaeg.exe	88
PID 3988 wrote to memory of 3524	3988	Nljofl32.exe	89
PID 3988 wrote to memory of 3524	3988	Nljofl32.exe	89
PID 3988 wrote to memory of 3524	3988	Nljofl32.exe	89
PID 3524 wrote to memory of 2892	3524	Ndaggimg.exe	90
PID 3524 wrote to memory of 2892	3524	Ndaggimg.exe	90
PID 3524 wrote to memory of 2892	3524	Ndaggimg.exe	90
PID 2892 wrote to memory of 4964	2892	Ngpccdlj.exe	91
PID 2892 wrote to memory of 4964	2892	Ngpccdlj.exe	91
PID 2892 wrote to memory of 4964	2892	Ngpccdlj.exe	91
PID 4964 wrote to memory of 5068	4964	Nnjlpo32.exe	92
PID 4964 wrote to memory of 5068	4964	Nnjlpo32.exe	92
PID 4964 wrote to memory of 5068	4964	Nnjlpo32.exe	92
PID 5068 wrote to memory of 3076	5068	Nphhmj32.exe	94
PID 5068 wrote to memory of 3076	5068	Nphhmj32.exe	94
PID 5068 wrote to memory of 3076	5068	Nphhmj32.exe	94
PID 3076 wrote to memory of 4572	3076	Ngbpidjh.exe	95
PID 3076 wrote to memory of 4572	3076	Ngbpidjh.exe	95
PID 3076 wrote to memory of 4572	3076	Ngbpidjh.exe	95
PID 4572 wrote to memory of 2216	4572	Njqmepik.exe	96
PID 4572 wrote to memory of 2216	4572	Njqmepik.exe	96
PID 4572 wrote to memory of 2216	4572	Njqmepik.exe	96
PID 2216 wrote to memory of 1880	2216	Nloiakho.exe	97
PID 2216 wrote to memory of 1880	2216	Nloiakho.exe	97
PID 2216 wrote to memory of 1880	2216	Nloiakho.exe	97
PID 1880 wrote to memory of 2100	1880	Ncianepl.exe	98
PID 1880 wrote to memory of 2100	1880	Ncianepl.exe	98
PID 1880 wrote to memory of 2100	1880	Ncianepl.exe	98
PID 2100 wrote to memory of 3232	2100	Njciko32.exe	99
PID 2100 wrote to memory of 3232	2100	Njciko32.exe	99
PID 2100 wrote to memory of 3232	2100	Njciko32.exe	99
PID 3232 wrote to memory of 1240	3232	Nlaegk32.exe	100
PID 3232 wrote to memory of 1240	3232	Nlaegk32.exe	100
PID 3232 wrote to memory of 1240	3232	Nlaegk32.exe	100
PID 1240 wrote to memory of 4732	1240	Njefqo32.exe	102
PID 1240 wrote to memory of 4732	1240	Njefqo32.exe	102
PID 1240 wrote to memory of 4732	1240	Njefqo32.exe	102
PID 4732 wrote to memory of 5060	4732	Olcbmj32.exe	103
PID 4732 wrote to memory of 5060	4732	Olcbmj32.exe	103
PID 4732 wrote to memory of 5060	4732	Olcbmj32.exe	103
PID 5060 wrote to memory of 4752	5060	Ocnjidkf.exe	104
PID 5060 wrote to memory of 4752	5060	Ocnjidkf.exe	104
PID 5060 wrote to memory of 4752	5060	Ocnjidkf.exe	104
PID 4752 wrote to memory of 3400	4752	Ojgbfocc.exe	105
PID 4752 wrote to memory of 3400	4752	Ojgbfocc.exe	105
PID 4752 wrote to memory of 3400	4752	Ojgbfocc.exe	105
PID 3400 wrote to memory of 4044	3400	Odmgcgbi.exe	107
PID 3400 wrote to memory of 4044	3400	Odmgcgbi.exe	107
PID 3400 wrote to memory of 4044	3400	Odmgcgbi.exe	107
PID 4044 wrote to memory of 4420	4044	Ofnckp32.exe	108

C:\Users\Admin\AppData\Local\Temp\466e4c3c38504ef3fd77f076c1449740N.exe
"C:\Users\Admin\AppData\Local\Temp\466e4c3c38504ef3fd77f076c1449740N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\Mnebeogl.exe
    C:\Windows\system32\Mnebeogl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\Ndokbi32.exe
      C:\Windows\system32\Ndokbi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        50⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        52⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        59⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3752
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        68⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        75⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1104
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        80⤵
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        88⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        96⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        112⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        116⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        118⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        120⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 420
        126⤵
        Program crash
        
        PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6092 -ip 6092
1⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
95KB

MD5
3504a6745ac2f5d2303b7775528f0b71

SHA1
30df76f8da8774449ce3ae9bb979746d55b9f547

SHA256
9cebb8d3181ec76cdb538405a8cf6bb7e480fe7660cb3c934c42deee237e654f

SHA512
6f536377fe98df3d00ef2aed7b70cc8eb592aa936de4e655d81a92e63b08a69ed96844ff0ccdc2042a86e18cb914f064a714b5d484e58d2f077226f0a6344811

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
95KB

MD5
0d3dc7263fbedf1ddc1d1041ccb90df8

SHA1
8ddec7841b54be5daad3ed01e068c36ab817f6b5

SHA256
460f8ad6cd2bbc5e51e26e4ec604c242c6dec3160c4a0ba1bbe39e8beda5618b

SHA512
48e95bdd54cfd191eb937aaba7be49ff4e239fc0808be4d16a8dac10606b34659338142ded379cd71f9881d02ccd88f50317832ffe7420d4a43ab1ea2ae99f0a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
95KB

MD5
5933a824b2a69224f44346472ad80aa4

SHA1
f0251c15110ba88e0beaaf15599e58be47a731ab

SHA256
8215c0c8918592ed70918d157086aec47d61891b8401797f6284e6d0a8962c5b

SHA512
29caf6265f1bc5850a7c5687427470a8a521396a8b7f8ebebea13a610463bf453666df8be650eb823248565ea3ddd94cd896967c17a9d03306670b4c37bfbea1

Download Submit
C:\Windows\SysWOW64\Chfgkj32.dll

Filesize
7KB

MD5
c9dee70de9334c2077b00e35a28fe568

SHA1
e13c4c24514d2b16a2dcdd8adb7ac3b4af1f8ce2

SHA256
90ff97cfc602ed1935fd8a889080eb096171f594adbe234f9da89e0cc61b2a13

SHA512
58a368a54490d645a1d003982145c474fc2196909fe7e9d800a40e5f6aaab460c0ae8a2bd0de4034b33dc826e95d25affadb161e286d7ac329aacdad0aa77804

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
95KB

MD5
ea9d78e34962d8724d12db29015fcbf5

SHA1
8ff1dcff3eb5aafb9769115780049640e267fe45

SHA256
2f814516db7dcb61d61352f7bb88e4c992d41555e65b5f67f48017341010b6f5

SHA512
7f54fbf010f52971650fde9560d903e62ecddd6a5a4d704e43ba013ca7a2fbd9e21a288cf95cfca27c40201471ce76d021d17c72344adc3dcf0287a47ec1a24a

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
95KB

MD5
ca7a8781dc8b3e27891d77ac352d5985

SHA1
3fdc7efebd962d15b0edcf9df076cb595d19afb5

SHA256
e7105d078f437ece9e7263a71775084237a73ce580b4e33138c510b5a42b249f

SHA512
d8d8fe21381086246572026f44763a7bdb015c517850217caf91b0e840e0c804b1ea3ce002242a4421c98fa0d7901335acc220d2781fa420430e199d42bf0117

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
95KB

MD5
1c31025c6531747584d067c1ccd0f0a5

SHA1
ef82ed6a1e25b95b4f568326618c80a0bfb017be

SHA256
54912cfc73a890a92267e9da03a8e28b936ca59868be11e1ee03acf136e1aa3e

SHA512
47bc62474cda3f6f795bfe23c38fac94a572af1aa151b0dd0b42bbd21d8e3eb7866303bc005ee656125824fc418ad17dba5440f319a1e74b8ad329dc246e6be4

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
95KB

MD5
e5530c5f879224a7f87662ff44f415d7

SHA1
ab5aae8a978510ccbb1975389f0e3d2e8f5f220e

SHA256
7cc917aa3659e181fe8e938792ea64416016cb2348f19feb244f2aa516908487

SHA512
9d7cf1530f72d86eaf5825b5e6b16c522be4a02470de06906b114e821688839132935abbfe4eeb00cd88a68121f9a5939383a89d83b00ecf485a8d168cf82859

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
95KB

MD5
527aa018b23c9b28f533f6d917b7be29

SHA1
3028b80ff255ef2537f182eb561300fabc93d61b

SHA256
3b7e053bd1ba6a7ffd6240a93ea3f8a7b3689e5e75e74c9013a1f967751ff81d

SHA512
c96fc05b201e590ecacb6bc5211d292b45b3a76e30162c13f6697b21f01fcf3f98f7b946e165303c8860791571dd54b701c3ec5271c112593402090eec3592a2

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
95KB

MD5
6fffec6b3a55dfd2aa5e60553728186d

SHA1
bc0f140834462754b2830e22ed053352e79b01d0

SHA256
084c1802822f8074363ff1d7e4b121f29c6cac3d591d5f6bc874a82c1df3f41f

SHA512
207dd153ea62ddbeb499e8131976b377ced709a9378e4b0356ecceccdd10fcb9b6126497ceea93e9fd3e8125ae9a794c69c9cdc8e4a37f10265566691862b13b

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
95KB

MD5
0c6c53b8fd6a3c9fb4e817b3fbafd98a

SHA1
59ac79734a627bec23bca3ebb285a3d59a257799

SHA256
558e3cb0c782779c6542911258ce8ebfe60c2dca188deb42bdfa8c0f4ec6f533

SHA512
9ca4c7a184dc20ecd10ec5c4ed7c9459518ee3a77b07aa4c4fb054e30cd0277577950c7c90fc6f767ab36e1c874af8e02e7e954375fb95a4284520107bc48243

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
95KB

MD5
fe947f6873ddfbb737c0631225dd9dc3

SHA1
39969b200bd44d6c3d9000cf2febf7254ec941ff

SHA256
111a96215ad5e8727c7520b5c6b6dde38b37294b3e79967a008e25635caf8834

SHA512
48338ce1b6ebf518b270f07ae28b333ac850eaf8d4f997e455ad3800f50d05c3b52dd3687045d9969350fa29f30118a85ddd6733e55224d11630b6a2f9b1d50a

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
95KB

MD5
57cd7a606f5894b8eee36bd2b4781a81

SHA1
c73844faa18e3c4ccd406d1a4717ba0f32219a68

SHA256
4af70a73224e33b4c158f8b70b8704a6e369fbb22451a30247605b1380939fd0

SHA512
6072d69ef68bedd41056da126e798f15392899fc64990fc7c822e5d372f1f5dc98934dced1a8127eef25b0f4f6c9ed9a4517a4308ffc292ae253fbdfe7491c3a

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
95KB

MD5
cf3c708ae7d8bb827ce051a601b2cf05

SHA1
a050fb71e8be02e8d215429f6a416720bf5970a7

SHA256
bc52d1d6387e6d3a617a8cce8936e381e54d8ff7073874f8ca6991c974c3a9a4

SHA512
3f32d72c5c8806a2d729460b6d4b445411ecd2ec7a376131f5309af66a0ac3f0ca7dde71fd246d93bf73d16dd0dce253860b5c12cffec004091cc70df351cc37

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
95KB

MD5
ab7bb09869b9f9b6be4173b4ac3d2a8c

SHA1
caddd4e09b5b9ee3eff28033b765e824494994b8

SHA256
4e38378046584d0c2996b82b67f7c91bafaf8116bc3623cef2f90489b4b0ff36

SHA512
c4a2231b6596f1262d7f1c3563ea91cc9e56065585447169e58f47a1850465c3ea3dda4eab7200a968221f616607f0108e7546973af4f56a22de23f74b53506f

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
95KB

MD5
8e8981afd4d7df000831765135dcbd19

SHA1
c6902f4742c81e1927cdf31aab7ac79c9fb223c2

SHA256
95355618409b4b4b40eaf1e53c246e98714ff459d1c2cd846f3528c2eda38eed

SHA512
d1038f7ce721b30cd0bffe5cfb518e88e699dba4ddde9fcdb271a9eb265e11e283fa624b0bb5de7d4ffd7289e8a0a05916351ca1ae8bd56878239ae370c7bf6f

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
95KB

MD5
35ad53c806493b6beece1f1f10b4b197

SHA1
386472a5de82ed5849219c11cff53f543d985083

SHA256
e55b9c627540039c611b116464f03eb7d61d36ba5a3f1cf908e463bd7b6d2ae1

SHA512
eb4462cca0fd7949a67e03416b321213287b4e2c60533d586dc35b38074d51a7cfb7f1dda7eca9e1bebceed925f7917c4b756186c528a2aa7ad5745540f7eb64

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
95KB

MD5
f99166e4c419ebe3c66f7622c41fa7c8

SHA1
6743a9ee383885a8aa574858b7fa1476e2a37f2c

SHA256
ab2e20bd79800319e56a6f8e8bd7e234b471959103864308691d56da337a9dbe

SHA512
fd9ee86342049d057b5c9dda718e761eb5d9eefba7cfe8a2e6fff3802ceb0353927ddc74ca23323f686978019ca64376ebf647cf87ae6ccd79d6ee0319eb701c

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
95KB

MD5
1b1f99838f6349b82bbb3544b3a76447

SHA1
589d537a6d7391db71a5f6b5dea3310e756fed64

SHA256
3be581a7b0a2fd9b82beecbe5885946f2e2c3cb10e98ba1ae7b1b0e901be2bc1

SHA512
32c73c6c2dccf731d36ab8bb541e356cce553b90e276737baa6f1727c5237dd7a62111c7dff8a0a483800134b13f95d8262e7632bd0c1f3ed6048235f2dc247e

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
95KB

MD5
99ebf140fe19a8330bd8873bc38b56cc

SHA1
29479f70fc08471cfba4df012e593c1fb3daeae8

SHA256
c52fe5e9cd72b4d01b683c978464c3daec47c73cd1918749a190c4f4520faeb0

SHA512
f689d026c374d36ec6951a648cdf0a8773b4a20b12585f569012d3205314965428d79364adcea9bb0dfd9870c1f98db277a59e724f13d512aa5d8ec7b03604b8

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
95KB

MD5
91d0726d188d1f504174eff6ece115cf

SHA1
a50829fada18a497b9af5eccb70c1a1179cbd807

SHA256
23f6494b3734bb2e0fd46059a27780035b291f3bffcae763349267d7d03e220a

SHA512
177308c732d9ec9c85b9ba90390149258e0b5adc0e4fd775915050a8dc4197a09655f73b7e3fc1802d756382ef1152acfd2574465a8e6ee03c92f5f65f66da2b

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
95KB

MD5
a757c65c999efc9b461a495881787220

SHA1
dd7c6b9fad8399d2cafb0b58ae3877232f2cc192

SHA256
0843edd610ec264177e929f086e0f47cf4a7eb1bedb3e3f396638e57028cea63

SHA512
0ad7ef608892b7a50ab8321e974b8500ecdb1f975c8ad343dba63ba31e02ceac906ace5a04eb323e7309956ba523b17dafe8623d86ead6848669c33b2632b08b

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
95KB

MD5
cd976e0d68655b6ebb783469d1ffd09d

SHA1
2e23c1b4601a8a72ec80a206e04f4a12587f7fe7

SHA256
f8c0d20ac868b56ce6a985b6e7a02eebe262eef86277ca2eebfcce5968f11158

SHA512
813aa9133e86d847df1a188eb27038144e47438b7f62104f473b149323158b236e5178f98d81193a2ed1c58721eb17f0297c01ad0cc3706a07f88cbf40df2b73

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
95KB

MD5
6435b8a3a1815e3d710684ae76d10cc2

SHA1
805553969ff9646a3f23b37817642a5546087086

SHA256
5df9d728f622e2353569db3f4d7d08c069a0b0890bcdab6272765a0426362ca2

SHA512
b1df3ce3df05570fe1998a16f047254d53c98b75a2c33a1672ba05895a49c8b09ace7891e0bcac9fed880ae70c46c14be8dbfb6f011001a1e584082c656495cd

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
95KB

MD5
da8b582716f2a22bf056eb717066786b

SHA1
8f935eab54156a235d58a1d8c042198d465f1ecc

SHA256
4bec4b058054b6f8a169fdd5f760fec6aec62ba108f352429369d123c263bc06

SHA512
e5362182edaeb03093378cb86467839e6c7047c9c112eebb11c25c1ca3adbf7c34433ebd20f8eb8f6fd4a8ba442d4ec4baba4879495ca662c3e3293de0df3fdf

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
95KB

MD5
a50d236192e6b46bf8fceeb980c7e521

SHA1
fa564a87cfacb429f1e1c2b748cdaadddf036cf5

SHA256
ed40ae10497fd1ef37c46a733dd03e64b416b6d7de3a51640824b37db2284deb

SHA512
1bd3ad361a15b88dede8a23a4fc9e362a90f20129e9c7a8c8e25fc2f4e6c06d6ca607d6b8ef19a853e1911510ef7c8e9b25684bde40873529d98b5b8dc3e30e1

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
95KB

MD5
ab94a90698f52e5a3016e1385cc64aca

SHA1
401af64f9787f0ac13e02fa2619c1f561ca07c48

SHA256
c7c480353341ade32ccb400cdae4500e39dc090173280cb8cffd4aeb2736fab9

SHA512
b7ac23f203143c658cad9c135ea9e6f865f26e0bb9843f9e2d68f05a117203fb7876a759c8b25d7065c08da59483c8bbd12bf9bab8797478695af91d43dc0ea3

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
95KB

MD5
b2257cbc6975ba04311d42579eb69302

SHA1
9c4869f1c9e9403e5dd6755eef7b19acc782c5ba

SHA256
8421e60be93bbf63fa0f66884f0ff586d2f6956aa22b553d3afd209adeda2398

SHA512
f0cb20b25f785fe5a095314a30f665a816f645be1702fd294aca2b82dc6f4c925d904b8e38114dd978c16f247a701b18d2176a4b6d636794adea0bacbf17ecff

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
95KB

MD5
3c70487fd68349b6948429a45ea71688

SHA1
2b6b3e054aaca746fd54254d1728dcc7e078cfd2

SHA256
3583ff068ab852725ee15baec389de17826043d9d9a3c12c38f5775cdcf47922

SHA512
3587a45dcea81e9e2c04f551d85ea05ea7a9a74fef6c25d156e9012c6c0b939edb87d5df8abea589feff0301b8ed5d92ca57cc56b256da084377b4c4a2bf08bb

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
95KB

MD5
e77638759a35e49edba47fcd41bb0a9f

SHA1
fbb9d779a2d11ecd94376d7eb79a9331915557c6

SHA256
5ead130b480dd016246576dded2a5d89954ac98e7fb1deed5d43c4072d144148

SHA512
80d17fee28fd4b845be2c73b0997340cdf07505676e3b79671680d633d5527ab33fb40efcd440c7ebc9a4cb2a4720f9f8f63572ccbd8ad81e518b8ae6b7e4190

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
95KB

MD5
dbd64a021fb87b47ec0d664a64d03cba

SHA1
1076f624442b7e43ce4671d88897323f5edf6b2b

SHA256
605e398a0d5f4daed34baef71b8367454f036adf931d2fb32d370b774596b154

SHA512
ece51514f7e5994fc107eb8a7d114cc6690c2d87178b41dfcd1d4c4c2a37e7d4c56da9ec73ebec9765ee4ef6ceb0b8df59c2a76e106f2c7cb783cbd4145105d1

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
95KB

MD5
caee989da6dd45745d31860f309d9ffb

SHA1
b3e00a47456ed2c11aafdabb58198138e666c2e4

SHA256
810b06a78ba0b3e66940f242bd58f46c919a36a17a5f30ccf7b24acb79dbbef8

SHA512
f0469711ce463ed8a11454e6220a971a91e847e80167e00b8c5a8a32d679fba415d8f8d10b0dcf60a35306a834448033c26466b4e1587476511a4de146b4a201

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
95KB

MD5
e439a219984c396316febb2453f91155

SHA1
0abca45061b4d3a9cade5aaab9b0ed7873dd48f3

SHA256
bb05ab3be1b83ddaff21882ae7bad39a32aadbc4322a4c20a051f7be8b06e276

SHA512
cac670b788f1e418f1a8b1604e3419d0bcde0b063de37e5cf917d136bad26f128cc1e12292f18e3a6fed083f8b8ed2008d7898451aef61a85d76c0a2e555c418

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
95KB

MD5
ee175e20370a363e2213af0115508283

SHA1
fe63205b2bf6fb01b5d9b655527ceb7a978dc68e

SHA256
19c5e221e4d719ccd9bcd37014045f5e7e318c51501097a92be2d8169f0cb685

SHA512
8a17e64023a8a7873d6576b36c91d5d3f1cec636f3b8e321551e96218aa0576dcdcf3bb514867fc55d8e7ee01bdec5806c68bf7995aae5c02cc5e35f323761ec

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
95KB

MD5
1ac09e840a6725ce61444516ba39bdd4

SHA1
6d136f8dcbf5345b5478672563bc7012ce142392

SHA256
ded9c53e644df0c87a4042a52fe91a985b8487fca6470d679dcffb4900c35ff3

SHA512
7d9f9e6aafb7396ce5779b7a90c190fd9bb2842be82f1796e0a108943090c2df2d335b4017366d54a195c5fb8f2e7a4ab4dcc99b20634af0e608901c52d9edf0

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
95KB

MD5
8b15e792d16867309bed2fce6030211a

SHA1
3280cc96659fd7a9bccd8ba02a055d54a0579c7a

SHA256
09fa0157337a516d0d08906aac721d0c2c37190f0a23bdd0dd857a302245f072

SHA512
a51e5a26e1fedd6ed110e708af09c4d76bceeb804e3b6869ff9d1f3540e3a23dc1a93cf0ededb101bc8ee526dc1c1b33bd4ed67537c07f9bb6526f1b7b8a8f79

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
95KB

MD5
3660a0c88cee23370e6c186191c15502

SHA1
913066d37c43ccfc78b535ca20198e9782ed6763

SHA256
36ff0eace078a5c760c2eeb0b7ae3184c394397a6b20848b980ea47f08dae995

SHA512
2c6df08554468b8363ab49955caeaea82604ebd367e93e1b27fc4f538284e9822a6c3d82694ea3ff99984f4304dd8b7235274fed79fd072cdbc3b22de3a3bbdf

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
95KB

MD5
12f4a9b9d8603545ffeebb4d4ecaa615

SHA1
663bb45d139cb453bed8bca33de9f6938426e76d

SHA256
e0693fd52650e68032b15427ec3946d1326780e2ab34bb37d4cd508b19b00bb3

SHA512
953eb0c7a68c5b167572548a085ae941735c509350838f9bc030c6bf31d411a99d842cf184ba4ca074f79c92c76aebe57bef06d4c1088e662a69c5343f7e7f98

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
95KB

MD5
c3fff8c6eb62be5efcd91a1a44805219

SHA1
5f267c059ffffc7d75878ecffad02119523eb0f6

SHA256
b36a941c703d427665e1d166a02bb14c4a6b456a097b7d18f40e6efd4730bc2a

SHA512
5255ed1f99b3261fb59dd5fd8e26e95e6ec2d7cba588dbda809e0d9ca5841a96cce249615a8c0c32bb7f3c33a22a358ff5c3a8b18ec626ce0a15386612b5d75e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
95KB

MD5
b2d96d0a69f1559e6548a38ad313a79e

SHA1
03891a735c78cdbea7af743d6f4d79f9a10d3715

SHA256
e2a61d24c243261310feb7d1d34b0aadf5c66ce645fd1415dfea631f70f694ce

SHA512
812c6ed0959b9f56c571bead1cc360c2e2db86c413db1e96649f50703f47b86b3e82ac0838cce7e3f22eb4a30d5dd2412bb4a6db85284db63937de3cb0b9f4cc

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
95KB

MD5
04f90873dd371ba0f2237cb563dd2914

SHA1
673920f3e987d0afcf7e96e82c5361a48ded32e3

SHA256
b178143783fab05679fb4afd0463c54cd2e7da69d3e30fb613ab09417a4eed11

SHA512
37930b9f7e0b619b64c11610522e3073c33fd6cbdaa44ef5b5a3c2db368dfa92100fa4c8e797cf8d75ad1023f314a186926eaf17493bf2d2a4f3ae08a96b89cf

Download Submit
memory/8-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/368-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/656-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/736-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/780-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/888-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2100-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3400-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-581-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3968-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3984-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-547-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5132-554-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5176-561-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5220-568-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5268-575-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5312-582-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5360-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads