b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 16:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe
Size

93KB
MD5

95d586b5940ccf97d5b1ab53db130c60
SHA1

99e633d2cd14842d6ba8208793866c11990c7858
SHA256

b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106
SHA512

b93637c0f80da72a5202a5c2b76560cb70c30ebb179081c366de8be5bdd87b31cf1fc12b1822f4db2b18ede16e64812e2ebe094b8e4f4196b513190224910401
SSDEEP

1536:bKB8UjXYByWrecDPcc+ncG+2K5U/JZQW1DUUUcVErjsRQORkRLJzeLD9N0iQGRN6:bKBNXYr9c1ncG+NU/JZXBWrIeOSJdEN2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe

Executes dropped EXE 64 IoCs

pid	Process
3680	Nlmllkja.exe
3644	Ndcdmikd.exe
2988	Neeqea32.exe
516	Nloiakho.exe
3692	Ndfqbhia.exe
3124	Nfgmjqop.exe
4032	Nnneknob.exe
4592	Nckndeni.exe
4772	Njefqo32.exe
1260	Olcbmj32.exe
4584	Ogifjcdp.exe
4988	Opakbi32.exe
1232	Oneklm32.exe
368	Ocbddc32.exe
2712	Onhhamgg.exe
4836	Ocdqjceo.exe
2592	Onjegled.exe
4428	Ocgmpccl.exe
3032	Pnlaml32.exe
5076	Pcijeb32.exe
2768	Pnonbk32.exe
4692	Pclgkb32.exe
216	Pjeoglgc.exe
4784	Pdkcde32.exe
2484	Pflplnlg.exe
4840	Pqbdjfln.exe
3928	Pgllfp32.exe
3500	Pmidog32.exe
2052	Pgnilpah.exe
5096	Pjmehkqk.exe
3028	Qqfmde32.exe
980	Qgqeappe.exe
1572	Qddfkd32.exe
3216	Qgcbgo32.exe
4928	Anmjcieo.exe
2056	Aqkgpedc.exe
652	Ageolo32.exe
4424	Afhohlbj.exe
4168	Aqncedbp.exe
1652	Agglboim.exe
2844	Aqppkd32.exe
2920	Afmhck32.exe
4460	Andqdh32.exe
3384	Amgapeea.exe
3992	Acqimo32.exe
2556	Ajkaii32.exe
4512	Bfabnjjp.exe
2824	Bmkjkd32.exe
1608	Bganhm32.exe
1336	Bnkgeg32.exe
2100	Baicac32.exe
60	Bgcknmop.exe
1668	Bnmcjg32.exe
4464	Balpgb32.exe
848	Bcjlcn32.exe
1964	Bjddphlq.exe
3388	Bmbplc32.exe
1164	Banllbdn.exe
208	Bclhhnca.exe
3872	Bfkedibe.exe
4356	Bmemac32.exe
1212	Belebq32.exe
1216	Chjaol32.exe
2568	Cfmajipb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ndcdmikd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4036	4172	WerFault.exe	183

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3680	1728	b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe	82
PID 1728 wrote to memory of 3680	1728	b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe	82
PID 1728 wrote to memory of 3680	1728	b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe	82
PID 3680 wrote to memory of 3644	3680	Nlmllkja.exe	83
PID 3680 wrote to memory of 3644	3680	Nlmllkja.exe	83
PID 3680 wrote to memory of 3644	3680	Nlmllkja.exe	83
PID 3644 wrote to memory of 2988	3644	Ndcdmikd.exe	84
PID 3644 wrote to memory of 2988	3644	Ndcdmikd.exe	84
PID 3644 wrote to memory of 2988	3644	Ndcdmikd.exe	84
PID 2988 wrote to memory of 516	2988	Neeqea32.exe	85
PID 2988 wrote to memory of 516	2988	Neeqea32.exe	85
PID 2988 wrote to memory of 516	2988	Neeqea32.exe	85
PID 516 wrote to memory of 3692	516	Nloiakho.exe	86
PID 516 wrote to memory of 3692	516	Nloiakho.exe	86
PID 516 wrote to memory of 3692	516	Nloiakho.exe	86
PID 3692 wrote to memory of 3124	3692	Ndfqbhia.exe	87
PID 3692 wrote to memory of 3124	3692	Ndfqbhia.exe	87
PID 3692 wrote to memory of 3124	3692	Ndfqbhia.exe	87
PID 3124 wrote to memory of 4032	3124	Nfgmjqop.exe	88
PID 3124 wrote to memory of 4032	3124	Nfgmjqop.exe	88
PID 3124 wrote to memory of 4032	3124	Nfgmjqop.exe	88
PID 4032 wrote to memory of 4592	4032	Nnneknob.exe	89
PID 4032 wrote to memory of 4592	4032	Nnneknob.exe	89
PID 4032 wrote to memory of 4592	4032	Nnneknob.exe	89
PID 4592 wrote to memory of 4772	4592	Nckndeni.exe	90
PID 4592 wrote to memory of 4772	4592	Nckndeni.exe	90
PID 4592 wrote to memory of 4772	4592	Nckndeni.exe	90
PID 4772 wrote to memory of 1260	4772	Njefqo32.exe	91
PID 4772 wrote to memory of 1260	4772	Njefqo32.exe	91
PID 4772 wrote to memory of 1260	4772	Njefqo32.exe	91
PID 1260 wrote to memory of 4584	1260	Olcbmj32.exe	92
PID 1260 wrote to memory of 4584	1260	Olcbmj32.exe	92
PID 1260 wrote to memory of 4584	1260	Olcbmj32.exe	92
PID 4584 wrote to memory of 4988	4584	Ogifjcdp.exe	93
PID 4584 wrote to memory of 4988	4584	Ogifjcdp.exe	93
PID 4584 wrote to memory of 4988	4584	Ogifjcdp.exe	93
PID 4988 wrote to memory of 1232	4988	Opakbi32.exe	94
PID 4988 wrote to memory of 1232	4988	Opakbi32.exe	94
PID 4988 wrote to memory of 1232	4988	Opakbi32.exe	94
PID 1232 wrote to memory of 368	1232	Oneklm32.exe	95
PID 1232 wrote to memory of 368	1232	Oneklm32.exe	95
PID 1232 wrote to memory of 368	1232	Oneklm32.exe	95
PID 368 wrote to memory of 2712	368	Ocbddc32.exe	96
PID 368 wrote to memory of 2712	368	Ocbddc32.exe	96
PID 368 wrote to memory of 2712	368	Ocbddc32.exe	96
PID 2712 wrote to memory of 4836	2712	Onhhamgg.exe	97
PID 2712 wrote to memory of 4836	2712	Onhhamgg.exe	97
PID 2712 wrote to memory of 4836	2712	Onhhamgg.exe	97
PID 4836 wrote to memory of 2592	4836	Ocdqjceo.exe	98
PID 4836 wrote to memory of 2592	4836	Ocdqjceo.exe	98
PID 4836 wrote to memory of 2592	4836	Ocdqjceo.exe	98
PID 2592 wrote to memory of 4428	2592	Onjegled.exe	99
PID 2592 wrote to memory of 4428	2592	Onjegled.exe	99
PID 2592 wrote to memory of 4428	2592	Onjegled.exe	99
PID 4428 wrote to memory of 3032	4428	Ocgmpccl.exe	100
PID 4428 wrote to memory of 3032	4428	Ocgmpccl.exe	100
PID 4428 wrote to memory of 3032	4428	Ocgmpccl.exe	100
PID 3032 wrote to memory of 5076	3032	Pnlaml32.exe	101
PID 3032 wrote to memory of 5076	3032	Pnlaml32.exe	101
PID 3032 wrote to memory of 5076	3032	Pnlaml32.exe	101
PID 5076 wrote to memory of 2768	5076	Pcijeb32.exe	102
PID 5076 wrote to memory of 2768	5076	Pcijeb32.exe	102
PID 5076 wrote to memory of 2768	5076	Pcijeb32.exe	102
PID 2768 wrote to memory of 4692	2768	Pnonbk32.exe	103

C:\Users\Admin\AppData\Local\Temp\b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe
"C:\Users\Admin\AppData\Local\Temp\b2aa75cdca7d21d96301ce2b76d674af7d484ffdb166b2f3d7ee42088ca22106N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\Nlmllkja.exe
  C:\Windows\system32\Nlmllkja.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\Ndcdmikd.exe
    C:\Windows\system32\Ndcdmikd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\Neeqea32.exe
      C:\Windows\system32\Neeqea32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        31⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1240
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        83⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        91⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 216
        104⤵
        Program crash
        
        PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4172 -ip 4172
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
93KB

MD5
c45ee66f7eacf46e6c4d96240d3d60ca

SHA1
bb70a43021cb06d5d9d3bb31079981d5e4d243bd

SHA256
02a91682b63549c5d36674096a2b7a47017b1f3923f1d2d711f6838914aec592

SHA512
4464619048247925dac14f9ae5b9caf7cdf5521cfea22a5eff528129b2ac0809d1af9ef26c8563315c6465d2ea4f97222f76aada141298249305c6a1d8da1d9b

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
daccf4e4a913278715675e7b84a10155

SHA1
79378d56bd2d444b42bae5cdab183f1f94c33a89

SHA256
4c32c4b2ffe8b9d6207fc57ddd87c3c81f0f79cf63abdef77e07ed27c33de543

SHA512
e2adffc8114bfe1c5b527ba9ccdecf1ffa130820ab8e1a5d51d457aa2a3e9b2f895796f87f4d4db33593e3bc64da519ba78b34fd9427aacc1e8a1a4ec4f9f4a0

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
93KB

MD5
03bc8d1b3607abeb032771729a686024

SHA1
4d0e5890c4c59c4a2619d2713a4c6955ebedb1c9

SHA256
ebb49a353e839bb57c6e0992ede79cc60f9ad5f5f9a6a5d4e256f68e2875c292

SHA512
a9a8d55bb236d2fa49862a40eb7a73972ff3ce62c54b3f52fa63c1feef1659cb86213e14ecb3f3eefabed357ebd45ff1585929f303153a011d622016d6e9103c

Download Submit
C:\Windows\SysWOW64\Bhbopgfn.dll

Filesize
7KB

MD5
3081580a27535ad32c23a52772a17ec2

SHA1
6a4234efb715496b5eef84640bad53d652b54971

SHA256
6c830fa99a002a232c53287690f6276c05d5d256af13271693e6409718d80ae7

SHA512
9a6afd4f71bcc3ddaa82ec315bf1c226d0977f17dfce0d09b449da260d76c018d207cb5643241d05e62f850dcaf19024e19e566cc13ff0590e96de5b99deeb97

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
93KB

MD5
70f9554a3be707ca2f158e7f8a0534fe

SHA1
9a540535b387b7d567d318f20c11c486387b94a6

SHA256
3bb13c28803c3bcb30b16f0e907027d2cae036c9ee9a785b617e88abe9b955de

SHA512
cb1762b1bbb050a0cbff86b0efa8fc0d77844d6771f85169cf52421ca5d37894f5c4a84e3c5b8d125c3f7606d186a665566ee47a00c60fc881929eb0968aeca7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
85be91dca88b35f56f46f54ea9757cdb

SHA1
3dcc8cc5d1dac2e039c4297f306e081169f8451e

SHA256
005a9207ebb5e5f5bdcbf8614c3c8d40507b28aec8abaece976e4b202d674080

SHA512
6c02d281c1dd435983a8d8a32182d1bbe5ffbb0f35ef63530f62c8e38695a029b6fcc7d4c968e6dc0ee6ec20a36daf98499251d9eadf6d10155a2c105accf143

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
0921f6ccdd843b6154fe3e12af00917d

SHA1
8c2955c7c8cff5a41c0da1115109d1d8c1f1f2dc

SHA256
cfbf565fd85126201015914f182948bde596c57e174968bb763ef2473bafa9b8

SHA512
529fd8ac2bfa5a8c83a8c30e97d3a44dac61ca2f5ce9a52587efaaccb6ad605d752c733ee76511a6a38cc29318438a40d5c35ecb101abd6380cc279757061613

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
41e3b35d12c0447d06e4d0376223dc1b

SHA1
58970c34987fde4fc26f7038978ce3f69ed71d6c

SHA256
0b48049b7003ec54b0fe96e8fd7d8c8d50156e0e668355dcdf8ce5590f43f2c8

SHA512
9d390ed22d58cecda1952a2e1d37123c9c7668dd907b17df86fb4bf821e41c2e4189b37ac6f5b9ca6f4502506147585da6d767b6a829bdae7ef6603b79bdb494

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
9c7d2e8ea44a35f927a54eaac29cc3bc

SHA1
dec5817deeff49ac9e6078ffd7e5c4d31b5efa6d

SHA256
83e4bc8c422b42bb7589e551b38df9a51fb12c728462c92ac6bdd95d8d42f025

SHA512
2e0bc29ddf14badff97bc1f88e1671c673448f4488f46f59280a3c0fd073abd39b13e4c8fa029f6aee0252f61eb2c554069387c39da6729f697817e9e6f63cd0

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
93KB

MD5
d3c2c6253aded1111fc4d6aa4aa6ed8d

SHA1
75e34f29a61d0a319fcafc761f2ee3b47507a7b5

SHA256
39b222b70bad486096a06d7a629dfb145f361bc17d635d858f4690418bc5bce1

SHA512
c3e6d9448daeea4784590eb2e706d7918f93ffb16db02433dee486792dd235a3c17b950e34dad6158cf557262b1d6b316a8e6b6cae5216b38f4981da2c1301a7

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
24900539b34741fdfe9b4d03dac0139a

SHA1
dbc23cfb3f36ec7bafc20b8f294ee21aeae57e16

SHA256
bafd71e382200465f24bd34cc1baa83b723d9dd92edc44a75c20cbd33cebe69a

SHA512
2e09ed0befe6ca8188cc5246da78fbe89c8d0a276ebc8d6b8b235be40789317974a5e9dfed97e74cfce1245a7b7d73e26534e68b2d791c248a9afc20b36f4458

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
85809aa3d99f02294cd362e69804086a

SHA1
a1a33b187995769ec90336a7bfcfac3fee57e796

SHA256
1d9c73f2415831a4e6fd1d409b3bfe2de629c7397c2eb6f88486b6cf53f13b69

SHA512
0577fd88f17a2327d408745c35008cdb753df9a8d5dcb1480f54878c7c09f587bd183630a0aeda892684f41604e66b27b0702b57f1901b93e18d54a4654daef8

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
c89756e7402c31bf18c46d8d462a3142

SHA1
0a907fa0096e11ff42bbbc4c7bd8f774f083f32d

SHA256
9f2aae9fd1ff2c27c084f940ba497de99992aeff0e55e706ca417d9a843cfebd

SHA512
04ea3e5c137471a9d73840eb80beef7d45ea8ee3950dff51a0430d2d8b5620f295ec84f6555823750db67298940d1d26537a6977aad0a8b8aeeb85de5598d8ce

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
93KB

MD5
944c23c983edfd813b71ecc6b413b4d7

SHA1
19f9b039c33e69fc22aff59feab2668883ad915b

SHA256
7a91668f5184c096ef3473c373afd391cd1e7c364a2a8be82c20aadb041e71c3

SHA512
8d3202ca75703b6fb1bdc222b682805b1ea6eb149a48bb1ce3cab5855a358ef9304c5e0a56428a4ff00e8e05dbefd5ec3b9500d782f2d1e70447963c935ab3c4

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
93KB

MD5
1d56347eddd05fb89d12f947a7a18b17

SHA1
8b0b3ea5252fb495126235b75da03f4bc2fbff3e

SHA256
c7c58272b47dc7e7d6734e43b39fa6d31fd98e6f7f759e1a13bbb0b7f4bc751c

SHA512
8862f6a9e4a2c13cf03053247816045aeff886a1d2b866ada9366fd1869ab7ec107e35652ca679174e96f2921a52cca5729aca143974ca12088b01a351a0d323

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
6fcc72b2c1205cb550f844312a4ba07c

SHA1
f8360c09af4d7116e47990334981aec1c524fe48

SHA256
0c8a8f662e4cd4fb8cbbc570cd9137074f2fa1937269247841961cfedb07965a

SHA512
156273daf986ed4b74ee8c11660a4c6da1ce81c00ad8ea263776849889e15c49bf3dd6bda6e5be1b62a2f96f884a0b9547aa5d4657d254a6704d84c5461ba951

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
6595ad101e8ba6f0867eb52cc5dcfdb9

SHA1
b17326524cdebd8d50adb9984ade3631ae786254

SHA256
0fdb08641024771fa263bcaaa01d8913309ee81353a12809581555bda414f7b9

SHA512
1fa066d57932dc039d2dc4eaca5d670a4e5dec7bc87e98ca7364096bdb9eadb78bef7ecb62ca7890899eef41d6ba859748b64683c8c99fbc6760ba8de83ca01e

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
21615d51cfeed24881d6b1899c8ec080

SHA1
a2ef58239f331882e958c940fc2cc9cfa46ec053

SHA256
ad325a9927aba8105a777ce3ecf5cc281cd2697c576cab91e98e3aa201f39e43

SHA512
b03117f3245745afe02040f8d3c032fb9f5f0a93efcc375d8bdac9c2fa3058a8a6d3abf8403deb9debdfb69b1530607a3c03d2d71d85d5bdc347dbb7979714d7

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
fb13c0b405de2e2408875ddd3f226661

SHA1
3a55ef879bebef634e402644d9d5e5f1ee61d1b1

SHA256
359818677d297659ff29450f9be346c4579ed18d274092e00606ef62e37b99b5

SHA512
f346fb48696ee94d3ef65570f3fd2eca836afc49365dde9ff5b263c19b3b1b6e70555fa0d1bfb991777748827ad07498c45fa7a7b775a130228ef3305f14b943

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
c851f8cb2f53ef03fc1ee4935993f136

SHA1
fecd5970ae20d3531cc2669949e12223eff68a66

SHA256
5f4567b4c50ba4cf63df734066dc581eb078545bcbf8bb6b4f8f37c08ffde139

SHA512
df6ee7fdb95ad0de93738d82f3bd9e42f5661dc26ae461c7b483131aab09bb1a383a6f84bf72ebcb3364050137a2b1fdb44cdb0e64fbc43cc527a5a1c5804bfc

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
93KB

MD5
6a90d43207e6593a213f3f48690f48cf

SHA1
370456a8aed4752bbcd924835ae432a699f46fd2

SHA256
f500c881341dab040f50f8e0438ce51239b333ed478669ddfac8fcc6470fc976

SHA512
8db9785e5a636920dfb688a82865eb2a7382c8550e8f8ea597e725bb7a19de750f66b6d8ef0b3c14ce6ec490a37905e669035ffc67667f76efd372dcb00e3988

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
93KB

MD5
a26cbdc0638e518d0236fac00823e319

SHA1
dcfcbd1f18411adcd88abdd895516b8b8e067053

SHA256
8368a4e11c45c2a5ca2f0056612d7cf394a7f3542e2b5e88526d7d88b2bdbf7f

SHA512
9dbe067aa0a8faa300654d8bee4b874e6bac2da2777da81244ae81fd69b83d0d011a15adb59b80a083c06566b915070d5fef2e74dd28e13c583cfef6ab39bffe

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
93KB

MD5
b6be3d94c8795a58fef5a0f68b799ddb

SHA1
6ed638cf8a54585326b52668f2c2c6578b24029e

SHA256
425a2a58ee1ad1c88b0dad301685de7539460e2092dd5aece0a1b98c7a2be589

SHA512
58a946b25cb63efc2e3309e628737d89d6a3058737cd51d35ab1d8c00a59c7aedc3a4589bf757af3ebb1699412b13d4d1ac301feab755353b38490263fecf8b3

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
93KB

MD5
6a26d8a2623a7336540a1b92cd04b704

SHA1
aef052158cfe05be45b9ef331badb746b10f0f6c

SHA256
8a54aa1a0f9f6bce1d3890e0240644b56efda7ee1dff4e957494bb7559e8f0a5

SHA512
c2214379ff7e36ca5054e5866cac75f8ffa5df9cc4196d9ff379d7c7f426a29f2f59e4f3332182fd1095d395a3d3a678988a85389235911a1b23807ae0a518f9

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
64KB

MD5
fb0d6a01fbba4086a27899bb263c6861

SHA1
e09882335bc031e01a45ab8a2092d838f48ba55c

SHA256
c78a9bfe199113fd39f9c727f7c84fe5b350145edecc21b190814983cdaed4a1

SHA512
bbd74a13413492322a14285af6d364f0e987e2ad9338fb9cde8b6561fdb9255894a178dbf6e96b34bcf40cf93bb7eb76e183218067333f1cb5868ffe9dfd573a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
0e17d1236f884bb18267a99a2f9865fe

SHA1
7d53c6521dbc76f38faad819873e3a22555a8837

SHA256
fde93a5b3605f4228214315a8811621b0f5daf2a2dff55b79432f4d783309e7a

SHA512
009741845604eb9cffb5d57f4cf4ad13fc197d15039db6a110e1ea854761dbbfeec3d1ab1751f8e436e3be7b32eb6455104f1d392007f3daecc367c368b071d3

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
93KB

MD5
25e464de6eca658194137efbad0cb30c

SHA1
45e7bc04031d91da8fa5aa77e6883241258418bc

SHA256
0a21864db7b4775c9d36bf0192a2c966a3e521cb87651840a5eb12ba78995ae4

SHA512
36922abd45b8497b30dd5bc55768852b19ec0cc0354708e57c371baad677b32434a9594087950681c8a7089e7e78ae82514b9e564113df7852ab97fbe8638adc

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
93KB

MD5
fd3ddfdacddf9148c2628c5b7e88c30f

SHA1
386049236187082b918eb7a736dc7b34e998de99

SHA256
34008f155a287dbee0beb74e0eb9ab864215ea31aafa2a4af7a2611b93794bcd

SHA512
4322147fac7536645833785dcfa32c038dfcaff9d36700fa8cb6459659c6ba8a9d3562a0acaa85e6f439b48a41867959d431da25fb9b82750128dedfa44323a5

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
93KB

MD5
da1cbef399d9730ca9f04c44e50c3407

SHA1
cd96627ca9489b01299a1b280662c916a9423e7d

SHA256
fbdd02db29f97cea7ab333dceeae21b020620ce8adcf8ba5557fc5f1f0adc7aa

SHA512
65dbe32d96a8c8968db703876b8f94dfece4826eda0f7c73884d16ab2843f845895dcfd6e6151d8ca4a5c1776303c81ed148befdd7562ad0b92169182e223ec5

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
93KB

MD5
3357f858524449e7670acb385e955e38

SHA1
645cf8c62668134fe558c8d5938fbbd92122f07f

SHA256
a60df0042f81a191667bc43dca96b1e7912eaa13ed07697b71616424dc86c94f

SHA512
1b3e331ff193e1d67049415456a791889bacc1489b10e4f128e8d73db1abfe41c2fd068fafef85b04e467f0588ac45764ad57c16b2c50138cad974f7012056ef

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
93KB

MD5
fb26753986595b3329f1944de9ac1cc0

SHA1
2873d9299346d4fa7f8df70e120e66c0c45a33ef

SHA256
62ae2ca5027ccac873d7e0278f5e082464a8c06d54597e5aae0057d5e7aafaff

SHA512
7659c89613585859f3ddaf47609833570f8dc70a05f2b53381afa89a73210c9c3bbad4dc23535ec23bc14c72a65be4f8b363276a25bb6e9a2e6240b5b5a11bdc

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
93KB

MD5
3ddc7efd90c964cad3db11c88b98c3cf

SHA1
c1fc0b42f84b6c0bb8d78bc8c3f5e41e11ca2206

SHA256
f2896b3b76c20415884975761583cdbc5192bd687f7189a15e824afe9edd3055

SHA512
d3f09fb370d91b804f67a109fb9360466375ab56ef46c92b4b0868abe2d5628e83d5312ad55dcc939a58dcae9d23c4a2e143bffa3eaebe6075ea769353a00814

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
93KB

MD5
3981c982c4f77510b0f455e30b6af1d3

SHA1
38da33fdfddeffb920756762a495b1703d754e62

SHA256
77af702c3a3effeefb21fe1995ae047dd55fdc1442355108a2cb031bbf6abbaf

SHA512
07b08a90f0bb9a7d497c8cc5f5745d467f76a0f6969707f0a9812e32cf01666b8dea8ff0b8c2864d25c85eccd5606d0d9e0689a5baf54e23467a19bf2d9d133e

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
93KB

MD5
69ede98301b343d73aab150d3b0efb56

SHA1
a162a6108727de6011b91b00aed631968ecd2fe0

SHA256
8424d8a1e9c5766e4ff8517cefaf5f49983403c2b598dff25f76be25a11bef5d

SHA512
a0189ced744dbfb164a14479b712bd550f6e5c3fe0fe86f1154e44fda62fac60f79d4b5266028705f02356cd358faaa528d94db434f422b1e2d47d20da8c2e7d

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
93KB

MD5
96b1da531c0a34da964748eb89aeddd9

SHA1
4bfcd200416f54ecda100af309bd92f3d573ab4d

SHA256
bc2d6a6a3e340774e14e3f87a5bdaf3971b89810f5fb11fb84bf4a897e7312fd

SHA512
879a4be0c01c02ccbd47fa477846af11ff9fc7594e3659e1d1ca76d8cec6d80ce864c372193c007f53c59ed03f163f7f90503ef24cc9dcf168c2779adb30e4af

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
93KB

MD5
793440c0b0749c7e21c2493f8e18eec2

SHA1
2cb67662827dcfe11ffedfed9ee08218275fef0d

SHA256
04849f4a145bbc65d410c58506102d69b4a9d6053e5e7c6aa889b6f2c7c1208f

SHA512
3b649872e245566bd79be250c36d70706ff8ba3cd21ae24d30730597dc5f2da891890e96f8161479e74a7567497095b0f1311ba2f68081eb40af802bf80de5a4

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
93KB

MD5
f1519049ab538f895de736308d50e946

SHA1
ffdd296e0c41eb699e3b93620eb8e28c9d544924

SHA256
609cd5004bd5e2bc0227745956301d0fe1bc3656304598200ba69f869fbc1211

SHA512
b39eb23941a0bf7ac20d8aef42bbb0b5ffd124d0ff82b7e86ac53b9af69d669a6a9e7b11845f55478f59d651fa6552f5c60ba4319385285c0cd0963398d36f4c

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
93KB

MD5
f36e932ea3b2a241035195f88d511a37

SHA1
59511ebbd0c84f7ebcfb284f41449c2ba37c4a7a

SHA256
9fe3a70bc48f02df47fe29df3b8f108d7f20a7e3c04605e5701b19e43abf36b9

SHA512
5152a5e172ac8fae88fa1c1923a8c009f05dc093c6fccc8a8c0a0891fb8296b93d1162a7756f38ef9bef1187a95b217128c79de256fcca0516e99540874cd60c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
33ca45a9c240da47edb1eb526b8b6079

SHA1
f52d2ae530d942d51551c223177bd8bd8fbe8f75

SHA256
57167b994b25930f03aa69044ff2f74bf899535d1f49a581cd3ebeecc5c242d2

SHA512
7d5bc9551d866f02f54273e837b4268ba4840260e13cf598a2717b40483affce51cba01a3ca7eb0f78dbbcc43eefe67dac291cb021b6be3f56bd6d8a883a3a63

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
93KB

MD5
afbfc9dccc8732b2198581895ef1c2bf

SHA1
8ea76f3e130f7bbc031ee07580553600560403de

SHA256
73e6cccd3206b77a50957c213b6363240e201bd210b6138fe6537a7ca91b34b6

SHA512
ba83d77b543400789fd2a0ac447a6d2853967f6d866164ac1be3559d5d3d7797c33bbceafb1a7423e5d62ebed10b95cc41df4b3cd423e2b8ff1bd7a204fe2bd9

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
93KB

MD5
767df3f3c56b454c5f52d4c879d97914

SHA1
c984f9f5f1a3e02c47713a23bd65d97628bd47bb

SHA256
f5315b6c796ab8fef17292a6a833d2c426ab214979d7213d50d44813380249e2

SHA512
ca498deab3f0ae0291bf3051aa7e84e0e15f9fd2c7dcec9e7263c160047e7b595fbd1faa35f1c6aad6ee03eb13ad4349ba08d58a4e184c4dc508db6e678faf25

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
93KB

MD5
32766b08927af3776e273dee6ee9541c

SHA1
7cdf7b4a655b87ff9d47b5e901d629a5ec7da69d

SHA256
23ffe11a5721ea3fff8411bdd1ef9524ae1d327644931addce201acea4a55212

SHA512
fdf0c5dc9c559cb66b726e435dcf9bc62fc091ad930f21456e6f51d3a7ac6394430c4e8abb3fb7980b4c910f16ca3deef58d4f7c0cf9c6faec1d564125771d4e

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
93KB

MD5
c150842d36e063d9851ef9e98da1263a

SHA1
db40dab5016813edd1b8fa639cc9421159d4ea60

SHA256
da6a845edd6fd115be7c32bafc1cb569484171bd5a42b8aa4d7da8bcda9886bb

SHA512
6e8a09704aa38917545ce39fa177da055089fa889cc6618ed0aee65e797ccd4b744fa8c672987c681e443fd70dbb29c5d979b56ee97b0cf5d72b382f31820c0d

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
93KB

MD5
dde8e66cbf3575cff9ae8d4c18929558

SHA1
7ca9697a4a0dd61a5d312013b79d8954945b5e74

SHA256
82b0e334a69feccf73bdc21a9fc493b0ef5f604b7135a37d88915f0060eb0737

SHA512
d6d4afbb8790bb418da0c194515a2a6e618544c2d06d44ca926f2e1d233dfd5b44946afdd32b022429043a5cd0c0214bbf4e9b4466844be526c6f4086f1f4d3d

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
93KB

MD5
1afe9ca5071a05fa1310dc076c6f46f8

SHA1
f4e55a237bac3f8a81fa8f9557e3bb61d1853480

SHA256
9df47fcdce0f507c91857f44d335fc678e3511e3a86df1dd0c55965911eae0b8

SHA512
f8b916e036adbc6913274177747f6c7c74d129a7f5c0e3a163e1e4f68566843d5dc9424335032d61f0a4b3c9b0d6f08b41447f3db0e8eef0ee1db8c5f361992f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
93KB

MD5
a2263c7c6aa2d6fdeaf79c5c262c6f7e

SHA1
7628c2546130e39747d7bcf60385db9fe6bea929

SHA256
1df3dcea3b9305770a032983fdfe9c2b0ba06836d957ca978968e1afd1c48e2c

SHA512
46b859ab68d8fb983aab5cf9353ca7bb9499fef1148b411c608b9f9b8df2061a4f1f79ca0a574d6c7b853e0ec9950c564825e678e4d292f42e607341f878812a

Download Submit
memory/60-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/368-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/368-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/652-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/652-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/980-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/980-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads