b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe
Size

55KB
MD5

903c22789b9be6e0db080a7559af4e50
SHA1

16586a2e4640856d4cf7937b75a43cf63601cda7
SHA256

b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa
SHA512

981d507af63d83a1c29be45588bab615a832e7714aca8be05f1b165f6335ebcedebbf966e5cf126dfccc182dd8c7dfdf307ea115b500620395da11fc3d993f92
SSDEEP

768:ck2uGSwhGmmsHgE1Hqmi3iopqACSMivhsg7NxkzfPdYW4o8tihboJZ/1H5hPtXdh:cHhGVIgioplvhvNxSfPdYXdtt3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe

Executes dropped EXE 64 IoCs

pid	Process
4780	Miemjaci.exe
1584	Mpoefk32.exe
3264	Mcmabg32.exe
4500	Melnob32.exe
4024	Mlefklpj.exe
3564	Mdmnlj32.exe
1944	Mgkjhe32.exe
3340	Miifeq32.exe
4004	Mlhbal32.exe
628	Ndokbi32.exe
4828	Nepgjaeg.exe
1432	Nngokoej.exe
2436	Npfkgjdn.exe
2752	Ncdgcf32.exe
2372	Nebdoa32.exe
5064	Nphhmj32.exe
868	Neeqea32.exe
1188	Npjebj32.exe
3796	Ncianepl.exe
4776	Nfgmjqop.exe
2632	Nlaegk32.exe
2620	Ndhmhh32.exe
1920	Nggjdc32.exe
2760	Nnqbanmo.exe
3136	Oponmilc.exe
3308	Ocnjidkf.exe
208	Ogifjcdp.exe
1232	Oncofm32.exe
4356	Olfobjbg.exe
3724	Ogkcpbam.exe
560	Oneklm32.exe
4464	Olhlhjpd.exe
4008	Ocbddc32.exe
4496	Ofqpqo32.exe
3704	Onhhamgg.exe
4996	Odapnf32.exe
3056	Ocdqjceo.exe
3108	Ofcmfodb.exe
1976	Olmeci32.exe
4752	Oddmdf32.exe
1568	Ogbipa32.exe
1404	Pnlaml32.exe
3700	Pdfjifjo.exe
3272	Pfhfan32.exe
1192	Pjcbbmif.exe
2544	Pmannhhj.exe
1100	Pdifoehl.exe
5032	Pggbkagp.exe
3096	Pnakhkol.exe
384	Pmdkch32.exe
3592	Pdkcde32.exe
4076	Pflplnlg.exe
4344	Pncgmkmj.exe
3900	Pqbdjfln.exe
4868	Pgllfp32.exe
4116	Pjjhbl32.exe
2484	Pmidog32.exe
3076	Acjclpcf.exe
4000	Afhohlbj.exe
1916	Ajckij32.exe
1088	Ambgef32.exe
4696	Aeiofcji.exe
2708	Agglboim.exe
4272	Anadoi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	5416	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4780	4596	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe	83
PID 4596 wrote to memory of 4780	4596	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe	83
PID 4596 wrote to memory of 4780	4596	b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe	83
PID 4780 wrote to memory of 1584	4780	Miemjaci.exe	84
PID 4780 wrote to memory of 1584	4780	Miemjaci.exe	84
PID 4780 wrote to memory of 1584	4780	Miemjaci.exe	84
PID 1584 wrote to memory of 3264	1584	Mpoefk32.exe	85
PID 1584 wrote to memory of 3264	1584	Mpoefk32.exe	85
PID 1584 wrote to memory of 3264	1584	Mpoefk32.exe	85
PID 3264 wrote to memory of 4500	3264	Mcmabg32.exe	86
PID 3264 wrote to memory of 4500	3264	Mcmabg32.exe	86
PID 3264 wrote to memory of 4500	3264	Mcmabg32.exe	86
PID 4500 wrote to memory of 4024	4500	Melnob32.exe	87
PID 4500 wrote to memory of 4024	4500	Melnob32.exe	87
PID 4500 wrote to memory of 4024	4500	Melnob32.exe	87
PID 4024 wrote to memory of 3564	4024	Mlefklpj.exe	88
PID 4024 wrote to memory of 3564	4024	Mlefklpj.exe	88
PID 4024 wrote to memory of 3564	4024	Mlefklpj.exe	88
PID 3564 wrote to memory of 1944	3564	Mdmnlj32.exe	89
PID 3564 wrote to memory of 1944	3564	Mdmnlj32.exe	89
PID 3564 wrote to memory of 1944	3564	Mdmnlj32.exe	89
PID 1944 wrote to memory of 3340	1944	Mgkjhe32.exe	90
PID 1944 wrote to memory of 3340	1944	Mgkjhe32.exe	90
PID 1944 wrote to memory of 3340	1944	Mgkjhe32.exe	90
PID 3340 wrote to memory of 4004	3340	Miifeq32.exe	92
PID 3340 wrote to memory of 4004	3340	Miifeq32.exe	92
PID 3340 wrote to memory of 4004	3340	Miifeq32.exe	92
PID 4004 wrote to memory of 628	4004	Mlhbal32.exe	93
PID 4004 wrote to memory of 628	4004	Mlhbal32.exe	93
PID 4004 wrote to memory of 628	4004	Mlhbal32.exe	93
PID 628 wrote to memory of 4828	628	Ndokbi32.exe	94
PID 628 wrote to memory of 4828	628	Ndokbi32.exe	94
PID 628 wrote to memory of 4828	628	Ndokbi32.exe	94
PID 4828 wrote to memory of 1432	4828	Nepgjaeg.exe	95
PID 4828 wrote to memory of 1432	4828	Nepgjaeg.exe	95
PID 4828 wrote to memory of 1432	4828	Nepgjaeg.exe	95
PID 1432 wrote to memory of 2436	1432	Nngokoej.exe	96
PID 1432 wrote to memory of 2436	1432	Nngokoej.exe	96
PID 1432 wrote to memory of 2436	1432	Nngokoej.exe	96
PID 2436 wrote to memory of 2752	2436	Npfkgjdn.exe	97
PID 2436 wrote to memory of 2752	2436	Npfkgjdn.exe	97
PID 2436 wrote to memory of 2752	2436	Npfkgjdn.exe	97
PID 2752 wrote to memory of 2372	2752	Ncdgcf32.exe	98
PID 2752 wrote to memory of 2372	2752	Ncdgcf32.exe	98
PID 2752 wrote to memory of 2372	2752	Ncdgcf32.exe	98
PID 2372 wrote to memory of 5064	2372	Nebdoa32.exe	100
PID 2372 wrote to memory of 5064	2372	Nebdoa32.exe	100
PID 2372 wrote to memory of 5064	2372	Nebdoa32.exe	100
PID 5064 wrote to memory of 868	5064	Nphhmj32.exe	102
PID 5064 wrote to memory of 868	5064	Nphhmj32.exe	102
PID 5064 wrote to memory of 868	5064	Nphhmj32.exe	102
PID 868 wrote to memory of 1188	868	Neeqea32.exe	103
PID 868 wrote to memory of 1188	868	Neeqea32.exe	103
PID 868 wrote to memory of 1188	868	Neeqea32.exe	103
PID 1188 wrote to memory of 3796	1188	Npjebj32.exe	104
PID 1188 wrote to memory of 3796	1188	Npjebj32.exe	104
PID 1188 wrote to memory of 3796	1188	Npjebj32.exe	104
PID 3796 wrote to memory of 4776	3796	Ncianepl.exe	105
PID 3796 wrote to memory of 4776	3796	Ncianepl.exe	105
PID 3796 wrote to memory of 4776	3796	Ncianepl.exe	105
PID 4776 wrote to memory of 2632	4776	Nfgmjqop.exe	106
PID 4776 wrote to memory of 2632	4776	Nfgmjqop.exe	106
PID 4776 wrote to memory of 2632	4776	Nfgmjqop.exe	106
PID 2632 wrote to memory of 2620	2632	Nlaegk32.exe	107

C:\Users\Admin\AppData\Local\Temp\b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe
"C:\Users\Admin\AppData\Local\Temp\b24e675a32a08c7e22cd5666392a4d2f11a05ae94d2a1db5a762a5ab1d2941aa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\Miemjaci.exe
  C:\Windows\system32\Miemjaci.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\Mpoefk32.exe
    C:\Windows\system32\Mpoefk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\Mcmabg32.exe
      C:\Windows\system32\Mcmabg32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        34⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        36⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        38⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        40⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        55⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        59⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        79⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        84⤵
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        89⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        96⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        98⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        108⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        110⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        116⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 228
        118⤵
        Program crash
        
        PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5416 -ip 5416
1⤵
PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
55KB

MD5
dcf2f683621ba933dfacc9fab07f30ac

SHA1
63035696d14820e4f7370e38ce78aa3abd8786b7

SHA256
e154b58676bf28663c664211c206e565ec97d2140d49c5ed9339561df6f607bc

SHA512
641cb9a41d890316b2e8ac950b8f3e0f93cc9ee360e0210c278c68624ffecd909ad7ff7babdf6d440fb04cba78f770128049a7ecdfba75fc7612b84e12a9d1b5

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
55KB

MD5
9a382971d4d9eba512a224bc2ac0b4a7

SHA1
6a2dadb67136f502fc6d6c2e45196e5fddddd14a

SHA256
df9b743f4ef406fed4a342813dde26c9386a76e580bc3b8235dc5827dfef2e98

SHA512
5911d90c415a4a9c62425114c44e5fb32733b23f172ff5f52a18ae8357fa1bb66d2bd275476e6fb44515260b6b48996f790309c4028c7e732ac6c98e8c5313b2

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
55KB

MD5
7c1f65333d1af8ed83236c4ffffb70b4

SHA1
b8cb8c6c6a943caf898793f4697e47d63375f6a4

SHA256
0dc409729e0caf0be8277697563827e25c830b1c23f78481c08e2501a5b67a37

SHA512
221bff64167c84fae982c96f3fd5b901e492a7303fe0d674c28e4c3f9401349ae05b6d72c1afb4b9280945c5814f7d78790cf7fc8238890a597ebdbb8959a4a7

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
55KB

MD5
ecf6e58154c8a6c274266a69edf883b9

SHA1
72d3fc66e100a9f928242d3d07508e4a14c85b86

SHA256
14a43f4f732892e435e3ca2060a5a3af1d0c04d8a442a73b4c3b340fd6b3f3e9

SHA512
b3bbf8c2682ebdc53390e2eb22f6416bab7cfb655613a7c79260efd639ff2092d3975b57c6ee77765675e892fb9db870614c4043c0309ddef1006b23db0f612c

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
55KB

MD5
a34e670251e439c98743f19126e3c962

SHA1
fdeea179a8f4f3eb1f77246e2d40a719bc06e7e5

SHA256
13e83c90324ab92bcc605b6925efc95571da19728b47a426f0d6ffbb3c559b0a

SHA512
1c7728a8eb0dfa757c1386572a7822fa95bce09c64900b6f21f0e5b24745fdc962e271b82e5877be65489e7227e3a4db91fab8899d7fb54fc49187aa593bb9f7

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
55KB

MD5
635585a348895b3b1ba1c807a796395b

SHA1
4a4b40c028f4a1d45cc07c40d0767060b24b0b18

SHA256
5d277238edd9dedaa9898a813ca75cbcb48decba2982587bb83d82e24f3c11b5

SHA512
e50568a44549fc6bf06ba224af431a80c7b4cb39e3774e3d74fcc73ddd0a587c60c5996b04b72f89fa1e8061a9a7c4516bade86f44896eb7ac0468476c552448

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
55KB

MD5
0fb6031253cdafdc0b90a58814b9ce63

SHA1
1e2e985db877f744f60c1ccf14d026227eb81cdd

SHA256
1f7d99d17ec129090748cf09069aeca11445165a262f1db3505357cf4543e21b

SHA512
68ef7df7c43596c345969790fa93fd2e6278100423097064b26ac00ece33e304151e1ba8790816bcaf95c9967cd2a632c0a20c59e712afc393ec75901614068b

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
55KB

MD5
c0042870e20ec4eaefc7aa0ed8c5e40b

SHA1
8da57a5af0308bc90185b2773ce42032aa43914b

SHA256
e6bc207c73713ffe4313d76d6ef861b243459518838089cf29c793e6189fe7bc

SHA512
1798553d4e54ea1f6fc99c0af275dbc2858bd0810a3c376712d9cd6664cb75425d2ea0cc7d359f05e262469944bebb00376a3849b043e73b5c53ae8fd40d71a9

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
55KB

MD5
8a31beb97b120dcf955ff1353b26c6f6

SHA1
d364b7eb6dae89451f1c8c4c798a884f49f8727e

SHA256
03d64fde66500217b40feca74b3838f09399c72ae68a965564b88b3f81d62999

SHA512
7e5ee2d3dcd2e0716586532df02962f6970bc9a43dedd7da07e9f79ead8a65c4ff9b91edf06143048e511d0671ce080207c2dec5ebef15e2449b4a7988049aea

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
55KB

MD5
05fef7c63b0e0e9903f59422894c778e

SHA1
5344734df37b82ed14eff8928d8b524f67896eff

SHA256
c1776b60c2dd5e008527a2b0f78827ef827f1a847b8ec260ae8a2effca931bc1

SHA512
4e1718a2701fe75f6ea97130d8683b4e3d1d7c36a4629fec07aaab160595b03efa5091daa3310d4d3efcd4f76d1241171a8ae9363d22180f39e22da4cddcfaa7

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
55KB

MD5
81f42550662b51e520e5de8debdbab77

SHA1
55a9c657b2d0c4b1f2c42cf79a0b0045d10739e3

SHA256
89d4eae87a67b0244a4b845ae5598a4e221d2c73075e92848faa79552486f387

SHA512
9d35f067df3f57a9473d3dfbaf63f78d6bc5503c66aaa400f129428a5323507c543d27e0d1108de67a4f5af6877b115c1144e296032ce8fab099a31e12bf824c

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
55KB

MD5
dd3a18500107c08eabe81d7aca465f88

SHA1
1f08bd9b739ea09915893a71600d20ee5590b1a7

SHA256
589c0de0889f17b9c5c8a26be6613408e1bd7f12be61ede269980944df1c3342

SHA512
4e0b0d52aa4626ea272667b73155ac4f05385fbf84e2efec9cf6e6ecaf4250656a85b2d870ff05d152ef00e18a529785953f619e87b78c247e64e10d25f85b7e

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
55KB

MD5
959c165796e0472aa513fcba464de95f

SHA1
42dc277701b86e3543ba8a2155289ff94210a2d8

SHA256
38f3bb6f11781cadeaf5bcde14702ae770dca660247ef53376c5f4050615a1d2

SHA512
658633b8889366918d8a90b7ecc28fe0b372c731a3ce2b08bc5c702dd4fb15a401a4a077edf3d108f0136f1465f62e32859875619ddd07ff98b60ba660232ffa

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
55KB

MD5
ce6ae8e74cfb230f68a3b9b48d422aef

SHA1
af21e759395231342d927022721ac3bc639047c8

SHA256
f03d6c9a711e8d2d4b0dff0a16fc49502585d4b493c2ecb5e1d96e77f7db1471

SHA512
1a98bd2496583818556084b4f55dffd27fb23bc9ff9e58765913a9c74f193330c0b582b49449962cbf47ad5e147147b0877ea74e175d0cda50042e589012515c

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
55KB

MD5
be649ef5f68d974a91b13f1ad5bd6803

SHA1
65616c1fd2ba329c24368f5523a80f515ebec0d6

SHA256
e9c08c8ff661f04d07c6f9f930b5a7386f62cc19d946d5be8e5ab7e55fdbda06

SHA512
9fab4e7c982e5ab6368119189a07df2a90fbc9679664e021bd592a0a6b687c57fe85b662eeb978088f0154c8f204f292b1d3df8eb7da76f72ec31dde42b7d8c2

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
55KB

MD5
03fbb107a4b1b4944c1cc64042b22fa0

SHA1
3ce9dc16143e2343a1b6bd385b41204f5c22496e

SHA256
b872cb31bf67b91a045370dbc10adf9511bfd690feaa3d32c1a4dab535f923b7

SHA512
9ad71891c908aa0ee07911c12d8595202d00d336a316ec246269645ce5ea8dd013c5a839ebfc475523293c98c0814993d67f7986c5254ab0da079a2a7f1296a7

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
55KB

MD5
79e9766e51b1ea713871ab35fd0ff260

SHA1
ddd60f85ec01d50ab13a38b054b794136e4a1dc9

SHA256
8d420697abac7601a7c244a6036fecb3d4b99723ed7a52a607ca9ea322da4c41

SHA512
08e6e99976a2ccf4e3c4dc2d93d0dd175641846edfccccfead5879b7a1c316e46cf40bd3ee8e2f3b921343f248e5d4c6f9f7868870bf094422878b5df660dc1e

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
55KB

MD5
4b16e6b6defabf7c0ad232ed091b2765

SHA1
1804aaa3c2d67152b57709f8e034896fd4ae3ccb

SHA256
1ebbddc06ebb93bde6624daff5f6f7ed7251e49b30dc09d03e8e2f0255fe74aa

SHA512
8c24a56eae28b85936d48b57c4c25474aa9536413146c781500597b9d3bc943455c5e8c79a7e6da19a8539f4270041e690d33928b41a3c6657c0da5a35885f17

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
55KB

MD5
17b72f377539bc1f31dc159da0baa78b

SHA1
4dd2fb1f08487c40e30dab8b34dd00b111075be9

SHA256
001954e1649642a9f5888e908e0a857dff08f52262735af9eae268d243810d59

SHA512
d8d5c83ba933fbec8536df2979bb1c9df87d778ffbe1856d5f04ea8bfb2d9372aa7f6592956970ef05ce5015574fc4de932e955b80dc5d9ae53fc5719801a2d0

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
55KB

MD5
93462aa35c2c398c5cc16923ecef1cda

SHA1
ecc6952054f0e4da24a733e4eacb187e22cd004c

SHA256
bf20f38aebdb7a413bb73e54a896b2c2a3123c0eb7ccab7276e5a56a15408ac2

SHA512
55ec755e6be4931d7ff986cbd4334b59022045450bd96ca330e1404005a7ffa070d4b6012e08ce03834fd88fd134bc75901e747dde068185cbfb517f01d3cf02

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
55KB

MD5
e0f3bac5518dbabbb0832f638d48a166

SHA1
9ea12dcdad54204d5d5a132eb0493a568b82eb52

SHA256
0500839b6b8ee98103bfad72a99ed0f02ccde2ea73dfb5e3c10a79336898b7f8

SHA512
6859c9b6a1a9fdfbba9d752cb861741ba611d26244eaab4d23112032ee9186ee19aed49f9ccf531cb6656ce4b1f08e9a28fa6ae1afa0c10d4e07bd6855ff11a7

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
55KB

MD5
317784a9169f0ac67bfc7c21c6a517a3

SHA1
ff7195933a0188083161e36f19d87f1792d90c75

SHA256
0a16edc7c0fb445a84fdfe778d5f3abc1a2beda98100dc72427b922b0be21165

SHA512
928a0d87c9a63f9fb25dfcb7f41e2bfcb132d2915ec5a4cdb51f1da9ab754fb4f5882b3662629c84f6e6daf405ce680e465a8c570f3c6e039b1fdacc2d5d8bb2

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
55KB

MD5
3d4c033f79301cc18ac17335877838da

SHA1
caaaa87da169baf7044b973d889efb720a65d6ce

SHA256
ef880a1076eec09af91679393bdb9ce79124fadb7dcf00753784e7076320f9ab

SHA512
4854ea4ca90e549c9bcd3dfbd9492def25d19cf1474e064749a08a57fdab45774dc309cc6351ce18a173957508f5ce0397c3c2517045aa95ae1c0aef2008a417

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
55KB

MD5
559ed47ae26778fd72fae4d1fbcccbaf

SHA1
94f6a55cccd69db7b8df8e16b6f29b8cd772b501

SHA256
5fa9e5e67b427d7f39971345d281e66931c95db550798d01006cb8dd7b4388c5

SHA512
cf06025780a0e0d0911c00ec3529503279d81aabc4c7d50dc19f1dd64384db9bbcb60b399b97645ab36bed339893608b99c2829a3b927d8460b4f9d08a623bf6

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
55KB

MD5
43c8b8163d70574cb2d2d21035f0fed5

SHA1
08992d954914f02ba28e9c4339769e97dc11344a

SHA256
0137ed18d09a2bfbb17f77e4cda2aa6d279798dd03f3b7b2a8b8985c5ff5aad6

SHA512
ca39bab4493e9687e02a80d0d9f1e3784bb27e59c2d41ae38038f4eb5295a3bca796475bf3a9e02e01470c9808e2ce7c7d95bbc0ef252ab1747ab07a9eac3e4e

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
55KB

MD5
dfa0f4ce1f006d0805d0cad659f473c4

SHA1
c261515d7b5a292464985fee28115791be3d5a2e

SHA256
e1b7956d548f631094c14a7bd792cf882cfa8d5073f1d668884d6150780655b2

SHA512
2876ff4e47563138dbf35477fddc301e9c11ee22a894c58b80c8d96ecf80f84b535db4f465be6b298feb70086619c7e3fa2b1c79e23cce134d99cfdec2a2483d

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
55KB

MD5
66d22b1778483516a491a19987d1dd8f

SHA1
5e5c94c3b1664758130665257a756d363fb5dcb9

SHA256
0d7bbed285e010780ea1778e490e6d54b95bc341549506926520ed3d47cd3a2c

SHA512
75b9d4bb01443c537cff6078d5606ccde0307ebd7a68e126afa066cfa86b3b9ce3c29f98ce416b4e92220ee7064a3d2260d9fcaa785c67c97c47dda437dffdd1

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
55KB

MD5
4d6c4a8fa3c691500f40cbb859daa78a

SHA1
444ad6241e2c7fa98a47a0e9a0bb5ec8725834f1

SHA256
3a56deb772507b2b51f4a0f5d731672d76ef9d9456a784ebab1c7b4c507be8ce

SHA512
cb281d8e78eaa372ac0cb865dbfde313bd9d8cf01cc6def40ae248126cbf94c8095a606d73d23e714d3d8d060d85a330b984e45e5fc937d0a748767257ee5d6a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
55KB

MD5
f3c08c9dc79852c80a75df3ecbf53568

SHA1
859d1ce92bc38baf0ace86fd8989435877892c24

SHA256
4e3da55b2e7bb65f6a330a8399d9adb993cccab169bebecd629997a0980aec3f

SHA512
06b39a690d8e7aaef13a2425f12d7a83e30581e7be5c1f80d2a8f6532c3a89bc830f6436622480cd1bc370139474de04f21c034c52a6dc0d06bf5fb0c18cdc32

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
55KB

MD5
66da0928674787cb2f172fe05d350be8

SHA1
88bd00fb75ecb5eb482a4550a55797d1903b5427

SHA256
701d49f682004b44c988c91824eeb173a544eb6a11e9192927a160f5384653b2

SHA512
dd861814bd84021f3a5cb9de9b2d60c19b407a70fd973ed22e841ff5e01693a360cc46a8b0c0e3b7bf41b8f651944ea3668b73579cefbb7e63a02c06e18a9ccf

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
55KB

MD5
05bcfe65476d8d0210c530e82dcb8986

SHA1
0a3c25a0f0cfab7c5b0eac826f0f49a1d72e9fa3

SHA256
7c6790bb7c5bdf18266f9850cdd10ac8a2b3ee9d5f8c5a2f5a8ead8d7955193c

SHA512
d621625e617266acf968e965e5975df75c673d5247555348ba461dcdd74180ea60c7f5d51bad10db0fadc12cdc81f55eedb10c6bbb0360e4828554bae99a0ba7

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
55KB

MD5
18fab57050a7c3c620268151387acb0d

SHA1
c805f08d28ff7f90493bef5321e724e65a62df50

SHA256
9a96c9a6d231e029930483a50fb182915dff247640345a274b58198d792e647f

SHA512
d971a2652f88b86b6881c42da4762e64866a9bd8460285b666e1a82733d9632be307f06fba75f8c348f3ed90c5db4815b527d7c62660ebd7c28fb75cd1fcf2c9

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
55KB

MD5
1cd192f1ce71a86571a3955b52269de4

SHA1
7a56584663759ecd1b7eb4d6b3164111d72b0e4d

SHA256
492611f635e4101ea82c3cf80c143c214fb7919687fa8ce9eda19d4a538c44c4

SHA512
cc148ec5ae3d974a99fad18453bccc9df35ca5baa4f081d21abbfb18db058e1891517af11256c93290197c343168dd28269549eb8646564bfe2e2684421e8ffe

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
55KB

MD5
aaf020d4cf0a8fab0b759bff3e143d48

SHA1
d60d132b89a40cbaf033254260c2eedfbcb627b3

SHA256
7f846fdb4c7d049bf6a84525de3325f010295bd91530f5ac89edddacc6e30642

SHA512
0417a5b607e4e0918f01924dc36e62d7582504dcdbf98ce4b71ef43a26b613aeaab2ba01591bbde97036aa568e006004df58ef8591d483c35c65aac9df5db651

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
55KB

MD5
a5c5497e168e37240e7b0ccf084efd04

SHA1
fffc3a9eca08e6e5b4a9dc20fe03b5a0aa4dbdc4

SHA256
e5ecf0456d40e1ab2e8d79fe177427b55a8df5241100a0f704a570c14f3f863b

SHA512
91694e286f7fb77be67bb06b93ef2c7af9663910b42a760cd96cd8fe3d905b167085615f1c1cda478c5cc5db2c4876abc2ce1b8438bc29bf88504e5f3b779d24

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
55KB

MD5
a83ab579ef2c2f0f49372fa7c7519f58

SHA1
fbc67e7f81a2c4a65d419404381a1edeeb0e5bf1

SHA256
4404808db951b0a2e6810b887e27cfdcd2e3e4420ecc3fa064099a551ae627da

SHA512
57c3cd17602f894d65be921ab08dd0f816ad7bada0c889d4fe648b0853f0bf3830bae926f94e412da63c0e3375b9d130a135568e5daec1dc3362fb571c3ef3c7

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
55KB

MD5
b474c0d86cb579bad481e5788787a8ff

SHA1
9f03ef7859624dee1fd27bb9290b6dd10b4f61d3

SHA256
05103b3230b785e3930b02a1753a9c0438775b381335e08b2b10e7be49e5b7d3

SHA512
2c2f82fb8a06aae729caf525d55def03e4b1cf6e5ff9260c61726305871708887ba3be11cf63e1e36b976b0592b04e002c77d78ca102d3be2a0c2bd1a8d4698e

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
55KB

MD5
1d09b69a5639ec34019db968e61b1f09

SHA1
c84efe1c30c06f4d7bb10414af7bf169ae52e5a1

SHA256
bccdc62f45524d531aa533221ea0c133155f916fcb4eebc2a90616134c0e8144

SHA512
4f0323ddde72f26079f8565e0dcbf5ef12ca49f551ef16c236e3b9b9eb51760510a62911375f5fa515c99786a7193f37b051a76b40c6dc069ffa78e290d8f77d

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
55KB

MD5
62f80d38662ddf11a215a2ea271f8be7

SHA1
50929d6554d01c15d162d83bbdad4c40c5a41cef

SHA256
13fd6c43e1f4dcedcc85871bb7ac035d4bb85ac29f3025ec17cd44cf9a06c4e1

SHA512
6714a57a031deadc2c8019b43b8fa0b81d4600d47de47c5ee80c255c597825b3f67017d3037eb3a7db5ca21b59b17ebf336971ff9035185bbe75497c31765641

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
55KB

MD5
fa641c15e0e883ab0f78e6902b3057c4

SHA1
27cfb87b5c35b0b1bd4ef248e6ddbf9677c203df

SHA256
d30da664b1bf8553ba0976c2ed9ca529a6ab5f94b1979555d0dd536dffab12ef

SHA512
6d3a8ad75830ac23181be6995c1be7ec59cb287a4e2fe824132bd43e41504f01e3d152f58f2b4d20f2f9889411c533042f370bc9c1284519cf2bad5cc76f2cae

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
55KB

MD5
7cafd3498cb698f2fac3043242730264

SHA1
327cf7ee93bb633fc708dec3fd83beea77bafa1a

SHA256
4051a850cf65a71aeeeb4919f39d269f451526fde9e57f04973cf3afd3afde2f

SHA512
834d5657e3aed9b557bbd02ca1c4525ade89c1987eae6a7d069d2b72b659225fedc22f90b5a6fcd0fea9dfa3ff179543784f4d60d146a6331a89710b33e8473f

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
55KB

MD5
ff0888a255539759ae814d616a107328

SHA1
b15173173d116a7213674e1dafd55949e3e13c9e

SHA256
f23a08624187f095002d0cee85792045a99511a8257ecf6fed0aa04e67218170

SHA512
989b3350832523c224ab4a8074d08b84a891c47bb3de6f1ca6188ae536f9ac0f784e98abcbad072828f7ab21e58c11dc55cdaf4ac8f44c75756085de8e486e61

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
55KB

MD5
2f17d20145dcf3fd47831fafee720dbc

SHA1
6b951e91d8f6361c8dcefc9589148f77ebdc972e

SHA256
5598bcc6273061a1e2da79afcfe95f85a18c0c55400f3912f798e38bc64d5ce4

SHA512
07ff0652fbe4e877f016079f9fcd350abc3d459483a953165cb03506b403b333e27b950033d24fe93f9cc592b0b2dd471fd7f783b7ebfcc552c389ab4cf19a58

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
55KB

MD5
e7d100b83c2deadf68b2f1fdac922561

SHA1
46c8cc9f02ead629ece06dca3d91f89a9cff0289

SHA256
d5cb4e8adb2f15e8d7fbc21c0f3a2b89e048a92886164b2a2df8771910c08c0a

SHA512
ede84c2b542586d79bedb24053a7fe2ed89cc8897fd6caa6548b03da21fde7806bb16166e37ac286d040cdd92617db5e64b76926f86cb07c8259e67238509a1f

Download Submit
memory/208-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-857-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4696-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-841-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-840-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-839-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-836-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-835-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-815-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5976-810-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads