6c5c4cb7dea57ba8e990536628fa07ffd0edebfa5e29cbfc060acd6265e8e14f

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac63eefff401bca9f02d01033ed70c40N.exe
Size

415KB
MD5

ac63eefff401bca9f02d01033ed70c40
SHA1

da0882658b2e01169a428bbebb42c93d5b5b7c05
SHA256

6c5c4cb7dea57ba8e990536628fa07ffd0edebfa5e29cbfc060acd6265e8e14f
SHA512

7eab309afd69f550edbf9b8727dc9fbc845527f6ab8da4109f6dae911835756b5b44f10676d1ad88afe2f347a6416b2d73301c5eac8a688d25ea0e51eec37cf6
SSDEEP

12288:6EoWj7NtInBBBBBBBBBBBBBBBBBBBBBBBBB0kfBBBBBBBBBBBBBBBBBBBBBBBBBt:Dklp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe

Executes dropped EXE 64 IoCs

pid	Process
428	Mmbfpp32.exe
2352	Mpablkhc.exe
4776	Mnebeogl.exe
884	Nljofl32.exe
2912	Ngpccdlj.exe
1396	Nnjlpo32.exe
636	Neeqea32.exe
3236	Nnlhfn32.exe
1976	Ncianepl.exe
4788	Nfgmjqop.exe
572	Nlaegk32.exe
3712	Ndhmhh32.exe
4688	Nggjdc32.exe
1480	Ojgbfocc.exe
1956	Olfobjbg.exe
2564	Odmgcgbi.exe
3528	Ojjolnaq.exe
3304	Oneklm32.exe
2280	Opdghh32.exe
2140	Odocigqg.exe
532	Ocbddc32.exe
4512	Ofqpqo32.exe
5068	Ojllan32.exe
4368	Onhhamgg.exe
1940	Oqfdnhfk.exe
3124	Odapnf32.exe
2816	Ocdqjceo.exe
2984	Ofcmfodb.exe
4724	Onjegled.exe
4296	Oqhacgdh.exe
2452	Ocgmpccl.exe
4176	Ogbipa32.exe
4288	Ofeilobp.exe
4736	Pnlaml32.exe
2028	Pcijeb32.exe
4732	Pgefeajb.exe
2772	Pfhfan32.exe
2348	Pnonbk32.exe
4972	Pmannhhj.exe
960	Pdifoehl.exe
3592	Pclgkb32.exe
3752	Pfjcgn32.exe
4060	Pnakhkol.exe
2324	Pqpgdfnp.exe
3604	Pdkcde32.exe
2604	Pgioqq32.exe
3332	Pjhlml32.exe
1108	Pmfhig32.exe
2420	Pqbdjfln.exe
4352	Pcppfaka.exe
3280	Pfolbmje.exe
4768	Pmidog32.exe
2908	Pdpmpdbd.exe
716	Pgnilpah.exe
3628	Pfaigm32.exe
4556	Qnhahj32.exe
4500	Qqfmde32.exe
4472	Qdbiedpa.exe
1008	Qgqeappe.exe
2192	Qjoankoi.exe
4540	Qnjnnj32.exe
1724	Qqijje32.exe
1508	Qcgffqei.exe
1076	Qgcbgo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5856	5456	WerFault.exe	212

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 428	4876	ac63eefff401bca9f02d01033ed70c40N.exe	83
PID 4876 wrote to memory of 428	4876	ac63eefff401bca9f02d01033ed70c40N.exe	83
PID 4876 wrote to memory of 428	4876	ac63eefff401bca9f02d01033ed70c40N.exe	83
PID 428 wrote to memory of 2352	428	Mmbfpp32.exe	84
PID 428 wrote to memory of 2352	428	Mmbfpp32.exe	84
PID 428 wrote to memory of 2352	428	Mmbfpp32.exe	84
PID 2352 wrote to memory of 4776	2352	Mpablkhc.exe	85
PID 2352 wrote to memory of 4776	2352	Mpablkhc.exe	85
PID 2352 wrote to memory of 4776	2352	Mpablkhc.exe	85
PID 4776 wrote to memory of 884	4776	Mnebeogl.exe	88
PID 4776 wrote to memory of 884	4776	Mnebeogl.exe	88
PID 4776 wrote to memory of 884	4776	Mnebeogl.exe	88
PID 884 wrote to memory of 2912	884	Nljofl32.exe	89
PID 884 wrote to memory of 2912	884	Nljofl32.exe	89
PID 884 wrote to memory of 2912	884	Nljofl32.exe	89
PID 2912 wrote to memory of 1396	2912	Ngpccdlj.exe	91
PID 2912 wrote to memory of 1396	2912	Ngpccdlj.exe	91
PID 2912 wrote to memory of 1396	2912	Ngpccdlj.exe	91
PID 1396 wrote to memory of 636	1396	Nnjlpo32.exe	92
PID 1396 wrote to memory of 636	1396	Nnjlpo32.exe	92
PID 1396 wrote to memory of 636	1396	Nnjlpo32.exe	92
PID 636 wrote to memory of 3236	636	Neeqea32.exe	93
PID 636 wrote to memory of 3236	636	Neeqea32.exe	93
PID 636 wrote to memory of 3236	636	Neeqea32.exe	93
PID 3236 wrote to memory of 1976	3236	Nnlhfn32.exe	94
PID 3236 wrote to memory of 1976	3236	Nnlhfn32.exe	94
PID 3236 wrote to memory of 1976	3236	Nnlhfn32.exe	94
PID 1976 wrote to memory of 4788	1976	Ncianepl.exe	95
PID 1976 wrote to memory of 4788	1976	Ncianepl.exe	95
PID 1976 wrote to memory of 4788	1976	Ncianepl.exe	95
PID 4788 wrote to memory of 572	4788	Nfgmjqop.exe	96
PID 4788 wrote to memory of 572	4788	Nfgmjqop.exe	96
PID 4788 wrote to memory of 572	4788	Nfgmjqop.exe	96
PID 572 wrote to memory of 3712	572	Nlaegk32.exe	97
PID 572 wrote to memory of 3712	572	Nlaegk32.exe	97
PID 572 wrote to memory of 3712	572	Nlaegk32.exe	97
PID 3712 wrote to memory of 4688	3712	Ndhmhh32.exe	98
PID 3712 wrote to memory of 4688	3712	Ndhmhh32.exe	98
PID 3712 wrote to memory of 4688	3712	Ndhmhh32.exe	98
PID 4688 wrote to memory of 1480	4688	Nggjdc32.exe	99
PID 4688 wrote to memory of 1480	4688	Nggjdc32.exe	99
PID 4688 wrote to memory of 1480	4688	Nggjdc32.exe	99
PID 1480 wrote to memory of 1956	1480	Ojgbfocc.exe	100
PID 1480 wrote to memory of 1956	1480	Ojgbfocc.exe	100
PID 1480 wrote to memory of 1956	1480	Ojgbfocc.exe	100
PID 1956 wrote to memory of 2564	1956	Olfobjbg.exe	101
PID 1956 wrote to memory of 2564	1956	Olfobjbg.exe	101
PID 1956 wrote to memory of 2564	1956	Olfobjbg.exe	101
PID 2564 wrote to memory of 3528	2564	Odmgcgbi.exe	102
PID 2564 wrote to memory of 3528	2564	Odmgcgbi.exe	102
PID 2564 wrote to memory of 3528	2564	Odmgcgbi.exe	102
PID 3528 wrote to memory of 3304	3528	Ojjolnaq.exe	103
PID 3528 wrote to memory of 3304	3528	Ojjolnaq.exe	103
PID 3528 wrote to memory of 3304	3528	Ojjolnaq.exe	103
PID 3304 wrote to memory of 2280	3304	Oneklm32.exe	104
PID 3304 wrote to memory of 2280	3304	Oneklm32.exe	104
PID 3304 wrote to memory of 2280	3304	Oneklm32.exe	104
PID 2280 wrote to memory of 2140	2280	Opdghh32.exe	105
PID 2280 wrote to memory of 2140	2280	Opdghh32.exe	105
PID 2280 wrote to memory of 2140	2280	Opdghh32.exe	105
PID 2140 wrote to memory of 532	2140	Odocigqg.exe	106
PID 2140 wrote to memory of 532	2140	Odocigqg.exe	106
PID 2140 wrote to memory of 532	2140	Odocigqg.exe	106
PID 532 wrote to memory of 4512	532	Ocbddc32.exe	107

C:\Users\Admin\AppData\Local\Temp\ac63eefff401bca9f02d01033ed70c40N.exe
"C:\Users\Admin\AppData\Local\Temp\ac63eefff401bca9f02d01033ed70c40N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Mmbfpp32.exe
  C:\Windows\system32\Mmbfpp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\Mpablkhc.exe
    C:\Windows\system32\Mpablkhc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Mnebeogl.exe
      C:\Windows\system32\Mnebeogl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        24⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        35⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        44⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        54⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        71⤵
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        72⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        74⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        77⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        83⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        85⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        92⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        111⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        114⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        121⤵
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        122⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        123⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 396
        129⤵
        Program crash
        
        PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5456 -ip 5456
1⤵
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
415KB

MD5
ed43859853eb3bdf5eb1e6dc4a9c0991

SHA1
b9055110582e013857dc6da3890a665c210f4531

SHA256
23aa9824134a98acaec79f4bbd7f859d28f728c7b92de73535e7dd18b1b49f52

SHA512
ed556c1429a6e49cb96e7b46d1da371d969695b482c085c70360a8b5f8de9b5dcdfe9c3d85d804c0c0173e12beb5cd8f4724687ca8ca3586612a98586fa0ab16

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
415KB

MD5
c3150427ae873e0816ed1875b2433c34

SHA1
ef28f3bca182b18e7c1129f50a366e4bfa8d8f81

SHA256
7d6ccf937d48b9ea8a4cffa234268e97d4e9c79bf277183d880164d19b094a69

SHA512
072c52a91c96f219f5c2d33b807cb1c9881dba94110af9676979ddec9c0dbef8a2465e9d9c348fe78547e106a2e6f563a84a055464ef9136a0d7f2f83931d4b3

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
415KB

MD5
a169b04224eab3e09b85782bc241b24a

SHA1
bdc69a8f03660930d1096eca169fd61fa9810c7b

SHA256
5fa0bb0b1e0fafe123d6b2c500ae810486b2f2543c1ee853cc337ad0ec8e9910

SHA512
a4ac435c6d6ebfb1a074c97792a219f0d02a9fd7e75e9cea8e1538fb3b741ff7620d7f90adf3bec22510b1b36f324da10b0cc9146f4fedc30e58c5a8d633107e

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
415KB

MD5
6c925d671d9c2c890fa336de77f2a44c

SHA1
b0f93bb10f0d5d24ee802a2ec5d8618321d957fd

SHA256
542f4281699ad05faf81be1325a4b89c51c2ab8502a931bf7792ba5b637caedc

SHA512
dac0d38348081fa48213e3b78615c7e5d7c63d2bf9b595c3a48fceedc895fb4adc392b0d99ff4b9a40e71a91b673ebde62b72de4da849e617834763c935e05f6

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
415KB

MD5
6b3bbf31d7edabd8a224d285f64a9a42

SHA1
d9c1d7a4e0446e2b2370ec77f69baf1f91c40b3e

SHA256
ec203bbf08435e83e40433c8c802c417013b3e3f342d389d7163beed974c6068

SHA512
403a001d1229731169347282f0824e27b782584f65704f44b7903b062524ecd402ccc36fc8b755febf40dfb20a1367abba644668de648afd6baa86e757ad3bf0

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
415KB

MD5
cb29df0d708dd80bf8bb8081de78114d

SHA1
436ffdc1a775e2d6aea4b7172eda4d661bc979b1

SHA256
c4b8d1a0e0c4533131f1ebc18cef6ddce50773ec77ca13d54d9c509842aa2c99

SHA512
18d7397ec7f16ffe5f6030f84cdef9166261a23a238c8f4470c431906b3475c05a4b36dca98b32f1d6c412ec35d7b87b964f22652b04f97e4d077c08e1a43639

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
415KB

MD5
e6affdf6d008b1c4275dcbf84cf611f7

SHA1
0f46d125bf982f5500c3ac05ce7ac0f0815bf2ad

SHA256
9273aa5eea8ab2f39fc6041d7be0b3c2b1f3516f7dc55c5706f9bb62117db1e9

SHA512
4b7ad30dd6abb762e74dccee991b8a764f7c6f1dbd9f284e03d87095085fd0c34a11092e5f03052564937c7680ed59375f70a9db500cd6735edcab247187bd6e

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
415KB

MD5
49547101bb0769f3bbde633027d98c73

SHA1
70028fb12740d52f9d797247b6af40f49997277f

SHA256
f9904125d4d03faa2c5e81e6b0623b9a84bbf60541d122a718c7825d17bdda2c

SHA512
5722b5b9834c3d641e82629138a7bade88312c6727b69d6063e169bad37cabfe695aea6881c085870e4b2771aa83c402dd086957c66aad437651ab6f1ed32854

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
415KB

MD5
0860c293c1023679ad7983f07caf370d

SHA1
5bc3c12048791a660077975808ebb16f6e42848f

SHA256
ea8fccdf5b7782b66fab5c8e5eda5862b96016b9332b168800458753804ebf71

SHA512
e21dcb17cb804ae90b48ca6c38bbc50c25a7f1756984c983f1d633a072f6ebe141928f773301e31c107e389e3e8c8a677bd7b8737c6f879a8442978b787158f1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
415KB

MD5
d9d8988834170325df475dfbfa2b8f28

SHA1
e56a7015dd9daca645310ed5ede90c3cc5b545b8

SHA256
eb8b500a5291c3343a8851b24583ed3a4d9db0b21b085d596049d8b0af75f2d2

SHA512
df912f2c442e042bbce1d952306f2c712a18cacfcedff9712fe874ac4dfbf5ae236cafe4dfb25ff25e67aafed3f9b926a36929d32344444c71f175f6cb28ae37

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
415KB

MD5
4b4fbfb9e9758d957276df72342eefc7

SHA1
db7f9785ce55040ac99142a85d823dff8f5076ea

SHA256
6a4f80dfb675ed628cde5ec8942359e0479c84d6a06c8d12b1ab69212af9b200

SHA512
cee21c9556daf7ffff6a4c81b7dc40f3fc0d6870efce02b457ceeab0dc81ff7047517df13a38e7658c843f34025acf5b4f19036c30c4e7a86ecfebe9ae080f48

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
415KB

MD5
8f3178c67517ba17094362a25b960a22

SHA1
8bfa1bd80107fff69d2f956638711f782940cd11

SHA256
9f273d0186a045dad0d896c6122d1abd388d1d50d3b119b7a84b051de4d372e5

SHA512
5d1985bc03ada79307dade64e7850f6e3a0efae348922dbecfd9f4c6bfe5abbd6a07ee51b0d5f0e3ae3dca8a7fe91bfa8a1dcf4a6647f3c9a0d1594a9a219e7d

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
415KB

MD5
c162dc88b186ad0383ccfc16ca24bbfa

SHA1
2569978c4d850b2ccb066d36d8718678bdeafac7

SHA256
69c0a47065cf652c0a9784c4b0f4c7dd8704d6f1f61aee19985c7e7e2b15be8a

SHA512
c680e1db3db08188e3be1865f1d6d5a6de0cb486400cb90d9775c9e888eedbf310879ecd5117955769becac8703813adfb9e68caf531c7a57dd7c930e50e63bc

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
415KB

MD5
c010e5a7a6e3e9d7bd3822918aa713c9

SHA1
2b9fd3c69e800f2153033fa86fdd764d8ed00e2d

SHA256
5520ee0cfdba5b75ee417960cd94c6a5172c840bdf39f2a2693c889f27da5f1a

SHA512
093a6b1be07d515071e81450fd4f1871f446ea70bac24663dfe9c27a06ffff11a5aeb9c31cbcd5a6d610685b722555dde928174809ebe1cfd5113ccb1b44ef6f

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
415KB

MD5
8a32e6ea53cb2b318d6ac2509d483795

SHA1
bec6ac3adcdf6340ce544bcbc7683c4b86acc983

SHA256
f389afbca5ca836a80fcfbf5f006f5daa364f8e2dd02791c794d9179f362c496

SHA512
249159383419ba86d54dfc51dc63393547d4a07285e3a00addb9ac650f83a28357d9ea11e11604d423779e4cc75329af6d16a2bde80092c7663a4814951c34ea

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
415KB

MD5
85009bf5018e1986e6163b5524668c2f

SHA1
020c20b4c2bddd3aa2fc5a3b461aabe7ea1176d7

SHA256
608899f4ba8b407b0b8607ef5b226862917a638db173789aa96de648a6ecb16e

SHA512
e5e2770cb5654318a38fd648f87c24e528770a0bb5c44abdd3273eaeb0c254b532171146275b278a0c30ed2905e9596082b236e665faf2fa68bc680facc70058

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
415KB

MD5
3341417cc08361065077590a656ff930

SHA1
944c0ab9073c9ac33fe13bae0a191eb50bfea6bf

SHA256
7cf929eb5813d7c113b1f837c94a3c38b0018824d57052bc0a8283470c0f8fd2

SHA512
a5c1d494cde48cac7c37fa12788d621654e87d5b65f6466d65011e51b9388b4f00dee675aa0b87b978ddad868dbc2afa969f2aa0d5b71ddf2b7330fda400f346

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
415KB

MD5
300cce8a05b4d5497402598c019258af

SHA1
da3232c1440ba285fb7f651e2e842517c92665b2

SHA256
46651d2c9c14dbaae80153a6a624c86852d62e7d3b5345d934daba1d3287ddeb

SHA512
e82802eb6d4e09b5dd36a6436471f3980c9a571179ac401229f2682482b3aaab846777c5553d3bec12eafc3109d729deb3c734d16c79193a1284ec0ba0956010

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
415KB

MD5
d05e4a5325c37afea0ccd5be0a146d7b

SHA1
03c29780031db3b7b3810254f7afbd789682b35e

SHA256
42c7327305950fe6514e9b84d42cc173a36ef2ab8c675f8970b42d879d670bcf

SHA512
d328c571c46df3e293524be9e8d7e400ef9cfc7e1e446d1e66855b83754377f11bf15fe0caee1c42e9095bcf5fb6e9274757a9ce637059a12a3c50550371fd4a

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
415KB

MD5
d91e76b19e878191bac2602f582b8951

SHA1
15b814e8701da5fa05501a1ced583e73a442af37

SHA256
e5f2ce8b31b20e25a097f019bcbbc4b70ecc16959961eec871fc14dbd923afe9

SHA512
798a910178bd85ffc221267f7e8aa92b87d281bd28b71e6bf5315929dc97d9f4fb16bb93c6f3e5baad715785670b3f47b6f872bb6e87d865a95a8ba2ea3a9512

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
415KB

MD5
43f950e2669737e5a0f847c0a5f9cf70

SHA1
c7ea9bc6cf4aadfcc5e14f2940f39ae92ea31426

SHA256
871183307b231c70f2038693840e20965691a9cfeef265184293e4a73daf890d

SHA512
1d5e8aacfc2cf4265285ef377e89566e985b7b6c3dbe18099da47d000fdf34424f8e1e5740397075d84951220ab514b901ccab0e70cf1d28c80a1bc0ed5a1e59

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
415KB

MD5
01316a8a3d90d6f99588d72dbbaf7333

SHA1
538b63fc78000778f73793566ad79364d3ae6fab

SHA256
49433e74cf88f88b8b0a5150e6bcd8bff343e3bdd0d0e6c69fcf7679f4ab959e

SHA512
9e13f5a3a66fb78bc046094a9f8c0ecc299fab7bd23191655ab91c7e76240604d1b9ecb28569be413729e86f48bfd5a597de9f398530a55b195c70d4609627a5

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
415KB

MD5
3432b261760cfc5df27e940f3449001c

SHA1
f21885c8e1c3c2e7aeba6a99d6507ec18d1b681a

SHA256
25c0f55629a5e68a76db93f2cd25b5aff8f3c86f920de11a3525c6bb9f75127a

SHA512
e53202de5c2f466a3d7a8f05ffc5ee4fc9d5b86110cde4f97263b8e4ceb3883f1659a973f0c94bd9ba865bd9874f6814cf8856f627dc99dd229bfec3de36e219

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
415KB

MD5
9884f64ef3f6a0bdc719771d8a28a49a

SHA1
f1289070cf599455c2de83e38d59dee2d4f5f163

SHA256
edd35a413e9ccb2f5809592b373ff24e31fba6b9d7af59cd02c7450f20a8b1ae

SHA512
c7a856b76d1ce1c89fdd4f93cd1b2c858770afff89dd7d15df2fa9dc455a211ed08e1e1606ca0f6aca81c747d5d0874daea37a40627cc0b5c3315efd36a63e3d

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
415KB

MD5
73325228c2949e8bef9cdd10e51b815a

SHA1
ea45a76076b387c729ede021e973481e6699064a

SHA256
6361c0f8b14d6237ebe5ef7d553194eefc1691bd5b13f2efa1e5bedc64e23ccb

SHA512
ffa2a0054604a26cf2ef7983baa8999bd2a324caa7385b82703158c7a45b30f430f2b9658577d5faa9b56d997c33951447585b64d02dba8f2c4d52b1d3f981c8

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
415KB

MD5
4e92c4bdba816f5eb4e643ea119e850a

SHA1
3deb1e325610d4202e8d2746f843664ef5a308fa

SHA256
1a84a816ceede52a036bdb061a1c2c1ba96a9c25738c55383c1bf2ca9203cb99

SHA512
fdc2af68a8c37dfadda99e0bf5265111f33cc0b3aa954ac99354e7385b4155aeb18694b3ba572b3f7dfccadde399e6617e58e8038e5f63ca07073a677ae9c0bc

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
415KB

MD5
a949c44611d28a7d19d940de5aea1b73

SHA1
d2e6c33ec8878389b07cfc478572ab7f5b961852

SHA256
45f62bf35ae4f951081442788a43bfa12018442ff77763fa430ee1fc912c93fe

SHA512
7288680e9798738c68940c797fbebb9d4226bf6c7b41c09e44a4c67371b9efac0a8370738f0b6251bcc73083d8d029ab177a753d6bc54c55d634a9de9c89ed54

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
415KB

MD5
b8033bb40052138043755dc104179dc7

SHA1
af499ebee4575a75c23bf822d793b1f2b747928e

SHA256
355a034d4f150fd04cb9bea2372ec10d2597a158b4b1112ff708d2399f0d1883

SHA512
4975c0d95170fd5f4774de248385f9bbb5928c3315556885eb9908c79573a045f870586f7d127244e65631c3137ddba42803c9f1704a039c242c7dd1f67ccdb5

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
415KB

MD5
21fb5bb39d2290afff236e24cc0b5ea0

SHA1
096eef4740d5642a7b2839fc03528d8fbbeb87f0

SHA256
a6bf79fd7485895880c5096ceafa80850eaa3d1faf5d04dca476b4a35c58c4ab

SHA512
47b14db0dd393c8e71f42d4fc3e7b693bd7dd5ba59094bf1892efbb3eb3c13a6c5301a461a714495d33f9632432adc0d4377758c6b7f8e21b6b0e66775991fb7

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
415KB

MD5
2e3f6ffe59c48e35ee81cf48051bea31

SHA1
91e4a3b25998cbab43146bf4abc7fe79aebb5c39

SHA256
7f44989a3274bd2af1b36079406794c896b46f0db21fa2fccb71a2784f0f480a

SHA512
401a9922df295c502711a38bbcd68f6b3f9b8d5e0ea12a1767f78aee605dc57da3f10e2de5ae99ad8e89ca5b1d3291e12742ae02bbe7c75221e776220341dc41

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
415KB

MD5
91f12a88a9162c9789dc76d5b517dcac

SHA1
d064c917e6178ca420f0bb95a87cd95572003d8b

SHA256
fd4406fd6a9a805819fa2379f0e0a34df352ca1e10ea1d43486344f09221ab52

SHA512
6e4bcc8dbeda945a3c470fba3123fe74be9597d4386bd26860bd719f50996b94d67c1d2120e05f86117561979deece23517ae19d2559ae2bcae1113f5d375f62

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
415KB

MD5
ddf43624fb24321b708663ee52fecfe0

SHA1
ad14c29e9317b54fb3b3d7eb842a1597ccaff631

SHA256
f92b84bec9aaeac2d3af22661da9858bc262494473a6ff3a119c4be64ee3a6c5

SHA512
9a9d49e13d5243e40000f9ce2053f26fce45aef85d98970577701ac2e93a4f9c39bf5d638c2618ae60ff0071f29e32eddc6bd3a9a2ed3df59923e324ce5b2f90

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
415KB

MD5
ec52c58365cff0d94b455204dec6b327

SHA1
093917f4de958c71ccb4c90879ff736e0664036b

SHA256
ea3b8be8731861b42aea39563437a5baeda6a4114e468b08d65e79e8390317e7

SHA512
673d35ca8efe2047de34bf5a00bdc79d9a4bcd830a2e783490a6c0692fe4b76c6262e2daf165f9b8d5229f7a70100491a96d40f5afde5919a61ac36d18066af4

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
415KB

MD5
1cf2afff596f3bae0ad3118f02addc89

SHA1
d1a48276502b5e179e93f1b811e4ac2bf365599e

SHA256
ab7ea44715c302c0fc33eaff9abfb230b1c565f4ab530a9db5d56e1d14a88023

SHA512
ba9e5f226f84ea1a2933929a4a5d9a6b05e7a53aff6056e2b7dc52415de41f1f952035574151fee330be6053854e9b740ef2bde0c604956243eb2136b13b48b7

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
415KB

MD5
ae8f1a99dc47eee72711a4793ea71b24

SHA1
d475d4477d2f9047cf687fb8753b9887a2cb8422

SHA256
0fc49b377ea719b02aa4df9ca7722992ab8c9d8f66a5ea3a11da25bbd94f8413

SHA512
c09ef333b4db89459cffcbdc5eea2b283c9069f44be1ce0955de0e54999c6a520416dfbb7ce3ae560fee862d4d4fd473e3457c1222719bec10dd60a255f3d96f

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
415KB

MD5
665d08d0ef2ea27b8b851a7f169bc626

SHA1
d5690896c9884d2dad140b7c14b88dd091335f7c

SHA256
61b9bdd06347fc449d1e3ebc13e734c0129075f3b1a6f91f6bf2b8c2a775fbf5

SHA512
9638bb76c9301902953c635357b72bbb2ba0400c8cb55aa2043c91e0e9a2eea38e7b687de133989d9f814f38eb3690f75062a02a8be1fd6205906eed70df5609

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
415KB

MD5
21706c095fc8f486c420e44641fcde81

SHA1
8d327ef7cce82de70024fbd6c59994186492c7ff

SHA256
c704b00ce43d6eaac9f588c67a9028323bd1d806915ebc0a1e203e880f245710

SHA512
b4b15a7221f509a3942ab536dae2b57b55a29b1916cab5f9578e641e9d65a2b0d111fbe5274fa0ad9594a38c19d0da82b204f4ba7fd077eed06f2e8b14f0cc74

Download Submit
memory/428-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/612-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/716-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-881-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4724-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5176-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5216-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5256-513-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5304-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5336-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5376-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5416-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5460-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5500-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5524-875-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5540-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5584-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5624-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5684-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5760-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5804-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads