5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe
Size

125KB
MD5

dae61e31fa88aa03edd3bb8e7d2ef2c0
SHA1

bf136679cc9ae921f6e9a8912419f71b04ae8fd2
SHA256

5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237
SHA512

373320a6188e77f20fb78162d0b83f03434bfbb7786053a8ee334bde1235c220a67d8bd7338fe435344dfb652275132269374231e3d7964d8a8cd54649176113
SSDEEP

3072:PaDj/yJs7ph0RwU7O8c51WdTCn93OGey/ZhJakrPF:MuJ46Rw2RcCTCndOGeKTaG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe

Executes dropped EXE 64 IoCs

pid	Process
3216	Ampkof32.exe
4348	Acjclpcf.exe
4204	Anogiicl.exe
3172	Aqncedbp.exe
956	Aclpap32.exe
932	Afjlnk32.exe
2152	Anadoi32.exe
3684	Acnlgp32.exe
1452	Afmhck32.exe
1224	Andqdh32.exe
3744	Aeniabfd.exe
436	Aglemn32.exe
1840	Ajkaii32.exe
2368	Aminee32.exe
3764	Aepefb32.exe
4056	Agoabn32.exe
3592	Bjmnoi32.exe
3348	Bmkjkd32.exe
4708	Bebblb32.exe
4040	Bganhm32.exe
2960	Bnkgeg32.exe
4668	Bgcknmop.exe
4392	Bjagjhnc.exe
3788	Bmpcfdmg.exe
696	Bcjlcn32.exe
4176	Bfhhoi32.exe
2932	Bmbplc32.exe
1968	Beihma32.exe
5008	Bhhdil32.exe
3536	Bnbmefbg.exe
1444	Bmemac32.exe
4520	Belebq32.exe
3544	Cfmajipb.exe
1828	Cndikf32.exe
4560	Cmgjgcgo.exe
1188	Chmndlge.exe
5116	Cjkjpgfi.exe
3988	Cmiflbel.exe
1592	Ceqnmpfo.exe
784	Chokikeb.exe
1096	Cjmgfgdf.exe
4588	Cnicfe32.exe
2620	Ceckcp32.exe
3128	Chagok32.exe
1792	Cfdhkhjj.exe
1092	Cmnpgb32.exe
2824	Cajlhqjp.exe
2588	Chcddk32.exe
2144	Cffdpghg.exe
2688	Cmqmma32.exe
640	Cegdnopg.exe
1524	Ddjejl32.exe
1908	Dfiafg32.exe
1588	Dopigd32.exe
1904	Dejacond.exe
4084	Dhhnpjmh.exe
4232	Dfknkg32.exe
1436	Dobfld32.exe
1584	Daqbip32.exe
8	Dhkjej32.exe
2012	Dfnjafap.exe
4420	Dkifae32.exe
2160	Dmgbnq32.exe
2756	Daconoae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	3116	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3216	2284	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe	82
PID 2284 wrote to memory of 3216	2284	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe	82
PID 2284 wrote to memory of 3216	2284	5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe	82
PID 3216 wrote to memory of 4348	3216	Ampkof32.exe	83
PID 3216 wrote to memory of 4348	3216	Ampkof32.exe	83
PID 3216 wrote to memory of 4348	3216	Ampkof32.exe	83
PID 4348 wrote to memory of 4204	4348	Acjclpcf.exe	84
PID 4348 wrote to memory of 4204	4348	Acjclpcf.exe	84
PID 4348 wrote to memory of 4204	4348	Acjclpcf.exe	84
PID 4204 wrote to memory of 3172	4204	Anogiicl.exe	85
PID 4204 wrote to memory of 3172	4204	Anogiicl.exe	85
PID 4204 wrote to memory of 3172	4204	Anogiicl.exe	85
PID 3172 wrote to memory of 956	3172	Aqncedbp.exe	86
PID 3172 wrote to memory of 956	3172	Aqncedbp.exe	86
PID 3172 wrote to memory of 956	3172	Aqncedbp.exe	86
PID 956 wrote to memory of 932	956	Aclpap32.exe	87
PID 956 wrote to memory of 932	956	Aclpap32.exe	87
PID 956 wrote to memory of 932	956	Aclpap32.exe	87
PID 932 wrote to memory of 2152	932	Afjlnk32.exe	88
PID 932 wrote to memory of 2152	932	Afjlnk32.exe	88
PID 932 wrote to memory of 2152	932	Afjlnk32.exe	88
PID 2152 wrote to memory of 3684	2152	Anadoi32.exe	89
PID 2152 wrote to memory of 3684	2152	Anadoi32.exe	89
PID 2152 wrote to memory of 3684	2152	Anadoi32.exe	89
PID 3684 wrote to memory of 1452	3684	Acnlgp32.exe	90
PID 3684 wrote to memory of 1452	3684	Acnlgp32.exe	90
PID 3684 wrote to memory of 1452	3684	Acnlgp32.exe	90
PID 1452 wrote to memory of 1224	1452	Afmhck32.exe	91
PID 1452 wrote to memory of 1224	1452	Afmhck32.exe	91
PID 1452 wrote to memory of 1224	1452	Afmhck32.exe	91
PID 1224 wrote to memory of 3744	1224	Andqdh32.exe	92
PID 1224 wrote to memory of 3744	1224	Andqdh32.exe	92
PID 1224 wrote to memory of 3744	1224	Andqdh32.exe	92
PID 3744 wrote to memory of 436	3744	Aeniabfd.exe	93
PID 3744 wrote to memory of 436	3744	Aeniabfd.exe	93
PID 3744 wrote to memory of 436	3744	Aeniabfd.exe	93
PID 436 wrote to memory of 1840	436	Aglemn32.exe	94
PID 436 wrote to memory of 1840	436	Aglemn32.exe	94
PID 436 wrote to memory of 1840	436	Aglemn32.exe	94
PID 1840 wrote to memory of 2368	1840	Ajkaii32.exe	95
PID 1840 wrote to memory of 2368	1840	Ajkaii32.exe	95
PID 1840 wrote to memory of 2368	1840	Ajkaii32.exe	95
PID 2368 wrote to memory of 3764	2368	Aminee32.exe	96
PID 2368 wrote to memory of 3764	2368	Aminee32.exe	96
PID 2368 wrote to memory of 3764	2368	Aminee32.exe	96
PID 3764 wrote to memory of 4056	3764	Aepefb32.exe	97
PID 3764 wrote to memory of 4056	3764	Aepefb32.exe	97
PID 3764 wrote to memory of 4056	3764	Aepefb32.exe	97
PID 4056 wrote to memory of 3592	4056	Agoabn32.exe	98
PID 4056 wrote to memory of 3592	4056	Agoabn32.exe	98
PID 4056 wrote to memory of 3592	4056	Agoabn32.exe	98
PID 3592 wrote to memory of 3348	3592	Bjmnoi32.exe	99
PID 3592 wrote to memory of 3348	3592	Bjmnoi32.exe	99
PID 3592 wrote to memory of 3348	3592	Bjmnoi32.exe	99
PID 3348 wrote to memory of 4708	3348	Bmkjkd32.exe	100
PID 3348 wrote to memory of 4708	3348	Bmkjkd32.exe	100
PID 3348 wrote to memory of 4708	3348	Bmkjkd32.exe	100
PID 4708 wrote to memory of 4040	4708	Bebblb32.exe	101
PID 4708 wrote to memory of 4040	4708	Bebblb32.exe	101
PID 4708 wrote to memory of 4040	4708	Bebblb32.exe	101
PID 4040 wrote to memory of 2960	4040	Bganhm32.exe	102
PID 4040 wrote to memory of 2960	4040	Bganhm32.exe	102
PID 4040 wrote to memory of 2960	4040	Bganhm32.exe	102
PID 2960 wrote to memory of 4668	2960	Bnkgeg32.exe	103

C:\Users\Admin\AppData\Local\Temp\5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe
"C:\Users\Admin\AppData\Local\Temp\5769c535ab96555eba28e1501f054cbacd34e1c43ddabaa28dd515ba203a1237N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\Ampkof32.exe
  C:\Windows\system32\Ampkof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\Acjclpcf.exe
    C:\Windows\system32\Acjclpcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\Anogiicl.exe
      C:\Windows\system32\Anogiicl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 408
        71⤵
        Program crash
        
        PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
125KB

MD5
603bb04fed02454d016e87b8c1d2f2c7

SHA1
44162ec158d757da359ee4cff4a9e79470676c47

SHA256
dbbfe4ae9c3ac893c13792b9a4c18106bbb8d735c5d6064eb1198c2d94f0e7fc

SHA512
e7eba3dd671ed9c03a3d4473753a24377a90b0193822587e73c040325f11bb26ff531dda00964334f994c0d31ffaf10d27802eb7bd6fd7aa09b2bd5fa48660a7

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
125KB

MD5
6379ed49c912eb9e28a42962b44739a5

SHA1
e05ea21dba5308aaae942a595588772570ee4a3c

SHA256
44c020387463d0def716f7f1781c7a1907eb1241272e7a39b43f18ff57c2d902

SHA512
35890d78da1f5b6fc5d901c175d7b4af625f53e11e5627c15565c0edd50655871cb8be091727e0169fe766cc64c356336ecbac88efdb51883e38c56407c81f53

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
125KB

MD5
863820c9f4c284ed15a53ca8a519765a

SHA1
f8732f6433d93661801e0f37f0b785da85254a6a

SHA256
caea34a0244e04171e287004276843e954c96d329ff9aa73bb80567f0dd07f00

SHA512
fb5abe27f5709e9032308a776818ff25d69a3a6d8c4feb5f330b5fa5793d8b0da3d869c0fac2cdcd59a04c16c3c5e5e4a560dab838f73ba175f6b0985314dc2d

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
125KB

MD5
85530448bf5a620184f18bf5f2d761b1

SHA1
1977d695900f5f3be9355515100c489aeb14c314

SHA256
49b0c14ed928d219b1ec980471935dad84eb6d6c5422a7e2f17486fb98a59610

SHA512
c0793f4cce378afd2d0adf7e8243adf539b5ed97a6e22c478a74e51cf9536c1406c03c7952f137a7e238799da63cad52333f8b4417151df37cb4029121968f0d

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
125KB

MD5
2268608f8c73af7aeec7d7fbdaa98c88

SHA1
6952101ba6f48a4329717988bea01494b4ed7c54

SHA256
892b47421bd5858aee40aec550dba3d66dbcf8a8938cbccc99d652d563bf88bc

SHA512
ce2bd18f95540981ff2bcce5dcfdcd5d9c020bf8b4ad174504fef0fe3c3e578fc758a231b2837e27923a33b898177d1a09cada03338f2b469370565295c41998

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
125KB

MD5
5908e0efc6ebef155616b40c7c085b7b

SHA1
57cc674df599f9fc79ea8ecf3f8b3c0581ed10e5

SHA256
1af63d976b2be185c1e1d9c59fe6fa1a07b9ada1c2ac929519feb88a2173cae2

SHA512
5dd68455489e05827bb44d99e1f74c609e107ab0795565779a78a5b44ca03554c930a269a20f15fce36f25f9668e86971f5ad43e3f77acdc91fe3c7348c0422b

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
125KB

MD5
38b41b4da196c661225528b123665d99

SHA1
de9731408c51fb484377de6a85e866f4727ca48f

SHA256
9ef4e5026af8a71d21d8e7aa0bdeaefe2ee41f88da4b4259c33c6802ba15a48f

SHA512
b574190537eea6c1707f22deae3fe7a0cb086207d18ca6415d3bf29ecd0a339f255d80cb3f1727658de697ae1ce4e77765428d105826a8b07ec01bbc3919794a

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
125KB

MD5
28023049f1e89573a7a6a0323db2a7ce

SHA1
0ad5df8dff75e11c136eb16982a501b60e76f659

SHA256
f13ecc38f2b2fd3eb662b17509703dbab8fdd6c199e7d86b21f6ffef9301eeb3

SHA512
1fbd32781153c77630b6f1ba06f9face7dfeaa5e3e100ba996b222600bd5ffd748c0f6b5836f0402ab223ca12d6edc7378b3179f3e9f7a410410ce721af34019

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
125KB

MD5
8131e31228a2bd076de3f477a132513f

SHA1
10b2bf475779dcfec04066305be478169fa3efaf

SHA256
5cd4f95dc2e563ce0bef6d1e3f4a4f19f5d03120fdbb03bb0ca29401047a7391

SHA512
c1c66b6ab4e8dfc916a0370dc2ed7c3c9de822b774ccd6082a0d95008af2bb2dc5bf6151e5ab092024e7c8400e0925b09f4b940afaf3e6693c7cf57d2052951a

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
125KB

MD5
bb8280b23fa6baf1ff415bc8f17552c0

SHA1
d7199685885861bba2a2b8cac7ca17bc1c24049c

SHA256
95140378f2df0636fa6710fe26253b198fa4942f82f7a0e4be8d14286620d981

SHA512
34124adc97fecc765c467f3e5d05134394c010eddb33539ab475138aa99b3c4a417a91b7d4efa5fca4576f4bfce452723bcd0569d547a05727e2de2d33708d6a

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
125KB

MD5
7eb04ca8f5b1eee3a104789897b8631e

SHA1
5d69036f4a738d32ea67714f6994d8e7989c17fd

SHA256
2943fc2044501fe14033285747bc3993f60786b45b08cf7a236009951ee8e079

SHA512
b177fa9724f1f0bc4f91f814852711428090de4ffc8d4f2a810baca7f4c2256ae4a1d3bff55842bdd8b6952af6d250ab2ae23636e7cdb11555bea11b27ce5cef

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
125KB

MD5
01c2699e43c76c3aadbeaee7e64b7753

SHA1
ffef823c8b85a50856bc26c6bf0b83b69e21b76c

SHA256
6b649c1e0cd3bd818b779f268aa152443053b7e9b5a58a05841a9368b0f2778b

SHA512
85128aac7b665b5395969c3f3392f1dd3671ef858fbb9a20a5ad9e0121452471fefb3b551c5e06227703a4bfb889f3ec2352faff360e36e604ef7cb89e81676b

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
125KB

MD5
8728c01309cb5f306fb840d75c827c89

SHA1
25cb21e911016d7df5acf4e8fbb0723e81b2ad93

SHA256
0ea8eced25a59d3456e1be094a06d44a724f7aefdcd9eaa7fd03ca98a7b9d3f4

SHA512
d922d73c5ec801a885964df2f7a28df4513834283c843dbeccb4067df4b7d50256a42c9ba855a2d998cfac41ea63754182076d76996d61efd8443e7d051ebeb7

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
125KB

MD5
ab67b9385a653c19ff92cd64c467b392

SHA1
8882ea63e9125e668a2d887a4817bca932f9fdd5

SHA256
947dd1b155692b9e74487c40064c7cbd7c2098799545366086d902355ba1d14c

SHA512
5c115f87b488fbe0b84d90af32ead6e01dbf491599fa969ecd3e27429a68b295c4a63ad7f90b674b07ba91098aed0b7af4c427888e3cebdfe4acb41b8c34592a

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
125KB

MD5
8f58d83a16351501b3acdb79c3328a81

SHA1
cb436e869789b2c0c40bc89690913f1f11491501

SHA256
c3566309b3d3cebd8adb3cb0e3e9f2bbe7368a63911f5c2ac1f49b56424980cd

SHA512
38568291881d05129428049125feb8f4b5da3e4b9b870841b61e5318f09172ac96d3ea36372190709ab3fcb37f25038592f94ea756e4159664494c3ad6e9a317

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
125KB

MD5
982fac61cfdafd1246d68c40f572eaad

SHA1
f181baac529cc3719766990dc7476c3881fb2b9c

SHA256
b634dbf86dc1bd666f006a4d7cb22247e691eb3263f073b1fd33369041b6405e

SHA512
c3584c58a4325b49cf4bfc622a8a03f0d3451c86ae2f28b18f7e13e4dc53467fcf4c3ddea56cde1cf7003f85af83d78b41300d02e4a784846bb52be8c176dcc8

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
125KB

MD5
028d088eebe0bff79bd00245c75ce894

SHA1
39e28a24411b9c1db79fd8b13017fc488a72c8c1

SHA256
0d3c52dbd50813cd5bf1e71e828a12992ea124f565ac3c2b250f55a726dca56c

SHA512
36039a1001ff914763e7aaeb9ecee212cf902f9fc53530b6af8bab351d9f2589c9695532658d9cc76f3b65f69f1cd4a4ce690c897d110dc7d1223ce7e4665524

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
125KB

MD5
b1fc8e299c4f04f1bb1fa9d515730a42

SHA1
263a42410cea66b5a8da2a54fd7a7e44ec990e83

SHA256
f58fbeaebe37ca13a84510c3473122ee7d6dc7156764f4be0b8e58dae88cad92

SHA512
5f23389ff70f173a1c45c62b9454d2dca93dc70b0a971a21fcab874388093e1d93a734f26d3b0fb1cbaf07949ffdd7508973b36c931cacaaa2af12ec43c140b9

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
125KB

MD5
18aa27c6a9ff7fbfc87a5a9a4f63e79f

SHA1
411b91e414603cdb67014647a5b7261ead9b21d9

SHA256
42666f4c25745df15e5ae0b000536ad609f76c8fe097551ee900c88d020dae89

SHA512
ab645033ea63f3469f7f73730caa781c0d5e3900f30c002281a7867a9e9b14b63cb237042f1728763556fd955205fb6a1b16957afe1bbf3e339ab696401e76ae

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
125KB

MD5
a7b55a215235d77a585734f12077f7a3

SHA1
6320538162f433a30ac22b46084b1c1f31c92997

SHA256
20fc68c12c04d3f0fcc4ab74ca8a2848fd0d4434b4ce2c5cf9f9613e9228c5d3

SHA512
ba38e40fb177698d7bcb809c580c4c18a1367ff99c5aeb35200278ae27bf5876c22f53e138cb8140cf352e580a9694737c9667f2a3fea0770f3e562368e45341

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
125KB

MD5
8ef3c23c63f52fcfcbc7e53595f40039

SHA1
2ea022062237e6abc5f595ba084cf9d1876777e1

SHA256
6a9d31b1eefec43f58c648c586ded5fb69c9fd87ebefd35651ebaaf3b33cd580

SHA512
07ad9a9be1da3f990c473bc84bcc4abd16a5b7d48004975e9b7aec1c5059af24706502b892f6c64a5789faf4f47afecb4cb7fcb07a1964820448af40ca5fe367

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
125KB

MD5
2a59a86c1920f4fa57b422d558018331

SHA1
9764717c471f12dab79c1120051519544f852349

SHA256
b78efdf35d95fd1112bf26fa85160a2725a7f9c453858be921e505bd6e0a9c1a

SHA512
29ffaba78c49d717d8d7cdbca5d07596b741e44e28cc732aca9d8f6669943481d589e06682f63c7590747897c0f5ec6eb6318ce70cb65c440e3f5445a313b2bc

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
125KB

MD5
4a20c4234da6c06e45af3ac39c15b31f

SHA1
debe45f8358ec5e6c4dafc4182a64076bab39e57

SHA256
b8df7dafe582ede985ffb4a1c5b812b86470672d9521ead089e2a4a7eab443d4

SHA512
96d202bfc7f849e40a0da7a37e8d662c7991d8579f9dfbe58f9896582760871c243633925933779b01b1c343f89f21606009a01fb4ec5c3f939739574c57440f

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
125KB

MD5
fdcf7175c3c28bc7e9c27d4800399682

SHA1
ddadef9231f8cd614d175ff2922314e8953aca2d

SHA256
4222cda17dc7cf00923c1ece65963f8a458fd95ba5fabd22bfe82f281ffc790c

SHA512
3314220db86f1e1a0b8663b1820f699500248c453a77c1ec0f457dda12f607137196f137031c707c2dc89ee3b411f5f21d16d4beac84ffac73721ba09e95a34a

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
125KB

MD5
f517524fd5077d1eb2d871a546754146

SHA1
63a7b24c643d030241eff4db858be1f658fb9acd

SHA256
fd4e50f987c5ddc319323b7b2738d2fd379c0660ad45eaf5bbabf718309eb8d0

SHA512
25709e1f56df4a235418b6b8c44ca6604b5537700f21403a5da8bc33408afa99f32271860fea09eb675a30d9d36e4e2e0b49e6b6a1b688183b5f0ae860de57a0

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
125KB

MD5
f03a4bcc91e528cde2ea2ea310e43680

SHA1
7872c4da3379e816e9fa1646341863d63c1a0ca1

SHA256
de14032d3d546cf64a9279d01418f9c8cd37cf2c13dbacc9fbcf78e858820997

SHA512
694562d17f06e43707ebefd89d6d7ae7eda38d824be22e474c73f5c4f9adb9e8b1559152287eff38bb6d53350d09ef71b2451dadf2aa089de1979abdcd82c28f

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
125KB

MD5
c52e32202023618e44b64289f12a8430

SHA1
1f1b5b2c4eae3d3078d42c34b907df86073c9db1

SHA256
a027eb05fa9650e035ac65790f5b392dcbbf79db73a13d47bafcd5c84d573f92

SHA512
cc76124fcb3e7e11f4089e6b7329f13d912603d7399eaa84fc93a63722a8846aa9c22376ea72d01f5eda7571ea72fd75a56f10de2d9ff82c0bae290243ce8ec2

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
125KB

MD5
91c70f1cc5437e07449727af344236d7

SHA1
7b24c3c3cc5f94877727fcdd2a479f6ebc64ab5d

SHA256
7c03beb797ed64e3854fadff79010c260e12eaf27348298494b79483133a243a

SHA512
021592e52b6ade59376b61f4d56351f3b46a0beee9e7faa20eade7a97331b983467403fbf30ce9a3e13c2fe218a24463f0628440a212bd67be368336b173a9a4

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
125KB

MD5
9772b8e84fe874c9a7769cc2fc454ba7

SHA1
829a0f4d30a40565c382c8179fc317979bdf4f4a

SHA256
a6b542d8aba4eb934dd37f3ce13224827f7ef6df2d148ec22c0284b2e7d04c22

SHA512
1beb7b35966c54a0d50f7c397c626a83fc81c865021d905eba3363d5316d8a7cae63c5f400da43b28e50a8b30f61f06c6fa6e017c3daf497ed84e96b3c31aa01

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
125KB

MD5
b7b9e2d08a00688d4ecc73a207a37077

SHA1
91de4edecede427b1777b6372d8e9c1ba34bb45b

SHA256
13dad7fa5ef1ff3489ee2b4fa240cd3d86565a034e06a560ea26f72a4ce802ed

SHA512
eb63bcf94fcb15869704d9f6fc5cf29a36bdee6b1cb83e153d2f20223ca8be2a15913b6a57c41b7a3cef7c903bb2bb8c06e70c525dd6ce125d680d9c387c2a48

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
125KB

MD5
df44f23978acc177c4e01797f7a69b39

SHA1
00202957ca668e6dca847199305fa47f87451ef0

SHA256
ce2aae9c964a0f5d13663003979605536b5a0ecc24d2694e160079d51ba5fb72

SHA512
1ac830ede77fd31b4d26b836633f82e0c81afb23f5f26b286ecc8fb993a5ecb46f22721ce3c15238849d35d58825fa228f50305172b2c3baafc0ba489beb3b7b

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
125KB

MD5
12f7d6ee848fbeadd17fb129527b7f80

SHA1
89db1edb2b6f47fe56365718346ce1eb1822f5a7

SHA256
5d8f0e6e815c931d85f53076553436a34d3cfc5bfbac575916c870876e2b8f68

SHA512
ef0cbf1391bfc423fa8e821cc58ba94ebb4e8ccc054531df3f8af875717522991fcc910aa0a1533dd7e7aea3e1f9f2ab1112b2dded9aeff4f4cd92aa5f4f9d05

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
125KB

MD5
aecd1a52675bea9ecf1f9e0bb3f73457

SHA1
4ea5729df8e697e9a0ac63921bd344653a589708

SHA256
6f45e8eafde8771b2fc46928daf4db20bef456599041869de6689a51919ff0e9

SHA512
d4bbbb4d1629248faebd54359f26427dcf575a2b4ad9e39831c7313635d67a1c39ae9750a8e404de50c421cf9571ce1d051a5fd151b885dfa772587d4b9dacb8

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
125KB

MD5
732aaa143cee7e0b3e4196861b96fe56

SHA1
1b441ba4d3a76533a39e4d681a31322515f8e567

SHA256
579f4d645ac60fc40334600ca5967e5e8ab1d2f52a5b69d335e6695ba94c6606

SHA512
8f44133892c120ac7c327d5eff439cb7933d378dbf21686ed4b2e1cc882540df63a642acbf5700225097af21bbbcd6a30914c07df8803b5eeca8d9769847f4f3

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
125KB

MD5
a0e2081af221f861c376eddfbeb3029c

SHA1
a5d7b5a2135edb9db2aa2a8e271a1c5f327d1b1d

SHA256
f0a51472bd9ffafdfbb9f3c7fe7e56fdeb3eb5c711f707e57e7a05dcf8793ad3

SHA512
5a23c46c821dddf7c7f0e87dd1e060f269d2d77fc858924e85a0cebf541b49b397fbad8ec7e310babb8b7c55c8002429d19a3947b3170fb02bbb649acf7df84f

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
125KB

MD5
e4017bbba8a45bc82aa5002635dcb4ae

SHA1
7aa08b8f326dfd4d5ff172331f80b3d8f2dc2438

SHA256
b07401c463dfe0a18f164bc804a7bb601ad422afeb37832f2ef3b2eb626d7835

SHA512
29969bb3646b85020b75ec7d4504a67a079f68762f57e821c23ee639ba486215944cc7ed206f695e84cc9791b693374bddcc6eff0dfe8f173c05dde9e12fa765

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
125KB

MD5
f8434cdb7c7dc58b978556a19889176a

SHA1
5753cd2075cfa31dd13a7ae5acfa5cb3e25001f7

SHA256
517320a7d7cf455ca0a58f4bbaecd6edf90504a8131295d959af7f5f549ca057

SHA512
a6117330df19ff81fca6b07dff755890e9140677d37d579f69e1c9ee0141f01414e12d04089be8f4adface49a615a7034b445f4899515fc1923edc9cc76af58b

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
125KB

MD5
cfbc77244e8ccb5eae86865e79d4edc0

SHA1
c17dbc1fc88ace31f996bd45af5374f24a44ad74

SHA256
39f54374b8e3a9cc4b448b1611df4d049e1fba3642c85045ba93cb23cd6c34bb

SHA512
f38ad4e53828e6dc9cfb0fa229340f8c1a6878f9420ca008e06ee61f2e79702c08aa259a270f058bc92e5519602024e19b81a91795f32880faba299761b43a1f

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
125KB

MD5
3ca8d544616e5ea2c04669bda8e0bd9c

SHA1
74e54b66ab3f2513af5d41e810e17671aba95afd

SHA256
b13db777bd9270459fac896b5f3001de9dd9eb58fcac2997dbb7038998de2ca9

SHA512
2abe584d7fe1f4b2c2e99cad1e743c6eca0f0a99cfb01ab797e6f8ce2f97d7aedcdea973007a198ed92f131ede86f18c7ceb15b22e1a271d2e7db4d154722bc7

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
125KB

MD5
bd7e5d65babff2c553bf7a45b391dbc5

SHA1
53da2b4d4ac04c744914c854894329aee84e0cda

SHA256
c0c6907890085ef8b848a787724600f522b48323abb66a1471cb4cb7f734de28

SHA512
8690b65ddbbc1643ada5a4dfee11b00b3b1bea84785aa99c5a6ea1983f548357b7c83b9f10f7b9f65a5c29f9ae24786be2bc938ae6dcf3e35c56f6e59da6dc63

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
125KB

MD5
93e77efbd2ca2150de2f546d5cf5cdcb

SHA1
3e829dbd6d9675bcc72ac5f7ead2fa7cdb75e7d7

SHA256
14a0a5ba6a93701caaac182c6dc0e107dbe2b6ea4d28f5303ef3f922ac4590dd

SHA512
e73394b73ee7a9eefa2491534b0ea5af08a3cd68636b8159ad35cf5118470b12fa55e936affbe76cc7c67472aa630752bb227997a6829dcf60a36b86e05ebf7b

Download Submit
C:\Windows\SysWOW64\Eiojlkkj.dll

Filesize
7KB

MD5
c45bdddf54ba244bdcb3db5f8b22b3e7

SHA1
69c257aed4a4147e71c502a93ab91c4afcc6a73f

SHA256
740e9f83e677af530409e71be59b7b0e7b3da1f9f603f40287505efb5bd76af7

SHA512
217f2400117768f2719ae683153982cb99fcdb0fbaad8f40c658ced656993e44c1df8b24a9b04834ca06d6f2b3d3a4bb8f3d4cc8a8e801e55ba5d80b96e6410b

Download Submit
memory/8-424-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/436-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/640-370-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/696-497-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/696-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/784-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/932-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/956-39-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1092-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1096-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1188-490-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1188-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1224-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1436-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1444-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1452-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1524-376-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1584-418-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1588-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1592-487-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1592-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1828-273-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1840-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1904-394-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1908-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1968-494-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1968-228-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2012-486-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2012-430-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2144-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2152-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2160-485-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2160-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2284-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2368-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2588-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2620-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-466-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-483-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2688-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2756-448-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2756-484-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2824-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2840-454-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2840-482-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2932-496-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2932-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2960-501-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2960-167-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3116-478-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3116-479-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3128-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3172-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3216-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3348-503-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3348-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3352-481-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3352-460-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3536-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3544-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3544-491-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3592-504-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3592-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3684-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3744-87-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3764-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3788-191-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3788-498-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3988-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3988-488-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4040-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4056-127-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4084-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4176-207-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4176-495-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4204-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4232-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4348-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4392-499-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4392-183-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4420-436-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4520-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4520-493-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4560-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4588-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4612-472-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4612-480-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4668-500-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4668-175-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-502-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-151-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5008-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5008-492-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5116-489-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5116-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads