a533c1c3a21ad5411d8b1098cde935e42ddd4af08de4573e637ba7c6d285e552

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c4f9d165a512408641b4ec80e4ff820N.exe
Size

59KB
MD5

6c4f9d165a512408641b4ec80e4ff820
SHA1

60594f2b7ce89609ce0b72cc39cddbcd26b89c03
SHA256

a533c1c3a21ad5411d8b1098cde935e42ddd4af08de4573e637ba7c6d285e552
SHA512

b73d644a7c80d29aded112f49d77c25a9319bfad48d0dc0a7ebfafecbf7fe6d56d9db22c7ac565629738efe17deb45516e0621fe4d916558667c37748e66373d
SSDEEP

768:XXhUoVX0YS15AwvWGc/VsOR560ifyMgCVhmdNkCS2p/1H57XdnhfXaXdnh:HqjYSBvWGcpb60QyMnmdNk/2LvO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe

Executes dropped EXE 64 IoCs

pid	Process
3712	Mgkjhe32.exe
3240	Menjdbgj.exe
1764	Mnebeogl.exe
2772	Mlhbal32.exe
3412	Nepgjaeg.exe
1432	Nngokoej.exe
1364	Ndaggimg.exe
3496	Ngpccdlj.exe
816	Njnpppkn.exe
2012	Nlmllkja.exe
3416	Ndcdmikd.exe
2664	Neeqea32.exe
1996	Njqmepik.exe
3172	Npjebj32.exe
920	Ndfqbhia.exe
4456	Ngdmod32.exe
1748	Njciko32.exe
3328	Npmagine.exe
1868	Nckndeni.exe
2344	Nfjjppmm.exe
2812	Nnqbanmo.exe
4892	Olcbmj32.exe
1036	Ocnjidkf.exe
1268	Oflgep32.exe
3264	Oncofm32.exe
2300	Opakbi32.exe
848	Ocpgod32.exe
4112	Ofnckp32.exe
4748	Oneklm32.exe
4340	Olhlhjpd.exe
924	Odocigqg.exe
4788	Ognpebpj.exe
952	Ojllan32.exe
4956	Olkhmi32.exe
5024	Ocdqjceo.exe
4032	Ogpmjb32.exe
4696	Ojoign32.exe
224	Olmeci32.exe
1652	Oddmdf32.exe
4116	Ocgmpccl.exe
2384	Ofeilobp.exe
2032	Ojaelm32.exe
1948	Pmoahijl.exe
1620	Pcijeb32.exe
320	Pfhfan32.exe
4260	Pnonbk32.exe
1872	Pqmjog32.exe
4280	Pclgkb32.exe
1964	Pggbkagp.exe
2824	Pnakhkol.exe
3736	Pqpgdfnp.exe
3564	Pdkcde32.exe
3004	Pflplnlg.exe
4020	Pncgmkmj.exe
1000	Pqbdjfln.exe
4404	Pcppfaka.exe
2912	Pfolbmje.exe
1860	Pnfdcjkg.exe
1348	Pqdqof32.exe
184	Pgnilpah.exe
1604	Pjmehkqk.exe
748	Qmkadgpo.exe
1852	Qdbiedpa.exe
5052	Qgqeappe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6092	5936	WerFault.exe	214

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3712	4036	6c4f9d165a512408641b4ec80e4ff820N.exe	83
PID 4036 wrote to memory of 3712	4036	6c4f9d165a512408641b4ec80e4ff820N.exe	83
PID 4036 wrote to memory of 3712	4036	6c4f9d165a512408641b4ec80e4ff820N.exe	83
PID 3712 wrote to memory of 3240	3712	Mgkjhe32.exe	84
PID 3712 wrote to memory of 3240	3712	Mgkjhe32.exe	84
PID 3712 wrote to memory of 3240	3712	Mgkjhe32.exe	84
PID 3240 wrote to memory of 1764	3240	Menjdbgj.exe	85
PID 3240 wrote to memory of 1764	3240	Menjdbgj.exe	85
PID 3240 wrote to memory of 1764	3240	Menjdbgj.exe	85
PID 1764 wrote to memory of 2772	1764	Mnebeogl.exe	87
PID 1764 wrote to memory of 2772	1764	Mnebeogl.exe	87
PID 1764 wrote to memory of 2772	1764	Mnebeogl.exe	87
PID 2772 wrote to memory of 3412	2772	Mlhbal32.exe	88
PID 2772 wrote to memory of 3412	2772	Mlhbal32.exe	88
PID 2772 wrote to memory of 3412	2772	Mlhbal32.exe	88
PID 3412 wrote to memory of 1432	3412	Nepgjaeg.exe	90
PID 3412 wrote to memory of 1432	3412	Nepgjaeg.exe	90
PID 3412 wrote to memory of 1432	3412	Nepgjaeg.exe	90
PID 1432 wrote to memory of 1364	1432	Nngokoej.exe	91
PID 1432 wrote to memory of 1364	1432	Nngokoej.exe	91
PID 1432 wrote to memory of 1364	1432	Nngokoej.exe	91
PID 1364 wrote to memory of 3496	1364	Ndaggimg.exe	92
PID 1364 wrote to memory of 3496	1364	Ndaggimg.exe	92
PID 1364 wrote to memory of 3496	1364	Ndaggimg.exe	92
PID 3496 wrote to memory of 816	3496	Ngpccdlj.exe	93
PID 3496 wrote to memory of 816	3496	Ngpccdlj.exe	93
PID 3496 wrote to memory of 816	3496	Ngpccdlj.exe	93
PID 816 wrote to memory of 2012	816	Njnpppkn.exe	94
PID 816 wrote to memory of 2012	816	Njnpppkn.exe	94
PID 816 wrote to memory of 2012	816	Njnpppkn.exe	94
PID 2012 wrote to memory of 3416	2012	Nlmllkja.exe	95
PID 2012 wrote to memory of 3416	2012	Nlmllkja.exe	95
PID 2012 wrote to memory of 3416	2012	Nlmllkja.exe	95
PID 3416 wrote to memory of 2664	3416	Ndcdmikd.exe	96
PID 3416 wrote to memory of 2664	3416	Ndcdmikd.exe	96
PID 3416 wrote to memory of 2664	3416	Ndcdmikd.exe	96
PID 2664 wrote to memory of 1996	2664	Neeqea32.exe	98
PID 2664 wrote to memory of 1996	2664	Neeqea32.exe	98
PID 2664 wrote to memory of 1996	2664	Neeqea32.exe	98
PID 1996 wrote to memory of 3172	1996	Njqmepik.exe	99
PID 1996 wrote to memory of 3172	1996	Njqmepik.exe	99
PID 1996 wrote to memory of 3172	1996	Njqmepik.exe	99
PID 3172 wrote to memory of 920	3172	Npjebj32.exe	100
PID 3172 wrote to memory of 920	3172	Npjebj32.exe	100
PID 3172 wrote to memory of 920	3172	Npjebj32.exe	100
PID 920 wrote to memory of 4456	920	Ndfqbhia.exe	101
PID 920 wrote to memory of 4456	920	Ndfqbhia.exe	101
PID 920 wrote to memory of 4456	920	Ndfqbhia.exe	101
PID 4456 wrote to memory of 1748	4456	Ngdmod32.exe	102
PID 4456 wrote to memory of 1748	4456	Ngdmod32.exe	102
PID 4456 wrote to memory of 1748	4456	Ngdmod32.exe	102
PID 1748 wrote to memory of 3328	1748	Njciko32.exe	103
PID 1748 wrote to memory of 3328	1748	Njciko32.exe	103
PID 1748 wrote to memory of 3328	1748	Njciko32.exe	103
PID 3328 wrote to memory of 1868	3328	Npmagine.exe	104
PID 3328 wrote to memory of 1868	3328	Npmagine.exe	104
PID 3328 wrote to memory of 1868	3328	Npmagine.exe	104
PID 1868 wrote to memory of 2344	1868	Nckndeni.exe	105
PID 1868 wrote to memory of 2344	1868	Nckndeni.exe	105
PID 1868 wrote to memory of 2344	1868	Nckndeni.exe	105
PID 2344 wrote to memory of 2812	2344	Nfjjppmm.exe	106
PID 2344 wrote to memory of 2812	2344	Nfjjppmm.exe	106
PID 2344 wrote to memory of 2812	2344	Nfjjppmm.exe	106
PID 2812 wrote to memory of 4892	2812	Nnqbanmo.exe	107

C:\Users\Admin\AppData\Local\Temp\6c4f9d165a512408641b4ec80e4ff820N.exe
"C:\Users\Admin\AppData\Local\Temp\6c4f9d165a512408641b4ec80e4ff820N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\Mgkjhe32.exe
  C:\Windows\system32\Mgkjhe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\Menjdbgj.exe
    C:\Windows\system32\Menjdbgj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\SysWOW64\Mnebeogl.exe
      C:\Windows\system32\Mnebeogl.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        27⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        31⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        49⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        51⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        68⤵
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        74⤵
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        76⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        78⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3928
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        82⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        85⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        90⤵
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        98⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        100⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        102⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        108⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        113⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2736
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        120⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        127⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        128⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 404
        129⤵
        Program crash
        
        PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5936 -ip 5936
1⤵
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amgapeea.exe

Filesize
59KB

MD5
15ce33e6b401b70fce221ff52db74646

SHA1
11bb7a19ab67b0329010188f1206665519a1ee2e

SHA256
d63d95a739b18462effc84d28bc3eb12c026b1ed7ba2d2c88cfce4317c6314f7

SHA512
09f2ccecfe474cff9eeda53723d1bf5bf7d98a49a66651db53e4d927754259f44899e5184373efb6b702bb3f3c3cae26111613d7a8373712a50449ee973f2558

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
59KB

MD5
9a407d94a2f9f2a6e51402cf1ac8d0e7

SHA1
98fb078be6890bc6699aaf47bb9bc06919172504

SHA256
2934ada889a2b00bed0c8cc1a4bcca9c9c8acfde9a775abedaf1f0d2039679b5

SHA512
d8d8c10fd039581fb1ead76f8af24debe88203cdfcd4d9938f9d15cf0ffb183c067b7350b1ad4d337aeb6a616cdd166b82ddf0f9b8dce71f6e22ab8cc9157206

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
59KB

MD5
dcc251f3a3b0addb9e2d21b4e4710eba

SHA1
82db7f0d1ebc326485f7b5c171d63ca39bbbe92f

SHA256
cf366e9ff8254d3d8a62373b9d587b06efc49c350769f407d26047818537ba31

SHA512
14433c9b90febaa477640fc74187f6ba57e1b3249ea1162267539c6067024a6ae25aabe939fb8cf20ed7bdc87f519ee16c0383e3c6493eb94b2bb52019aa76a5

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
59KB

MD5
c7273f45efd444457d84c1a87f820883

SHA1
a1cf4188e068169bd6a1d7123aa41d43a4ef7c22

SHA256
0a4d5202b6d49b26724539eb02e0cdc0c3012e8f2b0ab9cb04721bfb1cd22e83

SHA512
856951c3cc90e8176a1aaff15766632504c71bfb093198c3f4e7b118ea812504aa53fc3c07fd4989f82911051f0437499c0010c60b9fa997eb75f827e08c5301

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
59KB

MD5
abe254f5bb7fcaf8e4dc9b8a6e6f7c6b

SHA1
332538d415773f64442736220d0749123c4b4baf

SHA256
a467bd7abeea0963f39337c12b7069af6650128b3dea3a3c79aaaebee87ce360

SHA512
70a6be160abfb11dec2f43fe3049dbc3dcb8f1f7eb34850b3b6b7b457e491326b3bbf38ccbcbf56a11db95aff4a8bd4706b1e29914d516cf30cd71ac04c4f218

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
59KB

MD5
72d8c7d8bbaeaa7b9320c3b132babfff

SHA1
198ddd3d347cabb3cc5cf906289638afd85a04a0

SHA256
486296abc94f5f60cfa3c2b7f99050eab570311cc5d26eae34dc6b9ba3663df6

SHA512
ebe44c3ef65f7a040c4ec454211529fef39b25c379dca87990938c1593580787388399ad04e9102f7cbebed001fdc5d97176f4dfe2942e7431548498cf3a3e81

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
59KB

MD5
dcf961c91b7a0bc8645cd7882f3d2018

SHA1
7954ae818dc67fdc7002b7349f88ab613711f47a

SHA256
5c78895c9e079613ba2287f7c1e5a88eff1c98d4067f9e06d2f4a13ec64d77f7

SHA512
dccb8b0540df36bbe030203c85777f50e34d25e4cd926601a066c68f440ebd6c6c15b07b5ed0c58b4b84cd114c9298b4e25ef05a716dd5afe2091f1250fc330d

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
59KB

MD5
8d4b4c0d39f8529e0abb368bc0232f1c

SHA1
c90bdb0a84b132d945900c7892896bc0ecb5c5e9

SHA256
3ea456e8c678dc4b580148f73399a13190e3bd23536fcb999c5f40d6aa69ecd4

SHA512
ea1c1b24169970bcf6d797e92e6736075fc578c3f1d320106d4930950666e64d4bdf3165a5c23bddd558300900af39cbe333732a49aaf499fd65bee45c660d06

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
59KB

MD5
d516e93ef144bd0e1dbd3ad644a34057

SHA1
fb281bb8a25c2891b35e7a97e409611db4631014

SHA256
18f1e61ba5d49930e9d26388f400c5b8df96d7de35f721ac0d586fd0bc2deaa5

SHA512
2b30cb8f9bb6c5cdbb3bfbbc64a6f57ddb88cadb0668a43f3a33f3bf6d2cad84bc3608ab3a60890558b3953080cc27d54478341f92b54d2fa3929cf0138ff24f

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
59KB

MD5
a871584fe7e93360e0a8d937817bae69

SHA1
cb7c6355b997adf0cfee8e8a44d8d821d4e41f9b

SHA256
360711b8cf0f8f4325c07907106449c0359e19454ba376316dd42d2372c16ea7

SHA512
84318879afb9a2fc8dea947ae3b5c578cb525125812ee8e4c8e65a381458794297a4e4666df46cf18d1a296e6251ce3f0d5273ae43a7eb343fcdb04b8f465d8e

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
59KB

MD5
a406c81ce9d6757897e18616c9ef4bdb

SHA1
8f8c54d656bf3fd428ce6272bd7b93a5a179db75

SHA256
f3c9426bbd8bb9db1564bd07c91fc6b66639246f2e342d6f8d922cdc529dca19

SHA512
8f656c3b5384626d44a2b736f8dd7c372c72b7ed5a6ef04ad2d50fe45741baf913e57e9f34d0b1872e819f69d9589ce04b1db6b4d2b8269abcc99df62ab2623d

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
59KB

MD5
4659a33d07ac433d1a02fcf856e95688

SHA1
0ce0c589dcf21fcec69007b3bca31881287b11da

SHA256
4703eaa101bbab1e85d6a993d41cc5d5dfe2d2b4284ac606a347d20cfddb4fa8

SHA512
a2f7d1d1a8e627b76630d4b4d71a5cf8d5de553f087945fee4f0bb323d3747cce262abc80d3a31cb30329bf0c19818f842559663e16802aacc20da83d1767d90

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
59KB

MD5
c8dd2efdcb72e7c341df4187a2f48556

SHA1
6f139ead4d8d1e1aca1d8484e8ef8bcff40a531a

SHA256
7568d6c6a5da2451a7a7b2bda53076a1a3265db98e01b161aded29dd6fe61fd4

SHA512
713ad8ed653d504d79fac9c6970183f1b393d672a42368198c4370290d60fd725ec82298c673d8153d3f2b1767e4e6f3576f03a691b1554c6920092f1131de21

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
59KB

MD5
01eb7d3da1f61412b83bd7dcf3862eb2

SHA1
0228940c559a6dfab2f9b29655822260bcc54a9b

SHA256
e58296178bba238990ef618fa6d53e49dfeca4dd045b5568827945b2b05e1aa3

SHA512
fd8e0cfcc11766245ddf11fd9d66584909ada1b8190046ffe33640647c9bc62867357a56e1edd9bc9b4e5c123da1385915a0d5817b3286629ae38af3eba63c66

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
59KB

MD5
daec8f788fc9ad0e7a882c2483304978

SHA1
7aaf832e338abade6496be3b3c735eb8f948d419

SHA256
b7a11ff750d203e59d2f43d9b9d789a111d7b76622945bd9e778de1077a7ced0

SHA512
d93239d09bedee8ae8ec1d7fdb78f02e5cab095a23461fe7b95f5d1b25d883aecaa6879ef629c2bfa0eae0b6ed834ffc6f05c3e352b88df548563276f35d53b5

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
59KB

MD5
62c0434f9398e0d140153d0d780ed55e

SHA1
3490da50987a8d1dadb5fa8f1349031b211e28f4

SHA256
2bb238c1fa101c694333c300c0833356d393dc8772f67d00816a0289e0334147

SHA512
11d23f5e6114127b3ae7937ffec88a3635166c443827aae40bed3d500c7f9f5b2670224d25597bc0db8ffb1e0bcdffab95cc89c5f1e5f964b28835c1dc4ed7d8

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
59KB

MD5
182b6b4a16b5b18c963db943a9d44de0

SHA1
091636ef7be99c3a82f08f996b3763acfa0af2e8

SHA256
06f38a03f52a94c9094861bf9efd800a98b4730aac757e41baae15bac55885fb

SHA512
654282dc2faefcdae32d9b5e12a13217a77c7b90d7423e5184c9abd66b03152e7d2649980100c029c6985b791ff071bfc2a3ce0fe5fa8bc3ffd0e91878ecdc97

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
59KB

MD5
0a8f8f8e9a96a78a02b39fae6b3cc44e

SHA1
28048f6f8093a25b72cade8f520ee180eb474312

SHA256
d6e91196ceb7c7be9cd1802b1cbe352dbab28fbfb705009debd229e41778ffe8

SHA512
37beed77bd96fa24cbd0f1864fcb1501316c84bd5fbb7fd86ad45786c6fcdcd5864cc4aa97b758d74d5e958dc7d742ba3c3dca197e54a80189dae04e2209cd3d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
59KB

MD5
5abb70e3cdea813c32a436edb4215fe4

SHA1
150ad7b3e83f010746b0abb0ef06c37548c528f5

SHA256
51682158fca967520d7666de501677daad995dccf39e77655ca7becaf954bca8

SHA512
1c48c7a2da0c900c788e2120bccf5255480bb36399187ec5b8d4fd15032f697f1cd99427c0045f24b6e335784f806dfbc564a7d8c3bd122b878bda65255a4ee0

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
59KB

MD5
9e21e60c35d896f341140360f65c861f

SHA1
173a21ad213ebd092d622f457fa6c59cc2a04156

SHA256
0f1808ff059fa86eb4c5fe8c90d061917e2964437dd13e947b850c17ef07faba

SHA512
8424f4cab3726124ea3b9503da0184c5ad0414b1f0f46f5d89e81dbacab2440e68d9df7227b16751cd48b675885a641f20dce280121f13584275aabc586300e3

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
59KB

MD5
5fce6f3cce4837e9498dd09676b4cc3d

SHA1
e1a5962f177ac7f95a00e345699b8cc789cb2ef7

SHA256
f75bfce53146eb9db8e17a7b2caf780a16c58ee796c3da6d04c293bf6fecfa0d

SHA512
a7a7297608deae1d1ec1bccd132f12955a7f941e65fc33a81290580a3f456aa523f77641574fdc2dc308c19cefbfeb7f5f04c887a35cf0a1a24612bc81024cfa

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
59KB

MD5
82bcba4098495c8311971ef97e3421ff

SHA1
4260a46d36f5b530091277bbcbb7b1adf3d6fdb5

SHA256
ac51cf51e1e0930223213ac908b8251f49644db4b1094c179673bdd71167267f

SHA512
ad8f766c7d1140560f1bc48e09e5c4a7a0bd1897bfadbcb6042ba214e32150387a91c43f3543927e1d9e442d0b90fd4459f483ceaf1e1630878055bcc2de3f1e

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
59KB

MD5
27d6bc5cb9c21bc8b893e9d736080ab9

SHA1
b8bf80a1c962410927df1176da32e00d2ee281da

SHA256
96c4116a641335c3508d739c4650caa72cf0c4634ed2ba968d93b950c95fb48c

SHA512
fc11a1cf212b312788277461de91ac085606af5595586f6ed7f495c4f29931f7c6885db9a308dc4835711816fdd812f6031d2fc520b53b57c219c59e8d014980

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
59KB

MD5
e3fb44cafeea622920a647ad26133df4

SHA1
053912d482b781a5f31ef4a4527751b3054cfa80

SHA256
3dad8f341ddfbd91c147fdb83ec026d53bd788b97b68db5ce06a457c4f325c9a

SHA512
8219e2dcd5de5c60612100db72311461cf2ab3deca050f807babf2fb35bb0767c5a728447ff5577a4656715bf4c21f8afd5863c7c6dfca3ef9090bef2ea46da7

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
59KB

MD5
cac433f33879787f0b2d6de188547ce1

SHA1
9fa91e184db8bf9f28557723837cdb756fd7482c

SHA256
411756274779c8b5a016f19f4190e8b840c99e04741bccef03c7aca7c5e5bca0

SHA512
94647e06020ac059507aed9a94090ecaf050244076e851139863b36792a0380d0147619593a07ba87a2c07fc45f72efe2502330b97ad65668070744f80c235b7

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
59KB

MD5
412a1878abf93d93119d9b9eae372dfe

SHA1
755fd6b17d579c5fe0ca384f7b26492693680e14

SHA256
517617348140a553d74daf018c00fa91b0e9088270db60076b9b1e3131f9e433

SHA512
96e41237f95c7fede6523003e65c3709bdf8f6e927705dcfea68cafd6afbef0f0ad3aac24b195e2ebcf5cd1c96768068db7a532e467a175378bd27520e483895

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
59KB

MD5
d3fe5ffba79c9520fd2ae39e1fd2ad9b

SHA1
05125bf74693f4a74e3df4430aa3109a34075a9c

SHA256
64e56a3f1e63dd4eaae4fc5532e4666cde33fe1267cecc8410f98cfa675d9c18

SHA512
f1480dfd6a64175feb4e19d0e2b5b53b37a36051d193229e5376c2063c8e0484aa20107e1fb8b5edd32bdcecdc489e0a803cf1cb4df7889d1cda5270287fc00b

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
59KB

MD5
326741b7657526fabf0e7f858232fc4e

SHA1
e90fff04528b60219ec006ee525f558936046451

SHA256
984cc48021b876d6f157108e5bd01cc3a569b8037170b27c96f6b9eccd771635

SHA512
a987a6f5265c1d178008981a9f2df1d135efa7bb1f5e54f9bdeaca7a5f7c650ed8b1b7b2f7d3b64d15cdadb0fb2169a70eb2557ec27f81b0bcc60f31de2480d4

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
59KB

MD5
8287be6e2ed99cbf908bd655afff9b82

SHA1
0eb87f41e0bc78177d1e06ab2c90899a2ff351e5

SHA256
bc0f071c9b81e9e42d8180782357b99a4cb33ad76983fb42117f0f01aaa812c9

SHA512
55cbe8111bf78b455b221ec15b6f5564c114854fe1b72d1dd4dddc5d69e189ef26647ab686e379f3437cb2f086d1ddbc3cbcd93f87b675f24ade5e2c593902ba

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
59KB

MD5
b13da3f59ff3f796cdc91479527cce0f

SHA1
38c52072c7bd3602cf97d7a953d8435515091751

SHA256
977bb436b0be693f623c035c6426f49d956164cd8bd017de7cbdafaabf35abd1

SHA512
9a8db0e5766d3a5b697f9e2737d33e30b1ea515a4cad0243816b209ffdad52b5246c106976e6e5c47b35033f5c11d78fec6e82bc8e0f49cae33b322c86f12092

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
59KB

MD5
db1550d5c57e2d5b2910e0c489954f99

SHA1
e1d3e7c1a389f7dff97420f5e78d71aea830beca

SHA256
0823532d05348e194c8df6f93a982a0c74e8c2931735792d9b5243232aa04301

SHA512
a4dd21f7447a3d08af0b7f70199f15e7b66de0cc574e30883268d4a9640ba4306cee9d1e3637e5a1c8e84357346b3c34cad557191b56325e679ad4a03e5222da

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
59KB

MD5
7f3b69d6ad3c1d4e7fc5f32333ae8b14

SHA1
1431f6d2cd71fc21d9e76f7e966d12bfed27e394

SHA256
dac674dd95ef3041b3915830c33a531236538f7ba65a972a6a9b96a1e51e8d95

SHA512
239e8230556cb322859db0f3a9a01a8adccba5735bb9d5b61f62a367469f03312c52e66f9f0972541f7f40611606660335a8b6710d3fd53769713f9872df162f

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
59KB

MD5
eaae328be54b71404151cbfcb0ee2afa

SHA1
5a373f098d66198cff572cdb8ccf6d8f841d7ab7

SHA256
92bb6b449048b03ef6b2d437fe04ce8f7e066fabc036fe24ae6265e9b8c8f950

SHA512
7b3050e1fd7944c3e30075494785bcd4f2d4a32f8075ea64db815a6b109e8ee8a57c717d776c2d7b86b9e3534cfad88240d50d14d2ff8a4fdb99c583972455f9

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
59KB

MD5
b1573fde4078cf24a226c7c9bdb13502

SHA1
ebea70ebb876604df990632bdf66ae96b763b91a

SHA256
04900c21421eabe70bbe7eb8acd9872f13ffced4619c554f13f5049dcacccb43

SHA512
969aa18d205ae55e648751f39e7f4e61360b15d936a75361bddab982ead44e9b388dc0b72b8945b7bdc26d789aede7a3e0178508070ac47a424095c65207252f

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
59KB

MD5
b420fc611d67e295c10de891128cac0e

SHA1
5ffc85821fdc07c6b8af88b6da18e1edbe1cc288

SHA256
4e7934ec371471b24542421f38de19cf0ab2e3d64b4d875a8ac783cc9f2c7edd

SHA512
57ac3e21a6748168c365991f107cc440fa759e109f68e992015fa1715ea9bd4677676539da204b671db75d2fda6a83018d1955efe40eb5ea5d0ad3cb6e465766

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
59KB

MD5
fd9ab537bffd3f428e41a54ba3a05e06

SHA1
9f887ab8c416de6e954248ecc64304514dfc4ac4

SHA256
6afad30243bfa6a94f2a7c1dc271894a1a8aee408ac95036b2680f6a7ce560d6

SHA512
4883caedae115d43281496e00d93c32b2442f0d5dc915377609d6c1adb6c230d4a3a43db8e7948cd138a24ac0053ec84b79b83443482ce89736bc104ae15004c

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
59KB

MD5
1bf00f9e3184f6ace8a435119e29ec6f

SHA1
44bdfe78a01a72578d6a5db1fb0b32cbc36fbc71

SHA256
bcb8638e861974c630bdc3cc7eea70e8306bbde3be40d56aa96de1d9dad69806

SHA512
9805cc6c687636a6de0114462ee0bae4b677815b8abb9c6dbdb4eb90a6131ad8d9c9e6634b31128f0dca92bcef4eb56795435669c59d141dd48b81e44445d971

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
59KB

MD5
56be57d665894b85613acbc7fee0d361

SHA1
40f79c065931c96e30aa1521ae175c0d45fa345d

SHA256
414b7cfdb3ffe6b4b1cf879309821bc137fc876ae5c33f11abcc5e78c219b4dc

SHA512
c8c930466172c673b7bd20a7d93e635994c10428d0cdf5b99263f5880d6b02bda7434b0aca025064a6e33303a5a928ae1d8da7e248260cdf636c9f6b56e77bdf

Download Submit
memory/184-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/4036-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-943-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads