0a24fca934c261526ae86e96f5f57c9f11700f463856aada5525a78501ded88e

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb169c5e49ef0f097723deb47fd54f20N.exe
Size

112KB
MD5

bb169c5e49ef0f097723deb47fd54f20
SHA1

4616358154a45362b1ac5fcc3b5eb110554ea39a
SHA256

0a24fca934c261526ae86e96f5f57c9f11700f463856aada5525a78501ded88e
SHA512

eb14df6c9a28b1acc03f082c5c47e44bc791ff1707a16b16bda6dd7919686e98d62a35b9037cb793fdc2b493f9496996d085bbb19caf347a3e454b504ccc113c
SSDEEP

3072:wMQPmUnYhtRRa/q09DrLXfzoeqarm9mTE:wMQ1nY70RXfxqySSE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Executes dropped EXE 64 IoCs

pid	Process
892	Mnebeogl.exe
2612	Ndokbi32.exe
1132	Nepgjaeg.exe
1868	Nljofl32.exe
4968	Ncdgcf32.exe
2548	Nebdoa32.exe
2480	Nlmllkja.exe
5096	Ndcdmikd.exe
4660	Neeqea32.exe
4888	Nloiakho.exe
1432	Ndfqbhia.exe
812	Ngdmod32.exe
4916	Npmagine.exe
3984	Nckndeni.exe
2016	Njefqo32.exe
1448	Oponmilc.exe
4164	Oflgep32.exe
2824	Olfobjbg.exe
5060	Odmgcgbi.exe
336	Ogkcpbam.exe
2168	Oneklm32.exe
880	Odocigqg.exe
2704	Ocbddc32.exe
3888	Ojllan32.exe
4528	Ocdqjceo.exe
3920	Ojoign32.exe
5104	Oqhacgdh.exe
1852	Ocgmpccl.exe
568	Ofeilobp.exe
4368	Pnlaml32.exe
2456	Pmoahijl.exe
4960	Pdfjifjo.exe
432	Pgefeajb.exe
2736	Pjcbbmif.exe
1876	Pmannhhj.exe
5092	Pdifoehl.exe
3264	Pclgkb32.exe
3608	Pfjcgn32.exe
2796	Pnakhkol.exe
4384	Pqpgdfnp.exe
4524	Pcncpbmd.exe
2176	Pflplnlg.exe
4416	Pmfhig32.exe
4864	Pdmpje32.exe
1908	Pfolbmje.exe
3012	Pnfdcjkg.exe
3336	Pqdqof32.exe
1952	Pcbmka32.exe
4224	Pgnilpah.exe
4816	Pjmehkqk.exe
404	Qmkadgpo.exe
3268	Qdbiedpa.exe
4320	Qgqeappe.exe
4372	Qfcfml32.exe
4488	Qmmnjfnl.exe
2484	Qddfkd32.exe
4216	Qgcbgo32.exe
4924	Ajanck32.exe
4964	Ampkof32.exe
3092	Adgbpc32.exe
2624	Acjclpcf.exe
4612	Afhohlbj.exe
3668	Anogiicl.exe
1764	Aqncedbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5400	5248	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 892	232	bb169c5e49ef0f097723deb47fd54f20N.exe	83
PID 232 wrote to memory of 892	232	bb169c5e49ef0f097723deb47fd54f20N.exe	83
PID 232 wrote to memory of 892	232	bb169c5e49ef0f097723deb47fd54f20N.exe	83
PID 892 wrote to memory of 2612	892	Mnebeogl.exe	84
PID 892 wrote to memory of 2612	892	Mnebeogl.exe	84
PID 892 wrote to memory of 2612	892	Mnebeogl.exe	84
PID 2612 wrote to memory of 1132	2612	Ndokbi32.exe	85
PID 2612 wrote to memory of 1132	2612	Ndokbi32.exe	85
PID 2612 wrote to memory of 1132	2612	Ndokbi32.exe	85
PID 1132 wrote to memory of 1868	1132	Nepgjaeg.exe	86
PID 1132 wrote to memory of 1868	1132	Nepgjaeg.exe	86
PID 1132 wrote to memory of 1868	1132	Nepgjaeg.exe	86
PID 1868 wrote to memory of 4968	1868	Nljofl32.exe	87
PID 1868 wrote to memory of 4968	1868	Nljofl32.exe	87
PID 1868 wrote to memory of 4968	1868	Nljofl32.exe	87
PID 4968 wrote to memory of 2548	4968	Ncdgcf32.exe	88
PID 4968 wrote to memory of 2548	4968	Ncdgcf32.exe	88
PID 4968 wrote to memory of 2548	4968	Ncdgcf32.exe	88
PID 2548 wrote to memory of 2480	2548	Nebdoa32.exe	89
PID 2548 wrote to memory of 2480	2548	Nebdoa32.exe	89
PID 2548 wrote to memory of 2480	2548	Nebdoa32.exe	89
PID 2480 wrote to memory of 5096	2480	Nlmllkja.exe	90
PID 2480 wrote to memory of 5096	2480	Nlmllkja.exe	90
PID 2480 wrote to memory of 5096	2480	Nlmllkja.exe	90
PID 5096 wrote to memory of 4660	5096	Ndcdmikd.exe	92
PID 5096 wrote to memory of 4660	5096	Ndcdmikd.exe	92
PID 5096 wrote to memory of 4660	5096	Ndcdmikd.exe	92
PID 4660 wrote to memory of 4888	4660	Neeqea32.exe	93
PID 4660 wrote to memory of 4888	4660	Neeqea32.exe	93
PID 4660 wrote to memory of 4888	4660	Neeqea32.exe	93
PID 4888 wrote to memory of 1432	4888	Nloiakho.exe	94
PID 4888 wrote to memory of 1432	4888	Nloiakho.exe	94
PID 4888 wrote to memory of 1432	4888	Nloiakho.exe	94
PID 1432 wrote to memory of 812	1432	Ndfqbhia.exe	95
PID 1432 wrote to memory of 812	1432	Ndfqbhia.exe	95
PID 1432 wrote to memory of 812	1432	Ndfqbhia.exe	95
PID 812 wrote to memory of 4916	812	Ngdmod32.exe	96
PID 812 wrote to memory of 4916	812	Ngdmod32.exe	96
PID 812 wrote to memory of 4916	812	Ngdmod32.exe	96
PID 4916 wrote to memory of 3984	4916	Npmagine.exe	98
PID 4916 wrote to memory of 3984	4916	Npmagine.exe	98
PID 4916 wrote to memory of 3984	4916	Npmagine.exe	98
PID 3984 wrote to memory of 2016	3984	Nckndeni.exe	99
PID 3984 wrote to memory of 2016	3984	Nckndeni.exe	99
PID 3984 wrote to memory of 2016	3984	Nckndeni.exe	99
PID 2016 wrote to memory of 1448	2016	Njefqo32.exe	100
PID 2016 wrote to memory of 1448	2016	Njefqo32.exe	100
PID 2016 wrote to memory of 1448	2016	Njefqo32.exe	100
PID 1448 wrote to memory of 4164	1448	Oponmilc.exe	102
PID 1448 wrote to memory of 4164	1448	Oponmilc.exe	102
PID 1448 wrote to memory of 4164	1448	Oponmilc.exe	102
PID 4164 wrote to memory of 2824	4164	Oflgep32.exe	103
PID 4164 wrote to memory of 2824	4164	Oflgep32.exe	103
PID 4164 wrote to memory of 2824	4164	Oflgep32.exe	103
PID 2824 wrote to memory of 5060	2824	Olfobjbg.exe	104
PID 2824 wrote to memory of 5060	2824	Olfobjbg.exe	104
PID 2824 wrote to memory of 5060	2824	Olfobjbg.exe	104
PID 5060 wrote to memory of 336	5060	Odmgcgbi.exe	105
PID 5060 wrote to memory of 336	5060	Odmgcgbi.exe	105
PID 5060 wrote to memory of 336	5060	Odmgcgbi.exe	105
PID 336 wrote to memory of 2168	336	Ogkcpbam.exe	106
PID 336 wrote to memory of 2168	336	Ogkcpbam.exe	106
PID 336 wrote to memory of 2168	336	Ogkcpbam.exe	106
PID 2168 wrote to memory of 880	2168	Oneklm32.exe	107

C:\Users\Admin\AppData\Local\Temp\bb169c5e49ef0f097723deb47fd54f20N.exe
"C:\Users\Admin\AppData\Local\Temp\bb169c5e49ef0f097723deb47fd54f20N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\Ndokbi32.exe
    C:\Windows\system32\Ndokbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Nepgjaeg.exe
      C:\Windows\system32\Nepgjaeg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        36⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        44⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        65⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        66⤵
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        68⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3172
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        81⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2952
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        89⤵
        
        PID:780
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        94⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        103⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        105⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        109⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        112⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        117⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 408
        119⤵
        Program crash
        
        PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5248 -ip 5248
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
112KB

MD5
3705e7bde75e6c037daaa8333a87b059

SHA1
36e6d94ea7dd98782d9b8cf828f58b7f669cbda9

SHA256
81e04efa625c0babf9880e82b5ca089473cbc7cebc9b20c07d61de3298c2301b

SHA512
4618499cc8f7e15df564a57692ecbf2a1c57c9517cacf8e584692984d1bf2c6050e8b382e3ed710662120f712e43f168fb82c587c1474b4ad4b92be7ea538595

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
112KB

MD5
efb5cc041d53dd02cfba055285803383

SHA1
d365b39da1e97acb288fdb4e6481200a591697d8

SHA256
f4aca035624aabed49d79347c96b36c285feb15dd499e7dd77b6607d23ef86bb

SHA512
cf417aaba5f59e298870c25ab8f52a1effce6098456f65303bd7b136a0b8ea2a3ceab48387e216e314c423e5f18542bc9746911bc43ff047c0769314b2e2bab1

Download Submit
C:\Windows\SysWOW64\Dapgdeib.dll

Filesize
7KB

MD5
b4af628f050fde2ec6f1f97e4d3db862

SHA1
823b61aa159fa8b3b57b48dd002df7661de30f73

SHA256
057bb9a6abc675581951e414a611b21861e8068958272c91eef8f4dccc5a6d93

SHA512
8a3257847aebc59e32f88c2daa56485ad04836c9ca6da9b6088727f0797380f3ea3a4ce5f281cdc18a6ea3b156f17dd3e501a926bf2b6f00b1f7b4e50db6b120

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
112KB

MD5
121b0ef0d49c3f330d0115a48fd7e0b4

SHA1
57578c1be30cc658f629ff8e3b225d28874628e0

SHA256
e1e165dc2a5bd75c000af20c09ad37a04d7fd494a0a333e38bfb1818dbf47e92

SHA512
f0f0162934795cb3c3c6a471c8cecbc9dd2a1c75ecbbb6021eefdb6d1dac74ccc7f735015a58085dcc98ec65b2dd119432d6a68a02d92a20d4706607c482240b

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
112KB

MD5
0422397bf06e606b56d99ad46041a6a7

SHA1
96f514af2172f0f02c838c91986932bbc12a8c15

SHA256
e4982fda4a889e1816c2118d62436c0aa87d0e0615e18e8450c6563a64e586c6

SHA512
3a9b0817cb08811dc537717ac21d9c34aa6a3b97084cab6eca80447417833e7166ac9df0e99e76b7900eb411f0f1496205357d371e439a6e5ab17913ada56d8b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
112KB

MD5
bf783b0a846258f454f47b833a4862c4

SHA1
61341595988a4472e471c992969e3cc9b7d5b759

SHA256
4e7c6ca82379d2ef3b32f1c619db7c82e37c2bc907ab83b758df958c075d50ba

SHA512
ae38ea855a5dbf90dd2e1c59ad22a33ea87f8c05846cc64f24c2a35ffbd0540f5c640084347902e37a8637c051262d72e7493376e9ab7a9fb46a8c89a2cb8d77

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
112KB

MD5
241d321938bcd97392ede5d46bfdf209

SHA1
60c540c6abe25505505743306406f8ec7a510507

SHA256
4e54243db7eda8246d9512a108ca31ecd30a70836365e1f82708ba740fba2c61

SHA512
f01f0d6ded7798cc60fdb75c4465fd2e5214d8a23f3a917037e2945a5b5ece64941be66c4f1b7ec7eb073da5be00a82419082ece48fe9c39e2df820222db49ec

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
112KB

MD5
a594d120fc71939936eb4f06796e1e5b

SHA1
0ad557fbfda4b38d2cfd923c2b2d1fd2cc54022c

SHA256
9cb8882ebe25b6ec95154f11628895a69269414c8edd38836308f6b93115323b

SHA512
0216bfd6065ca3dac1cbbc0fa9f415e1ab232c6088cd4407f97e6699eec0be87d797dcb429271fb0e57b0eaf28690878145322df1cd64554e85b423b0d288aa7

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
112KB

MD5
ac72736a77b7708d3520700c02984f9a

SHA1
53e8807a786afade2bd308057477d9145a95d579

SHA256
7b77105294417ae44abeaed01e3dc02e5c0828ed894fd5efc11ab212523998b4

SHA512
75f9a003a3f08859e9506bdc04f4e1b50e24248e2c68ebb899a67035282643731c0f958a8048a82f0f2ab0637c2f9609a26c2911c9f9fa0bd0136af1848e22b9

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
112KB

MD5
9c17636c7836f6df9a41577268f94b33

SHA1
21230d227a60b84b391b4fe5ca869550bc5b02f1

SHA256
c7f74ef41803083963d947c8090fc5c98819dc1c232595abd94f74b84860fcc6

SHA512
91b5055cfabcb4a43c89f298cb3ab9fbda05cf216d5bc35bee795cd665100ee57ae42b22f0618ebac72f97cb2882bd1a2d7566490c431c004405ac8a77a5dc92

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
112KB

MD5
75b2c6a64e161731bc916ddb401a18d7

SHA1
14a5af9258d0d02473ce2bd6d84c86b618bef55e

SHA256
9093b944473e84047420a198633cb74e1a15b306a9a3ea92abcd969aa7450fdb

SHA512
2ecbe94a6c79042e53cc6672afc9d4e2d4e7f9849d2e10a405edc2e2bb3793896343589f1d6af1b8ad441b22a6c6b830ec15664013784343337c8df6ad70e66d

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
112KB

MD5
08bc529958dae21b8df8ad4e0282fca9

SHA1
0456177b3276ae35bfc419f2bd73f3db0ad93e61

SHA256
6bca159ec983a88b5c876ac86431d8949e01ef8fc703b545f1987c6b2085d52c

SHA512
e9e8a21ecb10ed944952fd7b382aaaf582eff28bc2f1453da364004aa2598caf1582e8e056234d93eafd7c511c1951f8d25f5de9f4dd72fe5b8fd06df9656fc2

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
112KB

MD5
63afc3d73e26458d2da297550cf8b8e0

SHA1
e1d10176b9e062943bcc5b922e15fe26d3c03cb1

SHA256
5373bdcc9b68bf4b859790b129ba55e243274a0612f27b15410ea84eb74d8131

SHA512
857b82c6ab43485b4496535fa2371d913a13da640dc08ed54f95fae48213a9c3934f92c1312931bce117e268b6b850dd57e664f2447ffdac6ae13af34522f0f1

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
112KB

MD5
fcf16c6d4f2b97f51142c7e4fd7720c7

SHA1
66a1bc998a39fb304c566ebc1f52d4fd124d93c5

SHA256
217100cd689ed804700e060a3b3e0294002bb2530a34c64d179d9d6886d70cf5

SHA512
cfe819190b2ac736ae2460c0a061c860752435ccdc54e70c6b78caff50c9bc59f51aa1bd19bb2c7fa3782269850bd4144348adb46aabcefabdd770d25c008b0e

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
112KB

MD5
26e48f27994bf60bfb2d6bd02193a09e

SHA1
a91516c8664c1ffe1bf59ebfb3830fb5cbd1e5c2

SHA256
659084c25ceecc8407b9ea285e2fa2b05e752101f1618f6ec247dfd8832387c3

SHA512
8d56cc7f5c7d0fd8cb94fc9986c5702e34513397a863dfed790fd38fcee091d6fee78ca8b6a9596d32ccc92e9c69560eb3b891d31daebf257509adc2be75b557

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
112KB

MD5
72a9b6da5afdd6c6d91b8deede8df8cf

SHA1
450f77345d489771e089288176b0f61b879f5582

SHA256
91edd746aef179d3c01cfa196ca8e890e98ffb0ec2cb1bdb9b7f7dce35eab3c2

SHA512
a937046ecf1b345995b8047df109272bb43e4931e1015bb5423de92ea91bbfc00040367468a219a7819bc10e90a9e4c4d0a34ffa5c0f62c28284d0488c9bd1f9

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
112KB

MD5
b0807fda18556dec0e1e847a129e1184

SHA1
fcd7c6894865d8fe5c614cabfb499f1400f88a81

SHA256
420eb7b517bf35a3295002e44cbcbb265d6e84a2083f4a0a418c9c09710bc549

SHA512
d191e3898075745950177be61b8ba6286d89d3ab3b73f6040b24bde8fcea94c905ca967b1f33bf24db2541a44b5be884cc744f629132eb11fc8cab8acb7d1c8c

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
112KB

MD5
9da854d3499f2a9118a6127702bba9d5

SHA1
0365409ed1f59f4833a194f7e3b1913e40005aa4

SHA256
b0e9a04cb9867cd3e3b4edaaab4f67f2c71d0be318bea4d65ee378f3ff5a34d1

SHA512
35bfcf7fc76230d87d66c19f17710c7fb67e42283755c7eaa9e8caa7410448a3c222ba0994eb7572d1d4cb726a18ba690057cba09410d9dd4445372a91799cbb

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
112KB

MD5
65ccb08e686b7a52718687c48d1b1a9b

SHA1
27c2221525c93fafefbc8a364126e05380403830

SHA256
83b25837ec5173200e7e6b8cf3cb6caf5610a82fa8b5daa50062683b0dd6111a

SHA512
4931046f267f6a352880a7632dee568921e6e33fd8ad150329badee3310ef33723ecfb05e99edc54c2ae07a71f3aca5b92b79c930abda0af1c8f67401932eb82

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
112KB

MD5
4712b2af65e196352248e4a55c35f1d2

SHA1
8d34987cf0e593cbbb6c8b32ae3b171b9274b42b

SHA256
271107f8ccadba4ae0ec2057dd874769b255e823af50022eee22e2287f788b5f

SHA512
5ff798bf022bc672eca3131749c1bfe1638847a192e1ff4f4eff4e23f5ad36d46b195a3986eacade2fcf70542cc917eddc7b94cb405946b3bb879662c953a97f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
112KB

MD5
2dde662b2a17f29ef4e065ecf7797ef2

SHA1
8033706c19513241b4024bbaed973596918c62ee

SHA256
9cc38d150c5f9658dd617872bf9d20767c8a107581301b37a4f2d53aa29f8f7d

SHA512
be70516380337c20b50bd95e56b04c35de10c54a5cdc2a016c3e0b66081752418c47c771325dfc90c6fb93beca6b58bedb8cc24245e3d32df0f1995a14d478b3

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
112KB

MD5
5bcf2c5ef202e82ea21396671b9adc17

SHA1
dfcedc0fbf9c1a4135e57f0dab1b46fd0a60af56

SHA256
528775c4aa15b4fb5e2e18363b512bb94e1d6c27f61563cb054a0cf39059ce60

SHA512
4adac4b2394b8fd298519f2e1565a37e6680eb2bd51dba6c87d348cd73e375f45f485993f5dd3959a363ec6856d8e72ef6e3935d4f53b8d33ceb37a74b4be1af

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
112KB

MD5
3d7de9d001457ffdbec98f57458587fd

SHA1
bd1909468b6b95363bb4e96f120fb3172672dcc7

SHA256
c1ce5b9191b55a8c0d8198be810ad055abbd2f1633935dc078a4936b43530d92

SHA512
320540e297e7a62ec0006df9a0b2e257052c348475b4d28a467c3e2fb08363e70612a940445f00d1c06b2e3013f746d686a21c673a709697e242ba5aa423f7bb

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
112KB

MD5
80f1832352c131ef2ba5dd3b1a9a1c0d

SHA1
cb7de5126a46d2ccd470ab9068a9f921c9a65dec

SHA256
c2d2851e5342009c65b4535d1096e1ef0b34a0d12970cc4c0f95f2aa5c13dc6c

SHA512
960a0932fa2f328f73ba972d028a514594bc43119173edfda9c0baa1c57d91b99696f605675d72aee18046a6dfb68431b8d3f831a7bf605b5fd9d8803d850ceb

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
112KB

MD5
a265f8ee959f1215c12b8d94bc51bedb

SHA1
fdce8e68777793ec30533d19e5d9455f1e5538f9

SHA256
4013edfe6bc3fed465dfad89df1cee187d0f66f7e59e1dde6cc525949a34d5f9

SHA512
860f689a63af1c3d469ee90e08fa61f3644398e0efe08c78eb3d50c0a082b2a1ea37a221590e30d266ca25448d1a89a581820732cf319f82b4f02f5cff6342a3

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
112KB

MD5
2f3501c4cc99045ec2fa3db4582eac11

SHA1
bb3bbc940c45a23efef8757d8fa66c2e64ff2782

SHA256
bddf93fb4a4d2351fa59e229cf973f3d1a3a7b72d104bca4c11a8b458ceaeb2a

SHA512
997d2e0b1305fe31b1cef436496601267fa666210dc6f88586601e3ccb462849d55d068a8a4ff6ff4ed6500211ec10e4abd1ed9fdd9e98efbc1b6d7ad1d838b3

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
112KB

MD5
10d3110e56180542d1ac8838dd52fe32

SHA1
a6830d440ec884db55a76817ce0606a618f91d55

SHA256
7b492ea466cb58bc5d254bb2d5006ea035f01d88123ac9f76c740f16e4281569

SHA512
a8e28b832f16af8111ecc0c86fbd8170c10dceacba82afa148d509294fb28ef257f6646825b8e0efcea1ed0bce3d9859394b699cb33854d8ce4d598d31f42d21

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
112KB

MD5
83110a038f5ae09acfa172a243560260

SHA1
c5a2f8418bf87bd2840997372ef4a285cc39f0b5

SHA256
06b1847fa541108dd7b7be10b63afda3ec27eb68eaba14dc79f67c01c3260b7a

SHA512
6280f49cb180f64f74419466e151a65e99092ff95fe466b42e1ce19840ad68b8be022a8f739fa2bc415b04e6c28693d6cb7d23b7da331bf7518cbcbf55233d3b

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
112KB

MD5
f4e7451ebf0cd376abbcb7890e819d20

SHA1
7ab3180f49587b72385b094f1139fcbdd4c30f21

SHA256
2fefaff3c5da6699e9980cd29d1f68eb61c5998486f1f9fc2f8acb9ea4fa5741

SHA512
38e696e6a32455edd47ac53f04f03becc74345398a1297d2c9e97838006a13bd703537ece4abcbf4488398c6b949c00c61499ccb4231470abe501d09675a9a35

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
112KB

MD5
4e973249eb6f2bf9f52a5efe72c15ed2

SHA1
2bdb7c33bd4340429c2951fdbb155b9d49ff9daf

SHA256
5c154c3e1950343e516784540401742fb08e0fdf726c5dcf9ebdc80723175a74

SHA512
ad419e1ce9cbac703bf0bf2f86f98e4755e34551e64b82285f2f61c8916cba2f2bae340026a4414f4fff5199a78af4f04d91254dc33b2f76e11c28e36dd3cc01

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
112KB

MD5
44431dabce84f2311a2176b54dd79ae0

SHA1
bc4b850edc7dca6212d14a935c48ab86780bb183

SHA256
299b49a2e91f8f07981d6c18a8f0cb9f01112f5a93b5c9546b0c5916739f2c4c

SHA512
c09653a8da57d130520fc5234997be18b59382e78bbbd402582917ccca5b99c7a1f9168338c9591b30a5aed9ab0d064f75e1042283a0314de8d3564ea35507a0

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
112KB

MD5
17f851ee39d100e13674f3f909dcd70e

SHA1
978f5e2869d11752559c6e0afb6b8f9e6f0fe569

SHA256
d6b7de1755aa601977706779e7398244a9f75509fda0d9746f6593eea9cb4350

SHA512
c17ff4b5912715b05a60ed8347a4a9e107c9474a578b0cbab8c35eef556d8573fb1c9f7bfccdb755ec1568ea0d0b5f06dc5f119ba92c2fd0bdc700fb38c14be0

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
112KB

MD5
9c19be8a18171d060290d22cb9aa84b6

SHA1
1af199635483be1eebc8b464e912b3b224f22063

SHA256
d45f5a9d8c72fc3cfdfad30b91a561ead518382e0864ad7fce57811272da15c3

SHA512
2331b62603b9d084a2a2fb52d0d505e7841e6b7a607a680ed5e6a0ced8253a83b4a51eee52fe3c90a43a64eb3b86bddc1609d16a4ca45f43845937260e6e94d4

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
112KB

MD5
1306cbd47afc9a3742de09e38135a1eb

SHA1
6a75a94b4475392dda0ffff3178baec991b4c107

SHA256
8f35cedbee6c64c7b3fa57bdc47858a1311fa445eaa51b4d72a7698e7aed23ba

SHA512
978b94f99dcba0f115bead5096d3ab8f1e9ca6a6cf1be380b444cc0dad7f744e508f9f3842fdeb8469703c875964e860c7f4b45c539448145567c8a61a11380d

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
112KB

MD5
4c5ec4a1fadab6ce7c6ea7887f8a2f9d

SHA1
71d255dabadf72c10a2567db4fa5bf310e423320

SHA256
e4222288c536623d6b549dd36c941edf90f023ead0850e8b12a349eddcc3c471

SHA512
28afee53f44aeae08389368a50cd4c0402c1c06255c05cf3e31192b489b6a8d9ac98b8a3a358a0fbf4bbc5648157e582ddf1f84787ad6cb1e6ce9f983305c40d

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
112KB

MD5
5261bac0f8f6755ab6692834380b5ab5

SHA1
8aabc4f2285c0a4220d83e0948183afcb8c29d6e

SHA256
2211121135fb4650309b979a29d7bf3dd2204c32ae179a9ac31cb1f9f7897723

SHA512
a83b33da51f21a7f2f09cd31e58a1c2d5fde7eaa6257441b071a96c68282198e543c828a11ac080d901a51e15278ff3a31c62e00a813d8bc443de04dd0bb4fe4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
112KB

MD5
5b8b7677f17dbd1c5a243f5ef4202e0a

SHA1
d00e09e0c8dfbe52331b7edcf42f91f4e1455b85

SHA256
e6d533596cebac96b2f61cc2528f1e639d3b7cd254503a88f10102d169159ab0

SHA512
5b2909c5cfd8d969e35bd63416f41ba1abe8790a10262c59ee0fc62182609d420ff8be1826701d125e900d33157181ae851796d268092370cd0c5d03f5ff3ccd

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
112KB

MD5
2d63e219ae335c83d3ec272340edd2b6

SHA1
066f14e97ad113e6e573a97e16ff4736c3a895ca

SHA256
a00f53019c3113cea656ec89903a89d1011b172f60ae0ec66f55274df3f563b5

SHA512
19f28c3be88cfa73a03d6c23c54888ae4e045adc5126721daf25960a573bc23aad22464b90dd7a536b012b2e03f690a6822401b6a808a3201f11cbeecd007b98

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
112KB

MD5
52531ff0fbadfc95831f10a1b05ff59b

SHA1
040b9e564dc711ad6608d6a50250862f9a23f8c2

SHA256
a31322520147c4fe8456595495b3971cd6abeade7c4d15a986835e02d86ce796

SHA512
aefb9718267312e9dcd2e4e3fcf69c22cf15c4afe2a901719f89d1ab1803c7c7022ae19f5f570ea19e4fb655bcd37c462c51e7de826fb676db3a670d27060dd8

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
112KB

MD5
069873bb2721f5ce266dd8f1e53b1c92

SHA1
3fd0e8a1004ead269ed3d55d092b82560010f309

SHA256
5c1ac4c94dc01c09fa02d4e87976da4d6e258addf280f69919461c103eacdd20

SHA512
03ed56f6f42eb55e88b3066b67e92cdeb9985ce3fca918443abd9ad17e49c6d27e99a4c4520f41d90dad71b235ff43035a9e12f6dd4e45f04906d3b0ea6b5a72

Download Submit
memory/224-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/336-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/432-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/568-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/784-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/944-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1852-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3264-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3268-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3400-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3920-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3984-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-530-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4372-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads