43b6e251af0c05784f6cde51eb4a41178ae97150fdfd96eae14c43f07b6e8c6d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5849bab96d420263becef8372ab8a900N.exe
Size

63KB
MD5

5849bab96d420263becef8372ab8a900
SHA1

c332616a33dba619fc708d69b4305637a109ea85
SHA256

43b6e251af0c05784f6cde51eb4a41178ae97150fdfd96eae14c43f07b6e8c6d
SHA512

98f2704661bb4d36307e05149197e2e327611ba074bf9be048fdca3bd385ed82d6eba1163c945fbe18efe6dc76f510637525155be49a6345f50545dfec087b98
SSDEEP

768:PdC9RSSkjR3wS8mMqN+CgakjdJSH81LcXAffreXdQEiN4yeH/1H59CXdnhg20a0V:Pki3wS7N+CgaEzSgzxEwet/oH1juIZo

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe

Executes dropped EXE 64 IoCs

pid	Process
3388	Mpjlklok.exe
2952	Mgddhf32.exe
4956	Mmnldp32.exe
4808	Mdhdajea.exe
4624	Mgfqmfde.exe
4184	Mmpijp32.exe
452	Mpoefk32.exe
1448	Mgimcebb.exe
2136	Migjoaaf.exe
3152	Mdmnlj32.exe
3160	Mlhbal32.exe
3320	Ndokbi32.exe
1784	Ngmgne32.exe
3748	Nngokoej.exe
4012	Npfkgjdn.exe
2912	Ncdgcf32.exe
3628	Njnpppkn.exe
3940	Nlmllkja.exe
4328	Ncfdie32.exe
624	Njqmepik.exe
3204	Nloiakho.exe
2956	Ncianepl.exe
2080	Njciko32.exe
856	Npmagine.exe
3540	Nckndeni.exe
1888	Nfjjppmm.exe
548	Odkjng32.exe
1812	Ogifjcdp.exe
3856	Oncofm32.exe
4532	Odmgcgbi.exe
1084	Ocpgod32.exe
924	Ojjolnaq.exe
212	Opdghh32.exe
2752	Ognpebpj.exe
3472	Ojllan32.exe
3236	Olkhmi32.exe
5036	Odapnf32.exe
3728	Ogpmjb32.exe
4148	Ojoign32.exe
4852	Olmeci32.exe
3328	Oddmdf32.exe
1768	Ogbipa32.exe
1920	Ojaelm32.exe
5008	Pnlaml32.exe
2560	Pqknig32.exe
4024	Pcijeb32.exe
2360	Pjcbbmif.exe
3508	Pmannhhj.exe
1836	Pqmjog32.exe
820	Pggbkagp.exe
3544	Pjeoglgc.exe
2500	Pmdkch32.exe
2568	Pdkcde32.exe
2220	Pgioqq32.exe
2840	Pncgmkmj.exe
1636	Pqbdjfln.exe
424	Pdmpje32.exe
3432	Pfolbmje.exe
2128	Pmidog32.exe
4256	Pfaigm32.exe
3672	Qmkadgpo.exe
2072	Qdbiedpa.exe
4472	Qjoankoi.exe
2040	Qqijje32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6140	5476	WerFault.exe	223

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5849bab96d420263becef8372ab8a900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3388	4436	5849bab96d420263becef8372ab8a900N.exe	83
PID 4436 wrote to memory of 3388	4436	5849bab96d420263becef8372ab8a900N.exe	83
PID 4436 wrote to memory of 3388	4436	5849bab96d420263becef8372ab8a900N.exe	83
PID 3388 wrote to memory of 2952	3388	Mpjlklok.exe	84
PID 3388 wrote to memory of 2952	3388	Mpjlklok.exe	84
PID 3388 wrote to memory of 2952	3388	Mpjlklok.exe	84
PID 2952 wrote to memory of 4956	2952	Mgddhf32.exe	85
PID 2952 wrote to memory of 4956	2952	Mgddhf32.exe	85
PID 2952 wrote to memory of 4956	2952	Mgddhf32.exe	85
PID 4956 wrote to memory of 4808	4956	Mmnldp32.exe	86
PID 4956 wrote to memory of 4808	4956	Mmnldp32.exe	86
PID 4956 wrote to memory of 4808	4956	Mmnldp32.exe	86
PID 4808 wrote to memory of 4624	4808	Mdhdajea.exe	87
PID 4808 wrote to memory of 4624	4808	Mdhdajea.exe	87
PID 4808 wrote to memory of 4624	4808	Mdhdajea.exe	87
PID 4624 wrote to memory of 4184	4624	Mgfqmfde.exe	88
PID 4624 wrote to memory of 4184	4624	Mgfqmfde.exe	88
PID 4624 wrote to memory of 4184	4624	Mgfqmfde.exe	88
PID 4184 wrote to memory of 452	4184	Mmpijp32.exe	89
PID 4184 wrote to memory of 452	4184	Mmpijp32.exe	89
PID 4184 wrote to memory of 452	4184	Mmpijp32.exe	89
PID 452 wrote to memory of 1448	452	Mpoefk32.exe	91
PID 452 wrote to memory of 1448	452	Mpoefk32.exe	91
PID 452 wrote to memory of 1448	452	Mpoefk32.exe	91
PID 1448 wrote to memory of 2136	1448	Mgimcebb.exe	92
PID 1448 wrote to memory of 2136	1448	Mgimcebb.exe	92
PID 1448 wrote to memory of 2136	1448	Mgimcebb.exe	92
PID 2136 wrote to memory of 3152	2136	Migjoaaf.exe	93
PID 2136 wrote to memory of 3152	2136	Migjoaaf.exe	93
PID 2136 wrote to memory of 3152	2136	Migjoaaf.exe	93
PID 3152 wrote to memory of 3160	3152	Mdmnlj32.exe	95
PID 3152 wrote to memory of 3160	3152	Mdmnlj32.exe	95
PID 3152 wrote to memory of 3160	3152	Mdmnlj32.exe	95
PID 3160 wrote to memory of 3320	3160	Mlhbal32.exe	96
PID 3160 wrote to memory of 3320	3160	Mlhbal32.exe	96
PID 3160 wrote to memory of 3320	3160	Mlhbal32.exe	96
PID 3320 wrote to memory of 1784	3320	Ndokbi32.exe	97
PID 3320 wrote to memory of 1784	3320	Ndokbi32.exe	97
PID 3320 wrote to memory of 1784	3320	Ndokbi32.exe	97
PID 1784 wrote to memory of 3748	1784	Ngmgne32.exe	98
PID 1784 wrote to memory of 3748	1784	Ngmgne32.exe	98
PID 1784 wrote to memory of 3748	1784	Ngmgne32.exe	98
PID 3748 wrote to memory of 4012	3748	Nngokoej.exe	99
PID 3748 wrote to memory of 4012	3748	Nngokoej.exe	99
PID 3748 wrote to memory of 4012	3748	Nngokoej.exe	99
PID 4012 wrote to memory of 2912	4012	Npfkgjdn.exe	100
PID 4012 wrote to memory of 2912	4012	Npfkgjdn.exe	100
PID 4012 wrote to memory of 2912	4012	Npfkgjdn.exe	100
PID 2912 wrote to memory of 3628	2912	Ncdgcf32.exe	101
PID 2912 wrote to memory of 3628	2912	Ncdgcf32.exe	101
PID 2912 wrote to memory of 3628	2912	Ncdgcf32.exe	101
PID 3628 wrote to memory of 3940	3628	Njnpppkn.exe	103
PID 3628 wrote to memory of 3940	3628	Njnpppkn.exe	103
PID 3628 wrote to memory of 3940	3628	Njnpppkn.exe	103
PID 3940 wrote to memory of 4328	3940	Nlmllkja.exe	104
PID 3940 wrote to memory of 4328	3940	Nlmllkja.exe	104
PID 3940 wrote to memory of 4328	3940	Nlmllkja.exe	104
PID 4328 wrote to memory of 624	4328	Ncfdie32.exe	105
PID 4328 wrote to memory of 624	4328	Ncfdie32.exe	105
PID 4328 wrote to memory of 624	4328	Ncfdie32.exe	105
PID 624 wrote to memory of 3204	624	Njqmepik.exe	106
PID 624 wrote to memory of 3204	624	Njqmepik.exe	106
PID 624 wrote to memory of 3204	624	Njqmepik.exe	106
PID 3204 wrote to memory of 2956	3204	Nloiakho.exe	107

C:\Users\Admin\AppData\Local\Temp\5849bab96d420263becef8372ab8a900N.exe
"C:\Users\Admin\AppData\Local\Temp\5849bab96d420263becef8372ab8a900N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\Mpjlklok.exe
  C:\Windows\system32\Mpjlklok.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\Mgddhf32.exe
    C:\Windows\system32\Mgddhf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Mmnldp32.exe
      C:\Windows\system32\Mmnldp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        29⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        33⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        41⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        44⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        46⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        56⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        61⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        65⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        66⤵
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        68⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        69⤵
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        78⤵
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        79⤵
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        81⤵
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3120
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        89⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        92⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        95⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        101⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        105⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        111⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        115⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        124⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        130⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        135⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 428
        136⤵
        Program crash
        
        PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5476 -ip 5476
1⤵
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
63KB

MD5
e8fb89813fc8180f38522829617d9045

SHA1
86925e942a5e6d77621d452b4617cafb4872c95d

SHA256
1d0a58becb68e118337e3c5c4b4a8726d5afbe492e82365f24c70ed52688d436

SHA512
604abcdcdb260b97d32066a3f47b4bc4223693b8be2c51b531caf3cafd0f8e35ebe3f73f30ef26d57f4f640914bb8e98bf4e6c98d7f5eeafc4e05164b90aab82

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
63KB

MD5
d8ce43b5ef700de4ab86d2d797278bd1

SHA1
4603cb98ce99b594bb5a4c7816aa9268e00a916a

SHA256
a6e046f53536a10afdf50b5eba905afb1f54e07266d8fa62418e7acf886b51ee

SHA512
32151306494dfe6384ec78fe71523092f16d6370b11ac5ad278ca54b0c7e9ba866b8b5445b39bc43e84e64b9bb020513ecee920705619b53d5584e014557feaa

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
63KB

MD5
bd53ce9ab17f2f34b04e6bdd8b31e692

SHA1
f98dd7ea0ee229c79e78e29c4aab4504b7117c88

SHA256
d882524568260d1c53e60d173345eb72f27b7ebfa76764c94a250cd7c9d5b6ae

SHA512
1e4cb62d5d4ebca7bcb1e366bf7d10ec98f2a73044d8c3ad07054cf495781a91a6df153d4bf24b52d058c1d2d6dfaae55f947cd19323827fbf52821b3a379e21

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
63KB

MD5
cfca6061624c6de4ecd9ec8f7507cdf7

SHA1
4123a894179d323518502a0f46a8611eb1fc3475

SHA256
e98134deba0b49f49b50be8b0556dddd67e99d240d3109d7638b38e6993d3bea

SHA512
d6c1a293c3e4db90ff62f9274442f84ae2d621e5c527c06810771de87e4f86c6e383e438671d6d5be5cd88a771c8ce6ad1d2725567f73ec3a36a6ae171338669

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
63KB

MD5
a3297d1450fcde3b21b0646d51b9703c

SHA1
2e6d71b4e9ce3ac8e13fae62ea9a39d506e726d0

SHA256
744016a86a603dc8aae8363a982c87473eed358261b984f5d6dad721562fd015

SHA512
dd009cb0e8dc6686577375aeb37992bace620a469efbd663264c9fde0c5d0b3b077c46346e40184d544c41198a566492628865ab0cb1989ca3e02613adedbef4

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
63KB

MD5
8f5ad4ef5c18fd0f03f201207250b1a8

SHA1
200ad66c56acc67765efc2578afb411d3c98667a

SHA256
ff2db2751fbbe30a3cd86c4b05048d3db90ca8731406f527eb5a6c56f6765f9d

SHA512
179212aa87ebd510fc7ffb7cd92c3ad4809979cff163d56aa788dfeb5fb642ff946cead84bd987f6fc79ed42877615356ca34a63256d2b90cfe231d825e2ee01

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
63KB

MD5
800f689b71f607974216b7b1553224d4

SHA1
0c88bb6e1371ed998a650ea01b61af15bc5111be

SHA256
e0f794742874fa45c03539292a34ea1dd93eb4cde34d032d28493cc42bdda174

SHA512
14e812becdc385adf41e90603f030a68dd06d6458c909642fd65d8389a9d405ccacc19ad4ccb5734b5b7e0afd78747603274beb04ae639721f15a5b488030e0b

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
63KB

MD5
7920fad652ab1b8bc3b2fd07957d4124

SHA1
e23ca999010c48b6ba34286791c8a1cc5b2335ab

SHA256
74d5d0caeea46303d8dbe77814159abb1f8adaeb89dda5948f1e31d3a72da18d

SHA512
ebd438015a6430f7de6c66f9d38a27824ad6cf0ce97994975df73faf61ea7513306542f911d5ac26b2507531e4d76e3ba3d8a12ac8172243e9f246b5bdbf94d1

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
63KB

MD5
befe42be94f26a55968afb74f6683a5d

SHA1
7584f1a8d5eff8aa40cd32565dd16bd788300f1c

SHA256
c54715e8dc778851c549d1d84a1f55d572466472f0ba4591ef4c3df1154e57e4

SHA512
abf965a358f7712814d220feee9f3be0e69b88842e7baffb3fd5d993aa66150500505346dc5f28efb7ad0b5b9277f77017bd44e5e1b1f448988e7a94e5351c46

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
63KB

MD5
fdd21d532479756fdd8b3de0281ac8fa

SHA1
798a1a5c3908a229c73b8142ea3a7bac67cb5aba

SHA256
e7e74f5c89916599ff79650281f2a7068aa30c2971d93ad798c5b3e314fd8b4f

SHA512
6ebc7bb854ee1c8b5670de4e62f055b2d4b80059de8ed03da31d53c02ed4433bfb3576eb0e0b8eafb973c7bf2ecfe32996a2bac1f59f11ca92507e4e95fe167c

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
63KB

MD5
6c97a126303276105cc68f78f7ff06bf

SHA1
bb12b20b510e39b6c7cde24d72a903d59aacb0ec

SHA256
1d74fae1c74207e01bdf4c988e96821ed65eb1839da1bf9435998659de117832

SHA512
595b59d96e3fcf5a36d8c4a7c2c2ff7ef0fd602a9a6a5cf38c9599d8a7654adcb196203303d54dcd6055b3e2887f03edab07b31b4b56a880c8570950598ecd35

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
63KB

MD5
8b79db4226fd0b74a2ae4e3952d15a42

SHA1
e2f630d5331a7cb8e9259463083f3162ceae6c10

SHA256
1016e93ad87de6bd0e7dcef6312a6ea561c8c4a21d95e1ae660e44dc6b93d4d1

SHA512
1bec7b9af9e5e9a888abd3e0926f3cd63dd4bb45eca6a488e209d9e68ac33201dc8bb2044a9c3e2eeb0f9ed5c9d5ee8c2baf284db370079c3a5b0d2f67979c44

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
63KB

MD5
bb29cc938cfaf66134f2fc5f18fcf90a

SHA1
bbd1de5353e910b5030da153d74e52ee045a2dac

SHA256
cb01241fc64dce65eeb0ddaf29fd4c9ccc3cf3906c80ba92ac19c92dac43fbbd

SHA512
ba5b5cee2090044665be6bb30fe1e8ea18e1abef7c9acdf9ce0b7da4ce22bf929de86c16ff23c6110e19d02d234191b8fc04e4d55b519576e3b8be0e8f1bf558

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
63KB

MD5
bddfb55915eee7a1e7b63ccd34ad3859

SHA1
c577b467e561965cd540f3c974fc14aa213d87b1

SHA256
58bbb9218b3c06a60b5407b3a1df530ed1a8458cb3bb5c45cd07116ce72ccfa3

SHA512
a68ebc670eb5fc0c1af37f93aaef7824b0a95a1057969d58e9e6398fffa1e6d975e117faca8276d7842d8c7ff2b81d82d81b064c1c2d0dc297db9d288a118dc5

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
63KB

MD5
7d383a756950634cee1fd9f77fc5c289

SHA1
f73d43354883117d56f30f189912644945de22fd

SHA256
32f0557880aacc92cda2f24c98dcfcd1659c60fed032dd94c0e5cb12704dbd71

SHA512
ebffdaad15871296bd24d94a1155e6a360b0ba654022db826ebeab2651dd2254a1f950d28a929f32d1afb1ece03bcd884308cdf70dde3160614a0b8c24e9eb2c

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
63KB

MD5
bfc56edfe351d6a7d0f4f31ab7d8a869

SHA1
075ec5d0ce04d7510237da93e19ee016c46b86cd

SHA256
0c1505178e0f99f90dbba58d41cb86cbcf9b46d7807edd57dd1d5398e63eff5c

SHA512
8eb9959f5eacfd0328aab53295c29eae46ca2c6aae67cfcc28e8171269e962cde156ca2a34cf01e1ff1a5d42d80226c18d8f503b0ce46b0b3e5f72217b60ab47

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
63KB

MD5
59057362ec329db1a8a8ad1b4bf844c3

SHA1
8923c88a40306817342e4682d202d1e6fdeeb73b

SHA256
5d4466419ed8c9690c10ed3d6fe13a12406fdd43f3c7a2fc89186ac21e7e9ea1

SHA512
a7682065780c264258756dd4a6b26b91a52428c7c4478d8b5e9fca58362e824843a9c6bd760fc45f77c553d911eaf40a1dcf5d34676df3cf5b1862080dd61150

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
63KB

MD5
8411ad6ca7502ae4200e7ddd41af0fb4

SHA1
9c25aa59fa74b1acf859796b4998cef03fbc017d

SHA256
e582ee93ad9400c984c54bc310795be5bfb3c0f9fea1776b265de6babeb46e9c

SHA512
c2cfefe3a85ad72acb01116c644c43204f079b8a256e07c59754eeb4b2e2a93d773177b9f8b01452dcade9367dba6e05eb09c572bfbdab42ee5e496941fd75b2

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
63KB

MD5
299fb310f7a830e0afd6def0b620448f

SHA1
2da4c4208ee1fb9141fe0f6704e95b9f86d5d7fd

SHA256
2ac1d5b27f763d3c15dd8ca680d9d62460201498bda3b2908a0e09478bec1096

SHA512
ae7fd3a272631c50ad2ff71078239a184e845703d05004057fc105d32265dc0570235ee2489d1858407734815813d5612fb33548717cc03c2f03b730e842bcd5

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
63KB

MD5
b0541e24db5f1a6011cfc7770900de0a

SHA1
4e9dd7811e2824f88850e7de25e25086c4efff1d

SHA256
9d7b609370b5a0dcd066820d1ce7198e0703e36905f22784bca3c3cb79120e17

SHA512
05e663c82fe1d9f294424baf73e4964b758ac680c6296ddb1f80ef7225c81b7e52d1ca23fb84de5a9aa52169d717d475e6d22f72548fcd953682bd716d94e5ef

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
63KB

MD5
74015ad2cee2c31be0087e51261ece2a

SHA1
2541b240c2deb1304e57483e40cfe2d77acfad34

SHA256
b5241fcff8ddb55765161cdfbeae5417eeb2f1b99d7c637d53affc6e971e9eeb

SHA512
7bba17e5c63db5a769e6fff3a0662c020d68e8e44069affc07a7eda0449cf36aee0c4c2201edec27e79f4c08ef77ebfcca30b4c55865ad2cb09282a19a99978e

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
63KB

MD5
77cde3594981a212010fb6f80371b0c3

SHA1
a6648ae2a434ebdceb20f65b48b8819a86e6aaf4

SHA256
3cefe9997e02a251cfd83ea3ace4eddfcc59bd9fca869105b699a1b95aaf9fcb

SHA512
082dc319ad92e699546081ca271a1d4d5bd7b80fa1a1756d77f79e98856dc6d663bad16bfebe323b68490e4c45faf3097b6772e9437218f5cce5a73f6bc1395a

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
63KB

MD5
817307e0f818c8f1719d226d7f00ea8a

SHA1
7350c8482be082303196c9ccfb77b1522e3df11b

SHA256
226de02ba126260c7df62c06a190758ec1c078460abf57a368cc3ba22d7edec0

SHA512
b72682f27efedc5f478d8dfe7679baba17714199906e8d141f77a0f48e9e4a4876fad3aa9ce847c3a5384dcd6a56b13e62d0f816aa679eea154aeed356cce994

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
63KB

MD5
6c5c72cdfc26306436e5eb5b26c85d94

SHA1
fd7296761e03acadd3e3aaf8fa08c9e0533d1579

SHA256
b5e9f0e7a3a18cfa2c33f4546f6008fec717c6976bd58496542fd46a64a5934d

SHA512
33d7422ba178a5d2e5022351df6e5fc9a11697ff7853bc09f643f4d180949ba9e0e392d2a118c91ef64a469bddbff8fa55f69728335f9ab8898691767773409c

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
63KB

MD5
9a245f71bde956f4f634f6b9e798150c

SHA1
7bb5bd8d9fda96e6b00797dbe4fe4fc6f3e839c1

SHA256
99b8b38132da2395210112a0672402983dacbd91304b17c6a782c0dacc895071

SHA512
58a7e06f905d1f0295a997d1af8b77c9e0c9b9404176165331494eca587d6844576a855091632444e671a30bd2c97582e928fe8e2deca0b94522fa50a3b557b6

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
63KB

MD5
9dd9fb180493a950a4f3a840ae003871

SHA1
8cd9b6a7e072ae213acf9b28ae63fb5153f70b1f

SHA256
467a3a74040690ab8b84b52136a5bb33e75225a24db5ea836b05d52645ba2ca6

SHA512
f9459309c9e550613c4c9f4a9156777feecc4afb35374c7f17f1291723be933c900c0343476236432820aafd8f20e1f0bfd8c1f49513c9ce1649354fa44d84bc

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
63KB

MD5
1c4714b494591925ada9bd11538bf351

SHA1
a04574397080a41c03e74ba3b54e68d22baf930b

SHA256
91a4bac97fd155b1aeaf6f9265efcff023ee92fbfdeeaf29b7a1de4acfec9920

SHA512
e87e21eae1fcf0c01cba4e91ffa9ee7f6ff7a66630cf6a6a0658b561e72ce2237682b88a055a473a1de53e746ce02235d78da4cf7610befac2f2d458f85738d0

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
63KB

MD5
8c6c6f63746e575439105c9d3b458185

SHA1
915f751b261257f8a4d9047d9409cfaf7a1b3289

SHA256
d0eaa5ec9a29d77245c3b8ab03af1a6642142b07da05ace79f68450bd5ce3c77

SHA512
4ede227797c60c118d72ab527f2587cd6651749a0b25f5f4478c329513ed3b78ce85b08fc137e234bd9b5bd758de9750bd41239c0216ac8674cf196e56e95ad7

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
63KB

MD5
0c3d4bf2c03c424d9aa09cd60e2dde51

SHA1
e97acb6d60ca8f341306a55de9c144f5318de308

SHA256
44debd01db57c083a2600ca3d82154f6d542b6227a2d748d39073e76e46df5bb

SHA512
11f4237f10f6edc90d4e1a85c1666dc3c2ed39344ce6cc7c536e476c173d71e696151956fcd039f063680f4aff8359fd04f1750ec79905eeb8badd7a8cc1d30b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
63KB

MD5
bae3eedd933d5891dcd919983283e11e

SHA1
a30d5dbdf7137f7a1a16b86dc062a29cf64eb770

SHA256
fadde11915f608e5319d3c99512f2eb7d44f07673d4624d9e03f2d2878f8d30f

SHA512
5cd3a443f882ceb2fe297b150881cdf88c5ebe444a3f59cbc8c84c1fb411c4991c368c15b5ff815f5d4754400078c4c0b480e27ae240eda221967e76f6ab6aa3

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
63KB

MD5
9ae94d3bb5ae2f398a226a20617aa5d3

SHA1
fef513009e182380dc341f0af89ccee7425eb337

SHA256
1b99c45ffd301d9e6e12210488a3be945f3eda8c7adf788e85d34435e0a35ac9

SHA512
893262f9a717b7540e6261c65d391bf2befeee13d4c4392346983030d588463f7ae59dd9cf89007fa17aa4fab12c347c130a1287e1d4277a2a7cf4d6dbea275c

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
63KB

MD5
9c4d3520965d11679b4ff1529e1f5e3e

SHA1
65cea79faa7b54c3c4f4699440c58ed3c28f83e5

SHA256
28e8d517c36b268b4c406face145d24fb96fc2c821706b0e162ac299bce069c3

SHA512
2e175362f47b3a54de0383c3488dc65c6d766e19af3ffcbd604bbfb698cdbf29017d833610ab05a89210b6c2945b7511004322eeab848df25bb537559008cc96

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
63KB

MD5
fe6010a0a879fef6a4f0d7d071c43b5b

SHA1
de881ea861fc7bcb0ad2a03edf6cbc3c45e2a3e6

SHA256
31145c027a72934dc05e035f886dd0b9f9ec9a1532174f4a70d497c36f32e1ea

SHA512
ff1f61bc24f18fd8e93186a56c2ca988a745ed065f35695475831ae71d76fea29c14f37b07bb28b10783dc1e439eca75cf86e93959876a28613ef26e10e224e2

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
63KB

MD5
ed4ade7961be6dadd7b6f9bbd32a7722

SHA1
225d1be0b1a4bbdad98a6094c3ef5b9e89631715

SHA256
7e842f807f5f54ae2aaadb73d5e87f74c24318dddb851018c96df5f4a11e727a

SHA512
f3d6c584b2b00490eb6ce5203d8e079a573bc4d0e6cadae91a5ee009019613f10a16f1a951809130bc7f69c0114aa1275d6f4f4a42dce9fa1bd284683d6b215d

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
63KB

MD5
1f954876217741f0c9ff53e0457603f1

SHA1
d92f2e61cc2d34beff76183f532beeded3ca922a

SHA256
9409282c1b930ca9e2e44ef598526602533b91be0af684f39326a42c200c010e

SHA512
fc0242d9309a54de590da0842f80ad7edc30fcc1c5b8688e4d3c174f546d27a25f26a267ffa1ad32efbc166b14b2f957a648be4c2d6f43955c07e10532dc69d7

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
63KB

MD5
aec111ac1c052c126ca10462a5685115

SHA1
000a0dc502e2bdfff662621acfe17f90a8831cd7

SHA256
9291ae5b2ed5f39891c118ea6052d9449513b1dd1ca32dfb05ca7c7c3e6d0625

SHA512
5572db04f8efb8af21913fadf84ce646211b78ee206e9e8be15e3cb6b84a0033859fcda7606b75aaacae095e9c3cceb6db2ed25631889c7e9f50faa5fb0d9e1f

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
63KB

MD5
7194e695d88c923367bfb5a66c8b8007

SHA1
5c6cba48edb8557d665b1729c8e8ac3c45dbaf47

SHA256
4be43ce1e1d653d26e750b44e8438a5ccb581618257c43f0a886553085e0570b

SHA512
ae8060b2f4e9dfc6732b551ccc4b0ccf2a1e3599fcf6ba19af8247a987f801b72705eae8a8c5e1d500303b2f03ea4a254901ba3d8a743c5e1f30b257928fd27a

Download Submit
memory/100-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/364-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/424-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/820-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-927-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3328-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-541-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3628-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3672-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3748-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4256-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4436-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4808-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4808-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-1004-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5236-940-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5428-956-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads