6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7

Analysis

max time kernel
95s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe
Size

128KB
MD5

d38c1c4d61915663542dffed1e6c3640
SHA1

724b9cce95e5bf5a7c2305c91ec82f4018790d51
SHA256

6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7
SHA512

154171d81d85ae7187b0c7a39347a93b68460963f9f79b986deb83090ecfc77d6a00a769844e691da4500bee37d2b52f4e48cb97a83ad7bcade0e41ac5ae7718
SSDEEP

1536:D8VioDLoXSwwHMhlmuxKvLVA1PBHbjbuRJ6YRQDdRfRa9HprmRfRJCLIXG:oViHXSwwHMhlmhhApFvtYeDd5wkpHxG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe

Executes dropped EXE 64 IoCs

pid	Process
3712	Ncbknfed.exe
2088	Nngokoej.exe
4788	Nljofl32.exe
3200	Ndaggimg.exe
1604	Ncdgcf32.exe
1860	Nphhmj32.exe
3548	Njqmepik.exe
2752	Ndfqbhia.exe
2020	Ngdmod32.exe
3896	Ndhmhh32.exe
1960	Nggjdc32.exe
4752	Odkjng32.exe
4960	Oflgep32.exe
4776	Opakbi32.exe
2032	Ofnckp32.exe
4756	Ognpebpj.exe
3772	Olkhmi32.exe
3100	Ocdqjceo.exe
4260	Ojoign32.exe
2156	Oddmdf32.exe
4220	Ofeilobp.exe
1504	Pmoahijl.exe
3752	Pfhfan32.exe
1268	Pqmjog32.exe
2284	Pggbkagp.exe
848	Pnakhkol.exe
1016	Pdkcde32.exe
3944	Pjhlml32.exe
840	Pmfhig32.exe
3460	Pnfdcjkg.exe
4008	Pcbmka32.exe
1500	Pjmehkqk.exe
2076	Qqfmde32.exe
696	Qgqeappe.exe
3364	Qnjnnj32.exe
4032	Qddfkd32.exe
3112	Qcgffqei.exe
3492	Anmjcieo.exe
1408	Aqkgpedc.exe
1104	Acjclpcf.exe
3172	Ajckij32.exe
1108	Ambgef32.exe
1620	Aclpap32.exe
2804	Ajfhnjhq.exe
4556	Aqppkd32.exe
2348	Afmhck32.exe
3988	Amgapeea.exe
2988	Acqimo32.exe
8	Afoeiklb.exe
352	Ajkaii32.exe
672	Aminee32.exe
3528	Accfbokl.exe
4340	Bmkjkd32.exe
940	Bfdodjhm.exe
2948	Baicac32.exe
3484	Bchomn32.exe
4440	Bgcknmop.exe
876	Bnmcjg32.exe
1624	Beglgani.exe
4772	Bgehcmmm.exe
3268	Bnpppgdj.exe
4280	Bclhhnca.exe
2824	Bjfaeh32.exe
1036	Bmemac32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5596	5480	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3712	2240	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe	83
PID 2240 wrote to memory of 3712	2240	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe	83
PID 2240 wrote to memory of 3712	2240	6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe	83
PID 3712 wrote to memory of 2088	3712	Ncbknfed.exe	84
PID 3712 wrote to memory of 2088	3712	Ncbknfed.exe	84
PID 3712 wrote to memory of 2088	3712	Ncbknfed.exe	84
PID 2088 wrote to memory of 4788	2088	Nngokoej.exe	85
PID 2088 wrote to memory of 4788	2088	Nngokoej.exe	85
PID 2088 wrote to memory of 4788	2088	Nngokoej.exe	85
PID 4788 wrote to memory of 3200	4788	Nljofl32.exe	86
PID 4788 wrote to memory of 3200	4788	Nljofl32.exe	86
PID 4788 wrote to memory of 3200	4788	Nljofl32.exe	86
PID 3200 wrote to memory of 1604	3200	Ndaggimg.exe	87
PID 3200 wrote to memory of 1604	3200	Ndaggimg.exe	87
PID 3200 wrote to memory of 1604	3200	Ndaggimg.exe	87
PID 1604 wrote to memory of 1860	1604	Ncdgcf32.exe	88
PID 1604 wrote to memory of 1860	1604	Ncdgcf32.exe	88
PID 1604 wrote to memory of 1860	1604	Ncdgcf32.exe	88
PID 1860 wrote to memory of 3548	1860	Nphhmj32.exe	89
PID 1860 wrote to memory of 3548	1860	Nphhmj32.exe	89
PID 1860 wrote to memory of 3548	1860	Nphhmj32.exe	89
PID 3548 wrote to memory of 2752	3548	Njqmepik.exe	90
PID 3548 wrote to memory of 2752	3548	Njqmepik.exe	90
PID 3548 wrote to memory of 2752	3548	Njqmepik.exe	90
PID 2752 wrote to memory of 2020	2752	Ndfqbhia.exe	91
PID 2752 wrote to memory of 2020	2752	Ndfqbhia.exe	91
PID 2752 wrote to memory of 2020	2752	Ndfqbhia.exe	91
PID 2020 wrote to memory of 3896	2020	Ngdmod32.exe	92
PID 2020 wrote to memory of 3896	2020	Ngdmod32.exe	92
PID 2020 wrote to memory of 3896	2020	Ngdmod32.exe	92
PID 3896 wrote to memory of 1960	3896	Ndhmhh32.exe	93
PID 3896 wrote to memory of 1960	3896	Ndhmhh32.exe	93
PID 3896 wrote to memory of 1960	3896	Ndhmhh32.exe	93
PID 1960 wrote to memory of 4752	1960	Nggjdc32.exe	94
PID 1960 wrote to memory of 4752	1960	Nggjdc32.exe	94
PID 1960 wrote to memory of 4752	1960	Nggjdc32.exe	94
PID 4752 wrote to memory of 4960	4752	Odkjng32.exe	96
PID 4752 wrote to memory of 4960	4752	Odkjng32.exe	96
PID 4752 wrote to memory of 4960	4752	Odkjng32.exe	96
PID 4960 wrote to memory of 4776	4960	Oflgep32.exe	97
PID 4960 wrote to memory of 4776	4960	Oflgep32.exe	97
PID 4960 wrote to memory of 4776	4960	Oflgep32.exe	97
PID 4776 wrote to memory of 2032	4776	Opakbi32.exe	98
PID 4776 wrote to memory of 2032	4776	Opakbi32.exe	98
PID 4776 wrote to memory of 2032	4776	Opakbi32.exe	98
PID 2032 wrote to memory of 4756	2032	Ofnckp32.exe	99
PID 2032 wrote to memory of 4756	2032	Ofnckp32.exe	99
PID 2032 wrote to memory of 4756	2032	Ofnckp32.exe	99
PID 4756 wrote to memory of 3772	4756	Ognpebpj.exe	100
PID 4756 wrote to memory of 3772	4756	Ognpebpj.exe	100
PID 4756 wrote to memory of 3772	4756	Ognpebpj.exe	100
PID 3772 wrote to memory of 3100	3772	Olkhmi32.exe	101
PID 3772 wrote to memory of 3100	3772	Olkhmi32.exe	101
PID 3772 wrote to memory of 3100	3772	Olkhmi32.exe	101
PID 3100 wrote to memory of 4260	3100	Ocdqjceo.exe	102
PID 3100 wrote to memory of 4260	3100	Ocdqjceo.exe	102
PID 3100 wrote to memory of 4260	3100	Ocdqjceo.exe	102
PID 4260 wrote to memory of 2156	4260	Ojoign32.exe	103
PID 4260 wrote to memory of 2156	4260	Ojoign32.exe	103
PID 4260 wrote to memory of 2156	4260	Ojoign32.exe	103
PID 2156 wrote to memory of 4220	2156	Oddmdf32.exe	105
PID 2156 wrote to memory of 4220	2156	Oddmdf32.exe	105
PID 2156 wrote to memory of 4220	2156	Oddmdf32.exe	105
PID 4220 wrote to memory of 1504	4220	Ofeilobp.exe	106

C:\Users\Admin\AppData\Local\Temp\6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe
"C:\Users\Admin\AppData\Local\Temp\6aec0e227b6d7da4bdb03cab099a75a5f4a64fc5b8df4d8d53abead15b5132a7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Ncbknfed.exe
  C:\Windows\system32\Ncbknfed.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\Nngokoej.exe
    C:\Windows\system32\Nngokoej.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\Nljofl32.exe
      C:\Windows\system32\Nljofl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        29⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:672
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        73⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1168
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        89⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 408
        92⤵
        Program crash
        
        PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5480 -ip 5480
1⤵
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
128KB

MD5
28ac24f6491f8d83ba0f8e952cba22e0

SHA1
9d86763faf2d26f1793356aefd5f8ca09ef85827

SHA256
9cfbaa0d08d71833eb9d6be2015bd789c43977b779e5269589fee10c6915de2a

SHA512
c4772d020b14c199ecce9fe66dfc8eb5faa5aa092f979b552290e95b346ab50c988d4e91ce4a2c16870711e5958fd159c14c5ab7d0a55a96b08607feb1ec824a

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
128KB

MD5
5a79f9a788605ae969e7f50745e433f0

SHA1
13b46fea6fbde26713d9c7e685834f22db4347f7

SHA256
0057c6e6fda6e855b47993eded15e67e3e636457da7925bb8a7b88270321260c

SHA512
96308b419e806a9701a7b07c431322d644f4f601656cde4021dd54132358e4647e2433dab35c1b09ccdb166d6e54e557d69606a9fa4a4d65c5494acaeb3c98bf

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
128KB

MD5
9394fd08b044f1edee10592a1329b1f5

SHA1
11f962ac65307a00ed62ba4b1deada1adf7f9a8b

SHA256
f12c5f785542b077f24d2c284c1397ef76f5f25300a4393528f0e90715c9c594

SHA512
48878458272ebf83dd788282d86c6e14347a9c16442c12e9cb029d48dd72c97861036bdd2bd33fd3032dc1b16afcffcadb8c8bef9777b3b5b5f2de5ffabe2044

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
128KB

MD5
c9b1d49bbf2dddefa867b1f1db67017f

SHA1
733c09402465cbe23e7285497ea37f73f0bd30c0

SHA256
f916a8c6d576c3e99c991a1a6edc594e9e8adee4ee347d1380f3e1e58626d5b7

SHA512
f7072ae97aca2b9632d88d5ade7433a159cf711ce926fb086bdf7b99fedf5980c4c5d2a1a831d9a50d47a98e214162c8dbbceb1dd22df0fe9399a59149bf6e93

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
128KB

MD5
2556e47f417b61ce9274cb5451fc714f

SHA1
081c3ee9764770e082f1780be29b08cd1eeb8255

SHA256
7153fd150257766e6a4b6ac51099f064a42e30cfd3d138fe2356dbc978a9e493

SHA512
ce56035da6a9e132946822cb9ffbd90a6d1faccdf14d3ada4f1c9a952be7d1a4c2cd806b7c2ee5473e0d338c9d21f4c3345b9fdf172556e36ee1a437568a1b51

Download Submit
C:\Windows\SysWOW64\Dapgdeib.dll

Filesize
7KB

MD5
bbdbd74d04a03a08c723774ca6a66226

SHA1
9744696df4a43d9d9174cd813faea341b21f3167

SHA256
cacdf0e17f607c95c85f5c3cc51d0a1250f767771b41a5e0dec34e63805f3b70

SHA512
641110910b82cf9742a2de6a0f44b7ade05f1e36222db585fcff225fc0c847161a1df3bd6e1a62e4863c2ad178f37c6d326cbf954a5a718af7fa09c02ac9fb79

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
128KB

MD5
7acf4e8af9dc19cb68aa2c19e665b5b5

SHA1
47f13aefc71230f87245695b7528287a622166eb

SHA256
84f865d155f80bc8592faa62c5ad177cb78d03187b1f7f9ec73a369c26ac7cd4

SHA512
ed85ceaed03c734422fc7ce8db9b61d81ed0b0ca53bc66b40cde0faafa9ca76a0f82550095daebb51d8d41561e0d6e77a0267b0e1b2bc5a6b6eac10de9e542fb

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
128KB

MD5
f9b032bdb5457d992ee69903e8abe848

SHA1
5aca8c1318f4b77cb7152ec448559b4c1a64972d

SHA256
ce9d31e9e63d38b4e81dfc769f9222aea1b924b5336bf3c53adf3820b4e02240

SHA512
41d8d70f1be2466c995feb51b56dfadf2244f2f586d805f1fd8d09b16ec1a1bd9bdaf9fdf28fefedd82abfa4c791d7d27df9d50ebef99d3e74d6a6264946ef28

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
00d1345a0719df9a106cf0899b6198e6

SHA1
d803f22ef9120ff7cbeeae8aff36dc26f3e38ec1

SHA256
948100cb834ef76e21325e50351c34a753a2eb5f5efa80fcf2a17b4a3de7ddbe

SHA512
7e65e61793ab88815c028dbed0d08a6c8d3d9e069c4fe1ffe2c80dc1516ef817d463666e0f102bf04e5d99c7945290a96079c019945b3b312b72e759b0307016

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
128KB

MD5
fe4c62283216d5dff162bd20e7267bd7

SHA1
bc260d40e6d37bc432695e27016f1fecc6e17cc2

SHA256
f9facccb3b107d45a89e2baf36bad9827e427ce0f2fef2b42ef28ed8b2efc2c1

SHA512
edfd0e600908b693b15e795c519e9dca09644e2859e8205445f79084c0d0f5b05068d6ce95fa58ca48410cd3a5a8c4d488eb7804ba6221856f86d7e095be5d94

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
128KB

MD5
b995ce4ec309b2d4e50ad4775acc9846

SHA1
c0ce4b1fab8bd56fc137803d79fcfabaecead293

SHA256
e781705b69c1fa8f9e674354fd3879945db93f87515a0be6756e290a0856191e

SHA512
e071a83f0bb2fda3e75fa39ea600449185c322980d1516e9a797e5f823abf3e05267bb6198bbb833e5f243160fcd613958120054ba72086aaa32ca02385f4184

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
128KB

MD5
3d9d4ee1c4efbceb1a55dff7a18ebab4

SHA1
abe5896d3de634349e0ed4961e2ebaaf12028bd9

SHA256
1629ba16893c0ac302d366c9f6c9d69c5cb818c16080fd48ff9a92582ce51bed

SHA512
e3fc564776d830136421e1a0f9a9e64fc5de5ca2ea142493bed72a0dfbbda3838d8087dcbc4aab6f687ba21c432403157a9606c8f30c4ddec05b2c721b692523

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
128KB

MD5
98ba9a36220fcb98552f79c55508dfed

SHA1
c7134fac926e89538711694425a2d57f8011791b

SHA256
0346b1424aeb3869380066b77dc363b19a74425aee3b57d88120f6cd98a2e957

SHA512
a4f4ec29da5223c960b3e217cbaf41b02adc058eef091bc4a5e15f9b76aed33ddb92ceff1fafc89a4770691dbe6159d69f3522f5395a086e63b76b59315f6dbd

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
128KB

MD5
8cd57abd98d5efd183e04d2dbb0ba1dd

SHA1
7c6757193e0a9d739058daf2b837dbd2c183e85f

SHA256
ef1426921ae2a0bb591e5740174c63e8e8bc3c5ea5f6de27c0336679e59a6a3d

SHA512
4e103f15d3d441cf073dbceeae4175bf38acb96e9dd517117199befbab04ed041a504296f454eb88072c0372d4777fad7d86b17e86aae7c57505e63af6c98809

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
128KB

MD5
833dfba72154427bd5403328370e8d29

SHA1
1957be9fbfea2eb4888e88d169c989e5bac96fe8

SHA256
1d5ade90649f9615e82508eff2e6e07bec2f996dde4b657336cf6374f32f49bd

SHA512
79a86135fbf1aa08bffaaeb3e841b1d4338e41a1f35800c59bf0272d0fa8b33f81aa918f7c4519908f028eca29ec41e2ac2bd5eae2e5efdbf9d8ac2fe84b8f16

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
128KB

MD5
6fb6f150585bcece644d9f9c9bd788ef

SHA1
7ccd3717fc86748c0178dbad3955e1ec77431301

SHA256
fe7ba58d2ae70b62962974ecce2ddc4305faa0bd26c523fbc0691e942e8d2f78

SHA512
8b61643c2765a2a0fdb2cd6235f8f55b157c0db5a9f2573090be74f3beb031260289a4dacab38ed5b59558fdea1fba601c74a95eecd96fe7cbd26a91ead4a8c4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
128KB

MD5
1ef56ac31d10e9fbac10b3dee12f6201

SHA1
1749f1b56e165f8be88f90da6a523eb276cea502

SHA256
9ed5d976d90c9897c776e92432239646e0e94e43b3d421ce37060630b686c755

SHA512
2a755021ec6eeac1f683071a89e0d009c1c2f5434d84571542c7f12d9bfdedb1dbf6951008fbc31f2b79a3c9d5438622238b2b4980d24339cc120264c80e5490

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
128KB

MD5
8cf8ef4f127089b1097f2a0735c243d1

SHA1
c1b4680f8b3bdd0f001028d001b61933768c685f

SHA256
b5752b3b91052f7cf0183a3b8785e5656331a25bf66193205b6911db8f3e16a6

SHA512
12375551ed7bb79d587b4dd4e85d5730a6d1c4e8f1d7752de87a4710d2feae301f3a73b3cd393714581fb040193f0ce3729741f320f9dad5b6ae4447ac5827be

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
128KB

MD5
cb3fc1b6502c8598d275326a0e18787f

SHA1
240b795ac5ebee12f23ff4d2b991b6ee6743b92b

SHA256
f57d62ef3af31b2637bd65cf56085d63a991073942097b4733a535ef2b6b80f1

SHA512
cbc8f6eeacd9c77de328bf695fae46dfd4ba0bfcac27aac4b28f93435dc568c0b41c0d9feebcc3ca7386d1310d7af0ce72b4f3796f8758057ef3486764c877bf

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
128KB

MD5
10226ee4c19025db0557dfdaefd27979

SHA1
e0374f7df496eb4e7811b1828121804e57d6154b

SHA256
558d440eac924534c7091421faeb13e0276fec7e91bede8e998fdc13a985c847

SHA512
bc393cba4b9931fc6434d567589dba8d9cbe6712e558f5a6c69963f3900ac35a1701151c8cc7a9ed6b49fe0e6362139d2186e21c8b8dedf41180fe4bde076551

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
128KB

MD5
d75ed2486faf901e1680e5a238a0d515

SHA1
ffddf68496c567d93a84cc191b8d0d28a25bc19d

SHA256
b930122fd40c92b50c017746b5f88aa8552c1824b7d5d59a01b25616336348d7

SHA512
08169ea5cb53a0abe32f3d912b632b4c0f1b99d3bd5f24f6997e90ee4d583c5dabc7c69d3b06a232416f3a40c2616b5ccaf31bec79086b05f0902a257712a407

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
128KB

MD5
efe847a04ec2908b8d80ecb8078742fc

SHA1
e289d09fc289c4075368c6849c01293a663ffcf8

SHA256
6c5f91c1fa1a84fc66aa2ad8750c62948924367389eadbf1771f7f4803fc3dfc

SHA512
0dfd9096c20132b3358ee2d9e9ad19a89a0457f6a045a5fd1351a8d867c4b2f66c3fbf8d2f87771847030ab48f3f3f0541944cbf70e0602f2a43fafcfdb0eace

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
128KB

MD5
e8c1edd10db8664c401cecd604010acc

SHA1
cc48e2be9520c8006cb96d2e395d037129bae35e

SHA256
4d279e0662184337d4c18ac9e0803f757aee43cd207bcb90ff2ea53d29be76df

SHA512
a5ba45dfd0c8acba5ddca5c3cbd9ea1ff34bd6a482b9c52a679859a24da2e8d19ab879d738fbdb978c4cad9b3c43d7dcfe26c8c952048f85a417818b70114b24

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
128KB

MD5
98e07ccdf198d59d9d921262c234835a

SHA1
7153eeb37804920c2e047f702224b6b14211d819

SHA256
99ffc7497e72179cf330e55364310508f11a9e6a0d6d9a637ea632bd6217894b

SHA512
2a02991dfcf8fd4f1852a96ca0c3c5cdd0a2bf097ab8029db14331a8e96893bd3cfa79855e33c3ce6413c779627aff9f2dc07b06d1b258bb1e759108f02fa622

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
128KB

MD5
9841e580fd437d6af97e96c789405fb6

SHA1
e655e85ab0b34195e366f4386fe48e7dce8a1181

SHA256
41c677e824bbf8dc9d2c7d5aa6c9ba51a9069d3fc0f81579a4739711cb925c79

SHA512
184a867389452b2f21dde13ff2c905b4ec0661a500aa2c5a49ab7aafc03d8bcba6a41ff205afa4e87b1dcc43feb9f29c8897cd8433df114f8dd6d271dfedd4d2

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
269ae1c834971d11a379ec4d882fab8a

SHA1
0be9784086bc3be782dba2d95832830a6c98b18a

SHA256
c2c4b9247925bbd1a79ad7317bc27dd4223828efd9c4a0e4b6ef3452b6e56083

SHA512
25a091f05e189d48d9a189efdc0b4e1512e8ae6bd7c8f437b3c1dece036a9a979c4ca488ab109b5b47316c2906ac640a9a720d5f976e861903f8d42ba0599d46

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
e2b3314c7e5928b56654cebfed1f7024

SHA1
72c5eb70626a139de5788e5199ffa01114235c94

SHA256
4cfa8f5db5edc21adcbe7cafb2f96c24aad930f2bbe50617bb617837d26824d1

SHA512
0c4f2d2564e80c2e40b12f7e01cdc37d1861bd6a6415adfddb2a99062ada09ed2844d6b743f24b4402a698357e121589a581725e99b56788be96ddfe71d53a91

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
128KB

MD5
03b9eeac8858a75c9d30503e95758881

SHA1
057f40703c3e5f7afb78892d7844163d1d2158c7

SHA256
a6ea8484efe77222ea3146a546ac4c8816df0393eff3e8ff9ef34e7ee9a59815

SHA512
176a3166bfada959f0f3bff10272ec7d8b4aca0a0acfc85dceab4b9a3e664ae7b4f2278bf417a3bc1156b37b4499dae9032465183379b5a95c8f8d1aace4ae15

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
128KB

MD5
7fd5b8e88f2cdb624dc4ffff9d233d32

SHA1
cb9bb240e91cd480736ca76b73bd950a35215881

SHA256
f17b25696c89da46b80c121acb5937c1895e2b2830c5dea454e01f59ce734888

SHA512
863d541fb589479c8d3512b4bd5e48622a678f241248efe68fa2fb0628706dcca50a2ac8e506b63d6e857ab68d0d532a6746b55eb2db94de44c2b2c6ea54e898

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
128KB

MD5
dacc27e5049e4f20a70bec748ab1c959

SHA1
5517bd2766b0f83032daa73eeb864fb40c76933b

SHA256
383d1cb5cf1181a5d8b3245d4bda360297700a3f64789c17f1e132fa1b56ea59

SHA512
8cf4343d75da698b89bb8eddc8b8b159ea27ae24916b0299877b86f5680df695f66af5ad28f461954712ef7c75c059f6d33917dc6683725aee0d113873da2c08

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
128KB

MD5
de4bf26a8bc2545d248b4e1ca16f759f

SHA1
952831b955a8d70bd85cc6366b5debe47e3b190b

SHA256
903d3d428b8a65d37972a730b37c1fff881e668eab761b8ac48407a0207786cb

SHA512
24868f16efd4049be0a93ca0da84084dc4f4a108ce8f6619727e81fb91fa262cae11abb70496dc5808e813d75e20d85084851008b5650b0488f25f5b1157f48d

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
128KB

MD5
6baf56a34d3dbf0c2cfd1cd3d82e1825

SHA1
885b66079423eb7372e54a90214238c644fdade8

SHA256
914d1513e0c1aa580f3d4009d205c96c4d2c67593799d453c1cb2fa7caa93d3e

SHA512
9f1c5271b9d54fad6b08010cf4bb9e03a85aeb540e1f3fcd36d426c1abcc8cc1f9ea7958f860cbd689de3d9592106e31726b01a256aae5c7e246b0149ee9abc8

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
e63d5120d0e78b9f41e212e13e137ab0

SHA1
5a4f192952383e52369e8f7667f9b5f97caa22d3

SHA256
bb6ef9438b17dc00b77df40d6a693c8e670f4c13ad0766aae91625c8f9b69242

SHA512
95b176212d23b20f66bdee92567d81096bfe701ba6492fca8569c5888a2bc076aaddaa60fe8047b25819c2bdb990d870aaa16c76109bdf25d094cd90f6b991f9

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
128KB

MD5
4dfe961a8eeaf4cf0c60b170a7437f91

SHA1
36dd98e4aa292c029f9ba59358c43e0ff7eb17c8

SHA256
39b365a842c567011967c525b781c60c0f9e60a40656a2d12bc63d819ee66a85

SHA512
fe8379c245cdbe894ae06587c1fd4521120c7b559b82ce56ecccb7bbeca3f80e6c5fa8470c906ea7e12f3d46ae7b7222b36b579ebe167239137875892b9180e8

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
128KB

MD5
05c4e5e924bb95946ff79933d7d457ec

SHA1
f660160d05d1c79e26e38d7277f1594778bd9765

SHA256
606b85c63237488e71e913ee8755397c5ea2b8fb5e26c16ff9dc8392dce4292a

SHA512
cf9dbf789eabbdb642b3b1406f67e1da08b57977f17e4c05e8643590d0425f66fea6d74df569acf0499e0d09226ae63ca8d97a78e80dee674e6918d514e71a03

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
128KB

MD5
3800ddfa0762c50841ee6c077088b1d5

SHA1
4c3dccbeb07b28018b017ae01d4f72498e6af25d

SHA256
e6b78afb2dd0eb7533a7e9cf740a9ab1958fa2bbe80893a0fed4139629447e4e

SHA512
c6bbc0187c580d8731b57921dd90f7ee2c5d4abfe17142f2c95b87e602520a681eb8f1d6cd18349d510b4404170e7f647c7733f344666b6fdf7e64432fc98ebf

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
128KB

MD5
d2e74366880cdfe6335156485c01796d

SHA1
d4ca4e461bdd197a832c4ac37de6ebf5c0b5ef4d

SHA256
4b6d9bb754c0a1a7a98790a8199cfc381fe6ba22f18ce16f653c77736c448f9c

SHA512
184b867a4c57ab77e379c58a9810e4d9e2b966c3acb020c27b50901ab8cfd801d3ecea69effd1fc8c69e90c9cebdc25ccad9d79a52485670d22eaaee2c8c3d86

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
128KB

MD5
197cc279a5e5905ce62508e97ba64599

SHA1
3e62c6e34369516cc4867c6acc5e57bf9d4abc9e

SHA256
6546aede52225f79c3d7920319a2d24a63851d75b3baf41853e9dbdcbdc81a65

SHA512
ca7b48c3b33a5e1807b5b4f97b07dc2a24597e2a6087bbe0d9c2a355490c1db5c9fb3c6a470054d4c84ad7878ba6be5a53bdeb408651744514892bfad724c100

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
128KB

MD5
49dd4b8dd23278e0d8a1ad348ceb0b57

SHA1
89fe35ac656bff3b3a2f10bb208352f9829ba92f

SHA256
7bc044a6e997ac157eea0ccff29cd484216ddbf143d5fb2f18f4d28d32be4101

SHA512
2e5ee2e46ba5437bb9e85ecbcfc1aa223378778b09ed32afa456bffe533e347dbcb1288415ff9eafebea932a9c9d7b3e0127f5025dc50edbd02879a28d57afa5

Download Submit
memory/8-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/352-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/672-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/696-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/736-554-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/840-665-0x0000000000890000-0x000000000094F000-memory.dmp

Filesize
764KB

Download
memory/840-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/848-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1168-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1408-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3200-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3200-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3268-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3328-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3744-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5128-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5180-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5228-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5264-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads