9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe
Size

295KB
MD5

13c71d6bae2d63af2ec89dcdf3f7afd0
SHA1

c7fdd146620d686ddd7c25fce95ed882e254b2f0
SHA256

9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026
SHA512

0a99105ae4d09bb61beef189f020fb386e1e90dd14f7d30474d7119daf5a343a95b7a302f92ef521eff77a7e721c7d9ceb800163ac43a48294fd2f3445559f24
SSDEEP

6144:+qvD44i4gWRR9b//R1PY1PRe19V+tbFOLM77OLY:g94gWD9b/56fe0tsNM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe

Executes dropped EXE 64 IoCs

pid	Process
4732	Lmbmibhb.exe
2912	Lfkaag32.exe
4960	Lpcfkm32.exe
1168	Lmgfda32.exe
4652	Lgokmgjm.exe
2636	Mdckfk32.exe
2688	Mlopkm32.exe
552	Mibpda32.exe
1772	Mlampmdo.exe
4928	Miemjaci.exe
4632	Mcmabg32.exe
3700	Mlefklpj.exe
4716	Miifeq32.exe
1508	Mlhbal32.exe
2428	Ncbknfed.exe
2168	Ndaggimg.exe
264	Ngpccdlj.exe
508	Njnpppkn.exe
3628	Ndcdmikd.exe
4604	Neeqea32.exe
2900	Npjebj32.exe
3280	Ncianepl.exe
4532	Nlaegk32.exe
4504	Ndhmhh32.exe
2036	Nckndeni.exe
4052	Nfjjppmm.exe
2856	Njefqo32.exe
2260	Oponmilc.exe
3836	Odkjng32.exe
2536	Ogifjcdp.exe
1272	Oflgep32.exe
2228	Oncofm32.exe
3944	Olfobjbg.exe
4412	Odmgcgbi.exe
1244	Ojjolnaq.exe
1916	Olhlhjpd.exe
1944	Odocigqg.exe
1164	Ognpebpj.exe
3304	Onhhamgg.exe
8	Oqfdnhfk.exe
1040	Ocdqjceo.exe
1348	Ofcmfodb.exe
2116	Ojoign32.exe
3392	Olmeci32.exe
3312	Oqhacgdh.exe
5000	Ogbipa32.exe
3960	Ofeilobp.exe
2520	Pnlaml32.exe
2896	Pmoahijl.exe
2232	Pdfjifjo.exe
4192	Pgefeajb.exe
4344	Pjcbbmif.exe
920	Pmannhhj.exe
4200	Pqmjog32.exe
3316	Pfjcgn32.exe
2772	Pjeoglgc.exe
732	Pmdkch32.exe
116	Pcncpbmd.exe
1236	Pqbdjfln.exe
3000	Pcppfaka.exe
4372	Pqdqof32.exe
4580	Pgnilpah.exe
3460	Pjmehkqk.exe
4296	Qceiaa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Andqdh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5492	5296	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 4732	1744	9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe	83
PID 1744 wrote to memory of 4732	1744	9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe	83
PID 1744 wrote to memory of 4732	1744	9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe	83
PID 4732 wrote to memory of 2912	4732	Lmbmibhb.exe	84
PID 4732 wrote to memory of 2912	4732	Lmbmibhb.exe	84
PID 4732 wrote to memory of 2912	4732	Lmbmibhb.exe	84
PID 2912 wrote to memory of 4960	2912	Lfkaag32.exe	85
PID 2912 wrote to memory of 4960	2912	Lfkaag32.exe	85
PID 2912 wrote to memory of 4960	2912	Lfkaag32.exe	85
PID 4960 wrote to memory of 1168	4960	Lpcfkm32.exe	86
PID 4960 wrote to memory of 1168	4960	Lpcfkm32.exe	86
PID 4960 wrote to memory of 1168	4960	Lpcfkm32.exe	86
PID 1168 wrote to memory of 4652	1168	Lmgfda32.exe	87
PID 1168 wrote to memory of 4652	1168	Lmgfda32.exe	87
PID 1168 wrote to memory of 4652	1168	Lmgfda32.exe	87
PID 4652 wrote to memory of 2636	4652	Lgokmgjm.exe	88
PID 4652 wrote to memory of 2636	4652	Lgokmgjm.exe	88
PID 4652 wrote to memory of 2636	4652	Lgokmgjm.exe	88
PID 2636 wrote to memory of 2688	2636	Mdckfk32.exe	89
PID 2636 wrote to memory of 2688	2636	Mdckfk32.exe	89
PID 2636 wrote to memory of 2688	2636	Mdckfk32.exe	89
PID 2688 wrote to memory of 552	2688	Mlopkm32.exe	90
PID 2688 wrote to memory of 552	2688	Mlopkm32.exe	90
PID 2688 wrote to memory of 552	2688	Mlopkm32.exe	90
PID 552 wrote to memory of 1772	552	Mibpda32.exe	91
PID 552 wrote to memory of 1772	552	Mibpda32.exe	91
PID 552 wrote to memory of 1772	552	Mibpda32.exe	91
PID 1772 wrote to memory of 4928	1772	Mlampmdo.exe	92
PID 1772 wrote to memory of 4928	1772	Mlampmdo.exe	92
PID 1772 wrote to memory of 4928	1772	Mlampmdo.exe	92
PID 4928 wrote to memory of 4632	4928	Miemjaci.exe	93
PID 4928 wrote to memory of 4632	4928	Miemjaci.exe	93
PID 4928 wrote to memory of 4632	4928	Miemjaci.exe	93
PID 4632 wrote to memory of 3700	4632	Mcmabg32.exe	94
PID 4632 wrote to memory of 3700	4632	Mcmabg32.exe	94
PID 4632 wrote to memory of 3700	4632	Mcmabg32.exe	94
PID 3700 wrote to memory of 4716	3700	Mlefklpj.exe	95
PID 3700 wrote to memory of 4716	3700	Mlefklpj.exe	95
PID 3700 wrote to memory of 4716	3700	Mlefklpj.exe	95
PID 4716 wrote to memory of 1508	4716	Miifeq32.exe	96
PID 4716 wrote to memory of 1508	4716	Miifeq32.exe	96
PID 4716 wrote to memory of 1508	4716	Miifeq32.exe	96
PID 1508 wrote to memory of 2428	1508	Mlhbal32.exe	97
PID 1508 wrote to memory of 2428	1508	Mlhbal32.exe	97
PID 1508 wrote to memory of 2428	1508	Mlhbal32.exe	97
PID 2428 wrote to memory of 2168	2428	Ncbknfed.exe	98
PID 2428 wrote to memory of 2168	2428	Ncbknfed.exe	98
PID 2428 wrote to memory of 2168	2428	Ncbknfed.exe	98
PID 2168 wrote to memory of 264	2168	Ndaggimg.exe	99
PID 2168 wrote to memory of 264	2168	Ndaggimg.exe	99
PID 2168 wrote to memory of 264	2168	Ndaggimg.exe	99
PID 264 wrote to memory of 508	264	Ngpccdlj.exe	100
PID 264 wrote to memory of 508	264	Ngpccdlj.exe	100
PID 264 wrote to memory of 508	264	Ngpccdlj.exe	100
PID 508 wrote to memory of 3628	508	Njnpppkn.exe	101
PID 508 wrote to memory of 3628	508	Njnpppkn.exe	101
PID 508 wrote to memory of 3628	508	Njnpppkn.exe	101
PID 3628 wrote to memory of 4604	3628	Ndcdmikd.exe	102
PID 3628 wrote to memory of 4604	3628	Ndcdmikd.exe	102
PID 3628 wrote to memory of 4604	3628	Ndcdmikd.exe	102
PID 4604 wrote to memory of 2900	4604	Neeqea32.exe	103
PID 4604 wrote to memory of 2900	4604	Neeqea32.exe	103
PID 4604 wrote to memory of 2900	4604	Neeqea32.exe	103
PID 2900 wrote to memory of 3280	2900	Npjebj32.exe	104

C:\Users\Admin\AppData\Local\Temp\9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe
"C:\Users\Admin\AppData\Local\Temp\9c00b5ea4be05a1e312169083c210134040778270e0674a86744ff628506d026N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\Lmbmibhb.exe
  C:\Windows\system32\Lmbmibhb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\Lfkaag32.exe
    C:\Windows\system32\Lfkaag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\Lpcfkm32.exe
      C:\Windows\system32\Lpcfkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        31⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        52⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        66⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        72⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        74⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        78⤵
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        79⤵
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        81⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        83⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        85⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        87⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        92⤵
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 340
        107⤵
        Program crash
        
        PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5296 -ip 5296
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
295KB

MD5
d116adde9a2185541e33dc6c5b569373

SHA1
fa0c982e6a4735b45d761199b9633982b89c99ca

SHA256
f4416474f3deb5441d3c58bc3b4f826b728c9cf59cb5e1dd9adcdd57007d04f8

SHA512
9f27b65ea3969b02729b57b2f7adc8380019b428ade722328017b403745a6f75418a6ce03f87486c6995e67113d98d062dd37e18594f609073390a6e3252923e

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
295KB

MD5
d99d630776f5853a33ca50f8dca3e8d5

SHA1
b1e39d76bd412851a724fcb1acedec09d99129aa

SHA256
93e6243772a89d50c0d48ab8cff101d0240f33749f177bd987e3277bbb9f5b13

SHA512
06540ce276107e0aefcdc10b463a0be6d75727d59d8abf33fa10938739fd92fd57c582456fc979ac72b98a37eed028b4f0d16dfbf74963cd6416a2c74825b463

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
295KB

MD5
ce734e26f17aca97b5cfd1113235ea32

SHA1
1c245e465c4b840114deea30bc1b4d4ac59eb094

SHA256
806f2e401da87b4545e2660dcaff5cc800fdf9dd62aa96d1f7fec9a645c3b962

SHA512
d50be79f5453409e3e1fac1c06ae9528c1b5efd9c45ce6ae7048ef32f61de5f03fef6d1fcbf7d08eeb724c2e9dda0bd4e58aa79a991cdbecf385570eba02d2fc

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
295KB

MD5
214410cf7a3261284ee06b6efc1faf45

SHA1
1002dda966c30998eaa9b12e9ea59dba1e6855eb

SHA256
862c04c84f8e2abfd4ff77dc737b8eb6293dd7b64e5edac77242f2827b8adf52

SHA512
1745db9395302a31a67eaf626d1c3c849c1fa273a81cb96000894462ca221b014112494cdfcbf44bc5b13ef329aa11dd575919824a66ad2f0e24fcc6b4cddee7

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
295KB

MD5
d1a732653981f161d1fd24325f0940e1

SHA1
aa1c1399707882833dbad2bd7b27e7f413ede4f1

SHA256
8e241d8b267779443bcd99c69bce7cd5a552c74888960d5712eb8846ee790409

SHA512
809506e71ff6bcca36b677c945ae0d6bcb02d08ce97b4ad77f35ce2e82f466ca5f5695b5fc49248918c307de9e963fe63f167470ef0717fa5682f53087ad440a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
295KB

MD5
94eb40142f10a1e8feda49a28caf4e6d

SHA1
6a2aad2305645196732909e6f51596160012f81a

SHA256
71afbd16d482ad4e3a860a31e4e6191b5421b7388c271612ffba5a3d6f8ab2df

SHA512
d7f3acd16c0511f09bbd480362e12b61b5805edc9b66b4e5de1c8501d3c8a5515626f5c7ca565647b4ba5b03edab7cdb0da5d40965d7e998d4ac9e53be7d158c

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
295KB

MD5
d7a88ebcbc73da146a500eb706579036

SHA1
6da5e3fc4584ac1a91b8099c34a5134b4bf15a28

SHA256
7d9a40bbabfdff399a2ad76511fd1edfbfc7d700bbe60a240f955502378d0233

SHA512
2ab70308c7282e7552b85f0a92ebd1544b05cc8c7d85cafa8ee20d532f0f0751dca1adaaf4bccc49a59a3b926bfb3948c3603756bc6ba9512de06f2c6ae7a171

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
295KB

MD5
d8eb6e9603a1b2c4804ad8d48c20c702

SHA1
5188a6bae2fb977c0cfcba4b0abedb3a5d222534

SHA256
1f4a63e5d7bda5f81f1b7af83fb874825a9f9a3ea4fab341ecec55a7e967710f

SHA512
21191fe0e1b780b54dc3d1458926598763e7234cfc95a009f36200790dda1cf9eafa1970c4771b82a16c66231cd0563472acd28f3cc5276dec84df09c9c32404

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
295KB

MD5
82d08c3971e3a77e96742798a81c49f1

SHA1
80ca4775fe6624c78f47ce7ccd87ca4a1bf292f0

SHA256
653e7889cfca69cc9e3a8bca15c4ca9cabeed24946b8a2caebd71d8eb88986a1

SHA512
235c3fa8e6e2645358d2ba1b4f254028f59ecebaa6ab65046c712f4334a7178c8eca853dfdd26781f7e5c14e023c633204045e700ddbde69ac419ce7bb6e4631

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
295KB

MD5
b69271b06a26ffbb69bc8a7628db5eb1

SHA1
ddf301e69538bd531bbf94a01437a374c39f4ac7

SHA256
a535cc1dc9d26325c332f890fc03b1962ac60be80e926fad3ffaba9b83da2e9e

SHA512
52d857127f011417d10bc80e53dc4fcc32d0563233f9e9bc5d294122b6e283b5ebe8aa3400cda4bf286522000a698486783ceeded90ed114051a1c2353be52ef

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
295KB

MD5
4147b398aecfa07e49b35ebcd3183b6a

SHA1
7ad6fb34ba4d55789fd2870d7749895ff1a9d580

SHA256
4dc7f69877ed8f22af4e299c2a8be81586a37326bad36b8f6a5cab73b698befa

SHA512
71a34af3d5a96356f85fd42c3ac2f9b7ec2ce202ddaee9914f3705ce40dbd8bbc7763fdc6cdad767d28aafcdacf94a599200f88ba80a06be5b5e2cef2f7c289f

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
295KB

MD5
c051a7e918d531c81167901a55c7e728

SHA1
3dbabff82598e91d53bde417e0361ea913be2f6c

SHA256
cfde2b449e31261fff952c73fe0a0d430e76a8fc25ac610e6536dff8f53e3d6f

SHA512
5678c76a5864ec3693c5dd70a9db9a8e1a23c195745465057a5f724e638c62d194e137319c90afc8888d60cfea8b99660cb344f046bc21abbb28c50a72bb505c

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
295KB

MD5
89db2ff9ec216b3b75f3d728503898b1

SHA1
fa5635cf9b8a30d981ed00b75b12a418edebdf53

SHA256
b749e726e4f42fdb30629c6fa941c8375a417de02f19f64d2423ee7590fb309e

SHA512
554e121e70035885684d902d0f684c47a9f578574edada4beb8030753ef9e85d65d277f1555224ea452e7e3380ac6a042b97269218076aea9bc3951d1db7eeeb

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
295KB

MD5
261692d197fb66caf26a0669d49eb9dd

SHA1
9967acc62e4bbac67ea3690982296d2c31a8b7fc

SHA256
3b1075fdae35fde20902da2df11fafd75e4eb1e848f823b6d3d1542dd79134b7

SHA512
cc201aebe4f100390eca3290ca4db6500521c59bcffe4c08065867389d4bb80b282965c0fddbfddb95aa3499f8cb358b01f0be884e30bea60d910d02c36e033d

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
295KB

MD5
57dfd6f9eee623ea39a046bdfa6a0e7d

SHA1
9eced4927d18d3dbab12ebfde19e00091af9b43f

SHA256
f0846ccbe9302ec38da3b354dad5bec847dc2bf5328e5b50289bea349e556d2a

SHA512
19b0163bc39340a006e590ef533d6485c79598b6d9206731c97e7821fca3f1eba1d7acb885b5ba9fb83b07a764b805d5caa9cb03f8a203cfb35f87a19fe89bd8

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
295KB

MD5
3c33671ca6c365ff3dd55fa420b6213f

SHA1
329e8750034e0140fe4ed89a4136dcb8c0bfdebf

SHA256
4c3f4b17a181a52c3f8294216149b21d06594434c843734e64c1b233d299d0c8

SHA512
e07b76ab627c5f770b3e0589829948cef2e197da3a23b8576044b676211c19b077ecc444e1d78378a6055de8201ad91660416239e4aa35d686c12bcd1df51587

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
295KB

MD5
1370582df5d576e82cf3a71f1f9f48d6

SHA1
2f5edc472bbffafe2091ccc878d504ff27603d58

SHA256
c39a72f7769d0223939a68cd2d0b92124ab47b99f8e3793906ac80aaa9eb220f

SHA512
c44bbe58f41ced1ec03fcda3455f90cc4063949cf1d2c6c11eeafb15fccb36b5bf8dd4d235403b41a754c185c0c2aa658a6dbb61cfaaf490dd18cdb8711a5881

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
295KB

MD5
1d17493622f8c46af415004a512c95ff

SHA1
c82a52aa88126c097572dba819868df22468bb66

SHA256
1857a2777252c45e643b57a251de1bcec68d717e57bcfc61ef64e0710ea55004

SHA512
e6f7c5b3659f3f7d6a09776d7cd7724193986dd41f63acde59f1f0bc1d246f88a24c9fe690093829ad29dc35d731c9643b928312f02701cf868515dc62fecc3e

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
295KB

MD5
16d6f414e68a47c1727f86e8c27e347a

SHA1
169a57548f1d744d40ab5ea4a30dc33369a91c70

SHA256
16e1684dcf97b88e32a45f9a4845f475dabebbc7d5c291a15e1d007475e6e1d4

SHA512
d622976a73b69ddf1c6247b64a9d5776158289124b3d83b5a906eb8d293f895c933e8055a52d4edd20b14c2c1c727b4abb4213bab221bb17e78e8f6faf116f69

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
295KB

MD5
a496f8e67f9bea6eaa7d945ec751f4c3

SHA1
52134511212045229738fbe8e9b682a2860535a8

SHA256
681f9100103845c67075517e5f48b78a3099fe831ce4492e25d0f25dc85c38a7

SHA512
f4a50ceeb81b454b3aee2ac21dba7a1ed7dd9a61ea3ebd457d3ce0fe789c74b62dadaf9ce6248515c7addcd070c80fd7f57e73e571e69c5ae50cec0484900281

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
295KB

MD5
3b807673c04821e68efd65340fcc48ff

SHA1
1a0473329eeca4e12581ff729a0a3b35fb73a11b

SHA256
ff5f78140c04bdb38b8701b194139917e07e6ce75fa49ef51cdbea8fa8de83e6

SHA512
37b4d130dbeceb74c5afe4bb82503fbe8a76a4e7e827939852d2d546211108343ae4cb56f528e38559a8bd71c8eb2a78214370dd53c949baf8326c25f9f6877d

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
295KB

MD5
75c3b99b60e33db711278570c55207bd

SHA1
fd38fd3990de08254f464198be743f7f04bef388

SHA256
14cffec81149652b44e4f71b15bb90fe2796722941769c4033a4a050aef3858a

SHA512
a3f0a171edad4906b5d4faa3471e6f06671e080f0e0cb5454892bd522ec0c75f06871f5ae5cfe9f8bb43dcb075c96ca6e95234130f4f5676c12cd3fc4339b99c

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
295KB

MD5
2cc2d5a9d0e7b10034ef71ca948e3724

SHA1
64aae214d71b2dc0fa3f35df8425bb04be749bbd

SHA256
e8ad4c5474dc793d94e337114a2cb7eac029f5bfcffd62d31900475de809ab85

SHA512
e65fff984b9e5ef057a8583aae05910de1cab7be0ca2021e7b4dfe1e8fe8b3eea3706839a0dd910b64c709eae27342d8dbdee6225b09e8e5ed96d6068ffc8827

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
295KB

MD5
f0c10b189f49067bbfd212cf77432a66

SHA1
e62179061af6cffea69ed5d49b2b9985aaa38cc2

SHA256
de077adcdb76f9db257b0afce8c2874038c2228c4accc8c72719afe6ed3a41da

SHA512
14c4988c15ed16e31b2655074769b53e1b2abdb0acae9611e4d256be059d92a24ffa21f17d3e05e5f173ec91439a74be15a3c271aab78a711a1e48cc33c73207

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
295KB

MD5
ba2b85261017b5b6dc43f4461530bdfd

SHA1
44a2f6f4f14fb480c318b44607fd402eba9a87ad

SHA256
ce8e337fc5ccf852b85f3a770b5e69435892e99cfcac28ed69459cb2818c8c8e

SHA512
ddfc6befcb99929d2926ca9cb00d124278ec1b6ba856679b2b25749e9028e91b900bacb325f58b63b661b208176c9dee6863b3c89b125d8350d7799a913478f9

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
295KB

MD5
ee556bc5eccbd0860483a9379649e5a7

SHA1
8e337e42759fa65206978923621250b0c25affbf

SHA256
be290514ec62e5532ed25445f982d1795ce5700747aca3cdf3c889bb382c3752

SHA512
59deec95860accc7d45d0d83d0fe21d40d61863c8250db6337501ac093c32a5d189bb11e2701653dc8391124371f4ff4e25017cce79da7acc4f2e942917454a1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
295KB

MD5
d31c1ef5c86cc45854488d67486483a7

SHA1
395b591acf3ef299fd6fe5896e05e3225231f1aa

SHA256
504d72c7b5de8c6494e52b4cc0caef2b618780320871f16b25c5ed765cc8cfdc

SHA512
515750e664f6adc157933863356b1c9d102ea6c9ffedf3ddeecd21f377a36f0dbe36a3c76237a9c46190beda4c81e177246d8fcc91ed5b4024c6f5d8831ab2dd

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
295KB

MD5
e73a29df1560fdf6859e07fb76dccfc4

SHA1
5f01141efab6ce4b39662fd2e8a902696d4a27dc

SHA256
200fcdd8e86430c55557137023f1b89e9fc850b3e4a647e27221cacc23226acd

SHA512
63abc426f0fffbdd59ca64017ac9f7a4734748df08741dba6d99a4c91380a327898c65d0d16dfa949eeb84d4831c7857a76f24cba8e06ca14faa471a108bacd5

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
295KB

MD5
c31703df4f83dde43ffb8ef595d079f3

SHA1
68cecb9816fde96ebb6e1680cfebed5d78d45058

SHA256
9fc3b01f3e8d73cb59ab90e186c6588fbab2c9be1f0dc43af81edde96c788d83

SHA512
d8ded2ab5de5235220304314e865a84a39c34b1a0568b71d1919848d83fe0e13ddb585dca2bcbe9468b7aa1e1c81e5368f4ed6b7b92f2a758e80b9ca7917cd42

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
295KB

MD5
2b22f6fd7058a9af5c32641b12ba171d

SHA1
c32038ec355c3a825231ede0a511a6fd0422460b

SHA256
06960a8abe74d4525fabe859410e48486be5071e0d25656d71d103da996802a4

SHA512
1e483cb53c8d22195d1dc7a7623ec6ae698e200c819d009ceabea6002cc5cd76a8e4f57a642946d40d041c09f373d13e89c6a8179bad79332c0052b63b763f79

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
295KB

MD5
61c46b8d58a68b1789e5be0dec96799e

SHA1
1cd2b3b7b8b5b75a97194279173558312b538a4d

SHA256
eda36c93f81f53d33547701850d3c812df5c6e1fc580f24e3bde5b8c5c838ad0

SHA512
3087daa398c0dc8f6f0c678286e7660cc1f594ab0fbdcc234587559a3a8bd97581a34aad37f18e16722f2afd7720cf624e3b59c93f45b571da580f532afb823d

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
295KB

MD5
a2ef266d53205fd83046564646e572b4

SHA1
dd6ec84d7947d151101c77d9789f27402762749a

SHA256
a964e1371fc0f65bd77c3cb89e36628e98b448c1154a39c44be381c9099ac3fc

SHA512
ca064c44a99430693dffa47194575a5e085ba4f66a12f11a00897958cf7cb547f611ba829a6b595219bec823739d02c5786c573a8cae0679eb5d016e6eb0a589

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
295KB

MD5
eb89e4020a14d9c88177b8af21e2a123

SHA1
62a5a8248536da6fd8cdd0cb621cd08b64580a2c

SHA256
729180c3e82e060899170ca91836906009f69c3e2d3e745e926e2f723ae01b44

SHA512
0c67c0e5bf58927829bfdd34be0188f4df2e042f115ba16920b34c7d3625377a0384c4432709c14e1f4c742de5ae086599b07cc2144f6dd333b19ec84800ca8c

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
295KB

MD5
d226a963286f68b2af49295dc85bd30d

SHA1
10fbc53df75b801916d7fa819d357bde6674dcdd

SHA256
8ef4c9261dd0047a983ae48fca632bff1f8f6e7bfec36eaf9f16f31c077a4a66

SHA512
462dce3ef2285421c4f09f1967e4753b88178cda2035eb3cae1cb71ff5b1070af2c261c27af75743281fcd6eace8c2085eca6e794ad03cc732f3a36ab57e3f83

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
295KB

MD5
7a1a25454193c9ad4559786537a0f687

SHA1
c2c86ffdfa5373ff1025f5bcee284824021d73e2

SHA256
46ea4190396f8f32ad1a995c3b5ea3ea83f4d714bd24b8c05f7ffa2f2eeb0165

SHA512
b3c604018dcec65b7593e435ad09c207c7777d3ab411f1a5f72c8e22691894bbd82c3043287226a48b735c7fa7471e5faeb43fec64159c92b342e4b9a0267e45

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
295KB

MD5
03ec0f803c6496d6f5fbe11ea06ac1c2

SHA1
77b1038bbdfa666f89583c757e4b1609ba6f5cde

SHA256
d91bcb6936f9fd30792fad078b298ae528247add2694167663860e7b7926c1ec

SHA512
44ba8d7c69cd9aa7d7d006906bc86743be65b8d4d74399c7db66d56fb5c7ed9a0d2df347ff72147470f8fbf1e999774170a702486a82c324e7233eb42fb94bb3

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
295KB

MD5
b190620f5d60838db8c593fdb46f984e

SHA1
1c226ac4288ee5d4556f5393c6e85e4aaf80d34e

SHA256
989fbd12e5b1a3f30b71ac8502c4d33b596a60604028267c684bcf20772a2e63

SHA512
95c3389e1ca2877c7323d826544ad4cdf9a34fe21888cad47f1e4eff1c399b6175f37ccae7441e7ec4b870216079e40a5e4c1044a730fde462279b823f39dada

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
295KB

MD5
358daf41a899f23f6cf7cb13e4a135a8

SHA1
3a3e18b5406cfa5aa74ab1b5cf007be333b89fa4

SHA256
0f6cda516a2a7c77e04e86e41c36ea7b77ee0d9685edf55b44c0a1a60f61178c

SHA512
b0d9132554ca66c226361db3635d409e4f99c86523c017a1224fce91b3bf1fd72aa76c77282097a7e2c3d65a6f65ab88cfc3d42afa316c19b2aa833bfdeec010

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
295KB

MD5
ce6acab74eb75ca6ebece76da9ae666f

SHA1
8e0417cf4c5a76190ae875e9b4193cd202340a19

SHA256
ab2ce413ef29966510d216f04b3faaa85a602394eb941d10cbce6d7ccc6a353d

SHA512
26041c8f32ab62afb90c58e6ef3886296f6655b0b4123c21553cd325018e06e9ef242881d8ea9a9f9202206490d1aeb9571839282a0e498aa0e4223df8979187

Download Submit
C:\Windows\SysWOW64\Qncbfk32.dll

Filesize
7KB

MD5
db5227ff98179170b48e83b151a06295

SHA1
5d800c0838bfa989b6a841babdae2255bca18202

SHA256
d36af1b79a8c7519ce91d6c51b5ee4a3fe24be2508cc4a8bb6513307cf78a916

SHA512
aa1180b4b01479676cf9330e36de07f2b068e09249903aec46a0cfcaf9b02ada20b3746f961bf199e0b9411a340a358b6c97740edc6b4a5d7a97c2a76a1abb59

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
295KB

MD5
23e2fbed46780f0414dc7f6b0c14692a

SHA1
8a32caa63eff8be3f1278a2a075ef09ca24680e2

SHA256
78e230284b8f2e69eef40cadddc0096b5d5cc28ee23b2bc55ea9e14d6021bc9a

SHA512
ceada90bc3a2fb144585e0d3a254ce02144e6c1546b588ab773c0bc2622054ab6c3513dd866a5fb2ec4fa6c151b4ade822ff4422106c5babb6a66409d5eec64d

Download Submit
memory/8-305-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/116-400-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/264-136-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/508-149-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/552-585-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/552-64-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/552-895-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/732-394-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1040-311-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1076-453-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1164-835-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1164-294-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1168-904-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1168-562-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1168-32-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-276-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-842-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1272-250-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1348-316-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1472-513-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1508-626-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1508-112-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1544-593-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1596-495-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1744-531-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1744-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1772-592-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1772-71-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1788-755-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1788-519-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1844-613-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1896-447-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1916-282-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1944-288-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2036-202-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2116-323-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2168-634-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2168-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2228-258-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-361-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2428-120-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2428-633-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2432-553-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2448-471-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2536-241-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2636-47-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2636-572-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2688-583-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2688-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2772-391-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2844-539-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2856-218-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2892-483-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2896-355-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2900-172-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2912-545-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2912-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2996-605-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3000-411-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3100-507-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3268-546-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3280-176-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3280-868-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3312-334-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3384-441-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3404-586-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3460-429-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3600-459-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3628-157-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3640-477-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3700-888-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3700-95-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3700-612-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3836-234-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3884-525-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3944-263-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4052-210-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4176-573-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4192-810-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4296-435-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4344-372-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4372-422-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4392-465-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4400-501-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4412-270-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4580-423-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4604-165-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4632-606-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4632-87-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4652-39-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4652-565-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4668-620-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4716-619-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4716-104-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4732-538-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4732-7-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4736-532-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4880-489-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4900-627-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4928-80-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4928-599-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4948-566-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4960-23-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4960-552-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads