86567d8ef2b4478c8c5752c8b12991565f905c90704d453c24129ae4f686b1e8

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba81d74ae627de9e1196fc628093bc70N.exe
Size

49KB
MD5

ba81d74ae627de9e1196fc628093bc70
SHA1

65aa2b7a4dbcd18fe7b769884db3bc4b6e2610f7
SHA256

86567d8ef2b4478c8c5752c8b12991565f905c90704d453c24129ae4f686b1e8
SHA512

d199b0f90cf7ca44cfc73c6d1494be864c6ac578b6667b36c3d721d7e617d1522b99ce310cc5c81dbebd24ad79f4615870e6eeccc4f95cd14701dab1312a2935
SSDEEP

768:EIIt4rHPsyDmBCGp8zvdtdlWnm4EVm0+N+lRmHP7d/uF/i+HKVVjHYeG3+fpDAVH:E9rB8zltc7YKVVDhDOV6ZK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ba81d74ae627de9e1196fc628093bc70N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Executes dropped EXE 64 IoCs

pid	Process
1532	Nnlhfn32.exe
4688	Npjebj32.exe
2500	Ncianepl.exe
4304	Ngdmod32.exe
4192	Nlaegk32.exe
2640	Ndhmhh32.exe
1460	Nfjjppmm.exe
4516	Olcbmj32.exe
772	Ocnjidkf.exe
4996	Oflgep32.exe
1116	Oncofm32.exe
4472	Odmgcgbi.exe
2576	Ogkcpbam.exe
768	Oneklm32.exe
1336	Olhlhjpd.exe
2880	Ognpebpj.exe
1972	Ojllan32.exe
4536	Olkhmi32.exe
4648	Ocdqjceo.exe
1080	Ogpmjb32.exe
2228	Ojoign32.exe
852	Olmeci32.exe
436	Oddmdf32.exe
4080	Ojaelm32.exe
3360	Pgefeajb.exe
2044	Pjcbbmif.exe
3012	Pmannhhj.exe
5004	Pclgkb32.exe
4464	Pmdkch32.exe
3268	Pdkcde32.exe
2492	Pflplnlg.exe
4172	Pmfhig32.exe
684	Pdmpje32.exe
1064	Pfolbmje.exe
3036	Pnfdcjkg.exe
4152	Pdpmpdbd.exe
3048	Pgnilpah.exe
1244	Pjmehkqk.exe
2628	Qmkadgpo.exe
4568	Qdbiedpa.exe
1428	Qgqeappe.exe
3196	Qjoankoi.exe
424	Qmmnjfnl.exe
3124	Qddfkd32.exe
4288	Ajanck32.exe
1636	Adgbpc32.exe
3052	Ajckij32.exe
2908	Ambgef32.exe
3612	Aclpap32.exe
4548	Anadoi32.exe
1888	Aqppkd32.exe
3992	Agjhgngj.exe
1404	Andqdh32.exe
2060	Aeniabfd.exe
732	Aglemn32.exe
3220	Ajkaii32.exe
1600	Aminee32.exe
1468	Aepefb32.exe
548	Agoabn32.exe
4976	Bjmnoi32.exe
2552	Bmkjkd32.exe
4864	Bebblb32.exe
1592	Bganhm32.exe
5068	Bnkgeg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	ba81d74ae627de9e1196fc628093bc70N.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	ba81d74ae627de9e1196fc628093bc70N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5724	5404	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba81d74ae627de9e1196fc628093bc70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1532	3988	ba81d74ae627de9e1196fc628093bc70N.exe	84
PID 3988 wrote to memory of 1532	3988	ba81d74ae627de9e1196fc628093bc70N.exe	84
PID 3988 wrote to memory of 1532	3988	ba81d74ae627de9e1196fc628093bc70N.exe	84
PID 1532 wrote to memory of 4688	1532	Nnlhfn32.exe	85
PID 1532 wrote to memory of 4688	1532	Nnlhfn32.exe	85
PID 1532 wrote to memory of 4688	1532	Nnlhfn32.exe	85
PID 4688 wrote to memory of 2500	4688	Npjebj32.exe	86
PID 4688 wrote to memory of 2500	4688	Npjebj32.exe	86
PID 4688 wrote to memory of 2500	4688	Npjebj32.exe	86
PID 2500 wrote to memory of 4304	2500	Ncianepl.exe	87
PID 2500 wrote to memory of 4304	2500	Ncianepl.exe	87
PID 2500 wrote to memory of 4304	2500	Ncianepl.exe	87
PID 4304 wrote to memory of 4192	4304	Ngdmod32.exe	88
PID 4304 wrote to memory of 4192	4304	Ngdmod32.exe	88
PID 4304 wrote to memory of 4192	4304	Ngdmod32.exe	88
PID 4192 wrote to memory of 2640	4192	Nlaegk32.exe	89
PID 4192 wrote to memory of 2640	4192	Nlaegk32.exe	89
PID 4192 wrote to memory of 2640	4192	Nlaegk32.exe	89
PID 2640 wrote to memory of 1460	2640	Ndhmhh32.exe	90
PID 2640 wrote to memory of 1460	2640	Ndhmhh32.exe	90
PID 2640 wrote to memory of 1460	2640	Ndhmhh32.exe	90
PID 1460 wrote to memory of 4516	1460	Nfjjppmm.exe	91
PID 1460 wrote to memory of 4516	1460	Nfjjppmm.exe	91
PID 1460 wrote to memory of 4516	1460	Nfjjppmm.exe	91
PID 4516 wrote to memory of 772	4516	Olcbmj32.exe	92
PID 4516 wrote to memory of 772	4516	Olcbmj32.exe	92
PID 4516 wrote to memory of 772	4516	Olcbmj32.exe	92
PID 772 wrote to memory of 4996	772	Ocnjidkf.exe	93
PID 772 wrote to memory of 4996	772	Ocnjidkf.exe	93
PID 772 wrote to memory of 4996	772	Ocnjidkf.exe	93
PID 4996 wrote to memory of 1116	4996	Oflgep32.exe	94
PID 4996 wrote to memory of 1116	4996	Oflgep32.exe	94
PID 4996 wrote to memory of 1116	4996	Oflgep32.exe	94
PID 1116 wrote to memory of 4472	1116	Oncofm32.exe	95
PID 1116 wrote to memory of 4472	1116	Oncofm32.exe	95
PID 1116 wrote to memory of 4472	1116	Oncofm32.exe	95
PID 4472 wrote to memory of 2576	4472	Odmgcgbi.exe	96
PID 4472 wrote to memory of 2576	4472	Odmgcgbi.exe	96
PID 4472 wrote to memory of 2576	4472	Odmgcgbi.exe	96
PID 2576 wrote to memory of 768	2576	Ogkcpbam.exe	97
PID 2576 wrote to memory of 768	2576	Ogkcpbam.exe	97
PID 2576 wrote to memory of 768	2576	Ogkcpbam.exe	97
PID 768 wrote to memory of 1336	768	Oneklm32.exe	98
PID 768 wrote to memory of 1336	768	Oneklm32.exe	98
PID 768 wrote to memory of 1336	768	Oneklm32.exe	98
PID 1336 wrote to memory of 2880	1336	Olhlhjpd.exe	99
PID 1336 wrote to memory of 2880	1336	Olhlhjpd.exe	99
PID 1336 wrote to memory of 2880	1336	Olhlhjpd.exe	99
PID 2880 wrote to memory of 1972	2880	Ognpebpj.exe	100
PID 2880 wrote to memory of 1972	2880	Ognpebpj.exe	100
PID 2880 wrote to memory of 1972	2880	Ognpebpj.exe	100
PID 1972 wrote to memory of 4536	1972	Ojllan32.exe	101
PID 1972 wrote to memory of 4536	1972	Ojllan32.exe	101
PID 1972 wrote to memory of 4536	1972	Ojllan32.exe	101
PID 4536 wrote to memory of 4648	4536	Olkhmi32.exe	102
PID 4536 wrote to memory of 4648	4536	Olkhmi32.exe	102
PID 4536 wrote to memory of 4648	4536	Olkhmi32.exe	102
PID 4648 wrote to memory of 1080	4648	Ocdqjceo.exe	103
PID 4648 wrote to memory of 1080	4648	Ocdqjceo.exe	103
PID 4648 wrote to memory of 1080	4648	Ocdqjceo.exe	103
PID 1080 wrote to memory of 2228	1080	Ogpmjb32.exe	105
PID 1080 wrote to memory of 2228	1080	Ogpmjb32.exe	105
PID 1080 wrote to memory of 2228	1080	Ogpmjb32.exe	105
PID 2228 wrote to memory of 852	2228	Ojoign32.exe	106

C:\Users\Admin\AppData\Local\Temp\ba81d74ae627de9e1196fc628093bc70N.exe
"C:\Users\Admin\AppData\Local\Temp\ba81d74ae627de9e1196fc628093bc70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\Nnlhfn32.exe
  C:\Windows\system32\Nnlhfn32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\Ncianepl.exe
      C:\Windows\system32\Ncianepl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        45⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        58⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        71⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        77⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        86⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        89⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        104⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 212
        113⤵
        Program crash
        
        PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5404 -ip 5404
1⤵
PID:5580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
49KB

MD5
39afafd386670c7adbf7b1163d1b0f0a

SHA1
b66bef5e13fed829d205d2f74b422030291d4e1b

SHA256
256dd548c910c47527ba8f4aff2903b26f3a8ede190a32fa66ea8a9492b9b156

SHA512
84afc22b46a03b0c6f32892dc346e3109decaaad330b1c29cab999bedd8f1dc13b526dcaee2353cdb778456cefe4174375c1c2619f5646ebdad852fcc6ba7c5b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
49KB

MD5
67ae3f7fa383556fccc322c710ddddd9

SHA1
fafb605ca176d65bfb12771901c99a2802744de9

SHA256
74ad2eeef00eddcb89083aca997b4d6c3c5edad28fda5786fea013d66779ca99

SHA512
9fc7f235b6cdc1dc6a2be2ce08c4d744b19a13e5820307a30d420f2cf7f7331b8218441009bbb70ee10297ef461bf00681d05a24adbfc270a7569cbe28a1d96d

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
49KB

MD5
015d57d7e550ac8010faae11da41e39f

SHA1
4528c94dd1ca6cecab485d8d6db809ad597cee15

SHA256
42d5b5a567f07091a81c4c81c7213f894a878e684d3f248b8bc0610a19d55013

SHA512
c91f26469ab21e086f66f837dc1a79eaa020bd25144eeae9571ce227427a966311b197d5669cb8728008b9719030abf5bb6f7ae25fcf093115cb10e9cf91ba59

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
49KB

MD5
896c03178dc06101c00a8015a31582fb

SHA1
0f256ab85a06b31070418cfda31b969ceaa51a47

SHA256
4857d4803c4924eafd5050c2aab09184fcf0accdb128d6fb866785597598dd16

SHA512
4682b0b850cc40e8d99834f95b494676a14b96fe536df3d342b2fa4de3f5bf262cb163719d224079f34bdc858f1ab54cb25986075d4a6f5fbe5a4aef7490bd90

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
49KB

MD5
87327e68ffd931023b33a30e0fb45ad7

SHA1
93902141f430e5828ffef0d5f6877b7b658881a9

SHA256
1be8196eaac64ca06eb329ba8cbe2e60b95e53a6da5117973f8c7c79a9b02c80

SHA512
512646a8f30f5e35c591ab1f71b0da7763b9e7a0e231204c6ed337e4a20732a8c2fdaef9e36f041a27601c082d2135dbc63493c5c83221969059b871a69be41c

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
49KB

MD5
5bac308a56558dcb7c5df1754e9917b0

SHA1
25dd5f5ba4add4cd99e202e576bca83fe8b44252

SHA256
dd1e34ee4b68ae9301912d7cf6ab64eda76e3353c36c44dbcefb0b3293104b46

SHA512
89d0f7bae305f58bf100d5cc2f355e63bfed6fc102d72a993dfeaa932780a24ab511890d44869a782fdcd351bfbe18a96718dd6d19ee16b9be3d4f879934a266

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
49KB

MD5
62e09de1310cf3f539e31444fe8b29a9

SHA1
3d66fed3dd68bd50e6713d9a0a847b88123180c9

SHA256
330bf3c0c9c49bd49d2d7d446ebe4182d2eb6fc3983cdfb6a2897cada1d8ee0a

SHA512
1398a5b8f126d0bebb503c5d591eb6d3552c1e7a714cf4b2a19843e09b3a18c46fa1e6cc5dd7642c4896bd8a25922f6ded20e4a31649bd2059aaa1ba48359ea2

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
49KB

MD5
c3f85e6ad66cbc5837dc82bdc81076d0

SHA1
04035568729cf73d5fcfe676d5367da6998d2153

SHA256
17cb01aa651be65d90ac785c4ee515def1aadb9c2955b229b5eb23c0c643b191

SHA512
7ef4d2b8b049ac31992096920ce5aa1bc24e3eb3946845708d3482726dde303303047686d7c4c340f0112e5426b8ac296ef275da175ab1a8574fa1d460546dd2

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
49KB

MD5
71055dfc9d32ad3356571d6e762209f9

SHA1
ef09432de46ddee05a0de668a9df4905c2b5b4c4

SHA256
6fd51f374fd7f8becdc4f9f45eb1db07d6b498cfab8ff97e31e1048242ce6c87

SHA512
14a83a2fc4e6eec0927d8666072ea991eab8ab4f5d302e2223473e58f37c139104c2b964d7124186270600d4e53cf220b4a005933a20f25c7319f327837099fd

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
49KB

MD5
2e10f698e96a36fe83c48d450ab10a7d

SHA1
28bfbcdacb9ab9ac88a3689a0fc3d41f106d0927

SHA256
dfb26e30ca9747974ea644d43ac49dc38de7315e1c679a4b0e544ae11a389a05

SHA512
daf092787e0e27194ab73c0f035956f78c78e7e51a1aac1ca2d880577ab3735ab60e762f07abd00201c2371bd079b008e902e730a082be2f49118037556c9b7b

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
49KB

MD5
036f3167f201162db3a567d25f9b09e9

SHA1
880292b6def7d9a5f1f5ca16a68da2be03626115

SHA256
9b5e0246698baf7f9477153153baa3ac81778db0b9fc20c4a5a670357c6d43c7

SHA512
79cfa17bbc5f9d051c043cdb143ae9c457a58d35b22d1e1b0ef1b2e69a9eee8975b72f9fc87292e12066c23a87f9f57406a25633499cf8f7ed3704b95ed081fd

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
49KB

MD5
f3710cccaf8f21fcc11bb49b0275f77c

SHA1
6a91325a6ad84abab1d391c7358d0fdd061eef3d

SHA256
f5d818684a4c150487bf3965d51566c70e4dcf1ab178b6e80d67d2223239d44c

SHA512
db15ce542ea59fc0f68734223df4b63c58708eb22eda9e0b0b4be0022729a80ea07fc1670c30cb3158020d1b134cee1c12daf8156eb20703c1996f562c1a79a7

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
49KB

MD5
ac6f9b4c82ff9af61d339dfc6b6381d4

SHA1
34de509d34bc5b85e29fca4162915584c6d22cee

SHA256
b10d55e9b1c7a8efbfaf485d58ca8864be9d1aaa0dc243ddf317f97da2224fe6

SHA512
315a31ef7cabd0cb662301071ab3db55dabe03d3f803de7466c332da74bf4e3410ef09b95427a2e3111f501c2ba18f7480d545f1d8426ec080cf4d2404485982

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
49KB

MD5
84c563433887f040d293f7eb7d6fbb13

SHA1
fed31e34f266681e8f38293694cc75ae78f517dc

SHA256
1346982ebb7bae573b8cdfeacc643c6de0b9efbc859f2c0be4b2850c5ba381d8

SHA512
14c7d9b9f704287f48246a0fecc015b89792d316a087844c8fd4c95cd0092f160e6aee198b75467e2beb82b6bd24e4a56a27a1d923cf54a31572edd92ee1a269

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
49KB

MD5
529d1053313ebc1ccf0e843c869e4e26

SHA1
5e2906717cafa4ddd75a78dba68ef52a8eadc9db

SHA256
71420666b3b3b116faf7aaef739d64d29323c0bcb4927045805436eedb5e8691

SHA512
775599fd585ed68e441f704b3e56d81cca128c9eb78ccc6a16843ce23c37fe23ab1a5e8798923d78c0ba783bf7515d0f5012b8836a4907005c5c05128ba3feeb

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
49KB

MD5
88d23242f8500419068c285cca7867d5

SHA1
1f3e061013631249dab82429649eee0b49f0d5b4

SHA256
411cebb438a5ee86b5ca59d8dfe86f0bd83e572b6d137ec83cd1cdde9ec82ddd

SHA512
aff6bd3f675baa349fa27b9fc7bde11eed70e0908c03a9444fa50a3bad4243e3eb0fd5acc14f4dcb70c155ced123aa7dd17d07160b22feb5dc2b35d9753a4733

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
49KB

MD5
5134a9e131d3bbe8fa918d937a29a688

SHA1
c1a81bb3195e7470a978f7c99e28143c6424ee72

SHA256
968b2d8e121c61c03001546712a588369a0578f1fcd3d7921f95d305ad0a5c67

SHA512
098490c993b4e810c569e9a2bf4039f01d5691149fd81b77aae27ddf7b9aee0eebe318e2b038d18d92e1d60aea5b0b13be3ed624151b80d22eba936209a4b60c

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
49KB

MD5
06a6b43d4caf8fec847857425f658c39

SHA1
454a1eb042aefc15b7549071d3b3376f7bffa56b

SHA256
b8c143e232996e04f15be9afd0ac83872df873ef2f69a7cfa43279770ac5a4db

SHA512
1e9a79c2e9f6b17c49f62dff7f167d5f2b7fcbea850430bb1742787a2866ea8734421ec33c7eaa0bf8de0397ee4917535c929094e47970a8f87ba6ea8090ec98

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
49KB

MD5
a697a19280162aed424cb18cd44c4606

SHA1
d561d954bd051ce662001a00ac61e086502f9a20

SHA256
3cfdac95709ca77b2897b7bbcfa75c82e566f2e77d127ba15bd7a7e20e732dee

SHA512
bbf0929e3c03547359692e1887c970228909c14171840a538a5e76795ea0504bf53c9539872370c80be1035ba04a9de0c46d56ad8ab0a010377f0a76ad70eee9

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
49KB

MD5
7aba659d9eb68b7311c592b8e65c4ea0

SHA1
25e26faae7cf63d982ff5ce9f8f20a34a1b9f8c5

SHA256
89473e32ad7c188b5dbdbc97693fcca5a437de5107dc1915007ac61970e233b4

SHA512
bc5dcc865003112f8866ba57d46376c0419e8ebe2f0ea690157937e3fd8a5ceed5f3bcdf0f32043c7aeccecc4f8d6a539b4ac0d9fd7b8c53b57815e431ec8aba

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
49KB

MD5
a8c7084d2dc52c190c38fc229fe393e1

SHA1
4018d0c3f1fe6e4c62fada1f50ff7cb479d6c7ef

SHA256
3bf67649d775c438093fcf64f0b9e4b78e47050b698b45a72fecbff1b7564163

SHA512
863d46da48fd0a67da48cbbec09fbc88aca22c335110b836e5300c50574f0c8b783d1c4f8259058eda1c76d40a9f4792846b519044603306812c86e81f8dbb63

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
49KB

MD5
f647772e95c883b021379f9b50d183d0

SHA1
c29cc07cb81a94f0f84d24188022c982f92c044d

SHA256
fbc30047f684fbfa884af7895084208db67c7aef4146c85b6a502d4b36081aa9

SHA512
d73e67bfdee4191941b749835a7f5f990f4eabfa4011ecb515cbcb39b8b62005093ed9962e91242bbccd79ce61f8825a24126fcec959e7cd1b866de68ca55f49

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
49KB

MD5
f2c9f6063f4e4593c768f08cefb2ac22

SHA1
9d8158a692acd2106bca18220bd20866e5fc9680

SHA256
e242a8a98d37e2baa004966a6a09a4326fd787d690cad701645eee60a20c8a29

SHA512
87c0f839ff86ebe0418ba2cf620640bdd7cd5a3060888798d6c31a741d43f27690d23c2f35f351b6f838585596a2b98b8e23981a3ac467fd56b6c89e834d60ee

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
49KB

MD5
90635bb9ba3a1a37b35b614c5e61f2e1

SHA1
bac791931e8cfe7d34f5444e3e8f195287cf8120

SHA256
82d54bde83ee6f4724f68810570432cef332570fdb410ba28497e65228f58930

SHA512
d1677a83fe6380f224c13d54380519044256a16f6def764f2868dc578ad2db4e24e96fcbd7c6ea164a01d48bed9e8f727f032ba3e4129352a695d9f8d3ace643

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
49KB

MD5
818ac0fe59d74854668f35b725482d1a

SHA1
a944c669e36c39e6dea05a4e959ba3c96857ac0f

SHA256
08bac4410202d0a0e4510e1865122f01da23ddfcb9f36bc2166f9625f44a87a5

SHA512
a244b802202c6d154e06dc6f02defda85dc627ce22f71249beef03d047a767273f3d440b61a27ed620d2a736105a6987cf84b933e9b2e904aec6a502ba33e9ac

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
49KB

MD5
0c2a38d2996c762174797303d5cded55

SHA1
bf8324e0af3747a6ab08906cc89df97287877e19

SHA256
4903baddb9dff04e74e69789a4e0663568846f51df56823f49f11c2e12deac73

SHA512
a9318fb339a11e9944e82263d908db645ba45adc9ae86a6a900211b220c4402285b2e9c58ab8d914e51d265201b553b0b49ca340c4f7a90915e8138217269a82

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
49KB

MD5
5c39097000fef5d9b2430a16b98f621c

SHA1
f450eacaa5c08bafbed3d609f9afc6bb05a56638

SHA256
8f1d8db237296a1c0b628ebb2f758ac9f0c384cb7e6679430825fa37d8aea505

SHA512
209b685f8a42bd6196c589b833de0867e31857f3918566c1632c8a012ba99a7456a4a7c423f862ebcc4368530444bfcc82e2b3ed04adf6d75c7a3f9cc0fb72c3

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
49KB

MD5
74ebaf661d25a22381424fd144b7695a

SHA1
c31ade0ea39d45a1a2370d1a46d4ddb7678249b4

SHA256
b71aff4486c2495f1271eb43e82a1aac01586ab6c9246f94cd327c73b43e49ef

SHA512
d4333a8bb4d36449b496c8f6261069f4e8a5a95f7921092c6bf5ee42fa2b2ed91c5c6e66ebe3c119c9644b66602805699cf4e07a6fb44eb9571fc429d0cde28c

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
49KB

MD5
22d2ae25fd7cf9ed311f0d6014a57f46

SHA1
28642b74a48d849a85bbb6c4e85216b216eaf49b

SHA256
8b232cfaa4f5583d84b9fb42438397ce8353ba21f404a373a9e425484fcccb4d

SHA512
4de09809c8f8f91e2ec66da8141af3da74db580b3ba3140d3e32597a3bfd1164af5fe5c5dc103662c677682c2bfb5f288efb150369ac00ed489dd5af090ca252

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
49KB

MD5
dd146bc75196bed246fd6a2898f31966

SHA1
769ef204f38d8084f121d794235799d104d39b03

SHA256
8939fca984cff7939758ae019b24c35e39217a3daf80aa5caa3f67b5674f4d4c

SHA512
cf856da6b6d72731dc10b5c38cb57531d4a71066ee50094b3b0009c79b9fa84e270abeb78331771dd905ee5d802d9f12e2f47debb76b1392b36deae0365f724b

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
49KB

MD5
39b25d9aed96d092aac8240fda5d5269

SHA1
e7781bf9b895be40d0480bad7f83e5d7453d7afd

SHA256
e6c6d9d0d53f81b9c71a72b565d5da2e131705a298212cc18ca3eb44b855e860

SHA512
3a83ab1870c82049d599ae36c25262a09bcb1786dad0c9ad467ac0e7f8969437441b2412c7c2d6a81133c50239d2ccac32dd38682c86b04582e7d506de63a876

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
49KB

MD5
38f6bd317523c1f3c31cb1c82d139411

SHA1
346481d458c2a5e74b1f8f7b1ebe2166e6a3fa63

SHA256
3812bf4b274b1b6e31153171b57ff7ef9d2746088f37e6ea5d777a16c348a538

SHA512
066f14984a160e194e0d612234f0f053cb126de4548072fcedf5b7a1f688ecdabf159b5fdf7598cb2d3269f90a6344499225440cb18a509f452bf0d9627ddba9

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
49KB

MD5
4f270bc5750629a65c45bb8fd449ba22

SHA1
94c7a776d936ac06b9087ed1484ca33378bd68d0

SHA256
c11f8590a170dc8e181e1a75051fa74a90ceddc98a5b644129b9291cdf3355f5

SHA512
dab8e1965b37accae5f3dbe23cb797876f6df068e7d174571bfc30ae3127626384392bd764df840a56f0a1ad1902f929ba73573c084b2568d81b6431a7fdcf38

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
49KB

MD5
bd8fc736456b731f30aa85d27b5e133e

SHA1
8bed1225fcd776f871998148ebc619ffbdec384a

SHA256
a547ff41de8fec069dd9ae74de9599f213f0cd3f91b5502b9dbf1f919f4872c3

SHA512
c7a84321776eebb26f8b52ecb3ad10b90a761ecfc85110c3f3d36518e76eec9b9ed2d2767220c695acf02b03bc87e031f9592e5eea260ec7ea75f3309e2011f4

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
49KB

MD5
ab6cec35b73e98500eea96818c93cf8c

SHA1
71fdf44a7cf5ed28706268db495fe6b8e76899a4

SHA256
e854de365172310f984cbfe4793a6807fe17bd05ce2ef6fd802ab4e1e351f047

SHA512
4e8a9c2b887f2d677f914151d795a55b0e9bdafc98b763f1c50ff41cbfe50ab7d92eb0be6a33907c360536fcfb9c1e3cbeb7bc237810eb09726753b7f638f9f9

Download Submit
memory/424-323-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/548-419-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/684-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/732-395-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/768-113-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/772-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/852-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/960-485-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1064-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1080-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1136-472-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1244-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1280-455-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1336-120-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1404-383-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1428-311-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1460-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1460-594-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1468-413-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1492-503-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1532-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1532-552-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1592-443-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1600-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1636-341-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1888-371-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1972-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2044-209-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2060-389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2228-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2492-248-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2500-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2500-566-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2508-461-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2552-431-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2576-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2628-299-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2640-587-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2640-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2880-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2908-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3036-275-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3052-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3120-509-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3124-329-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3196-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3220-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3268-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3360-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3472-501-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-515-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3612-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3784-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-539-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-1-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/3992-382-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4152-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4172-256-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4192-580-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4192-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4288-335-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4304-573-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4304-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-473-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4464-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4472-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4516-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4536-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4548-365-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4552-521-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4568-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4648-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4688-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4688-559-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4864-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4976-425-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5004-224-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5068-449-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5132-527-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5172-533-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5212-540-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5280-546-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5324-553-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5376-564-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5416-567-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5520-574-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5568-581-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5636-588-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads