f0e82ab8e75ed22eb1c99f317748c29b64a89c3b67e1191e8b133d8e79ed5206

Analysis

max time kernel
105s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a10e8eaee3be99f2c5c2fe81b133e20N.exe
Size

340KB
MD5

4a10e8eaee3be99f2c5c2fe81b133e20
SHA1

57e6ada65ddbe21fd458f5ef19539673b24a4a6d
SHA256

f0e82ab8e75ed22eb1c99f317748c29b64a89c3b67e1191e8b133d8e79ed5206
SHA512

fb01c5371f50ee816e40bb3e65ef996bb83947e39149b6c01aab1196e13f317758572e5487d51703d15016de90c68cb298b2c6660ce830d33f7f8b79f49b983a
SSDEEP

6144:HMRIyedZwlNPjLs+H8rtMsQBJyJyymeH:tyGZwlNPjLYRMsXJvmeH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4a10e8eaee3be99f2c5c2fe81b133e20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe

Executes dropped EXE 64 IoCs

pid	Process
3288	Ncfdie32.exe
536	Neeqea32.exe
4784	Nloiakho.exe
3244	Npjebj32.exe
1996	Nfjjppmm.exe
2916	Olcbmj32.exe
1124	Odkjng32.exe
4516	Ogifjcdp.exe
772	Oncofm32.exe
3944	Odmgcgbi.exe
4280	Odocigqg.exe
960	Ognpebpj.exe
1272	Oqfdnhfk.exe
2928	Ocgmpccl.exe
3080	Ofeilobp.exe
3076	Pcijeb32.exe
384	Pjcbbmif.exe
4656	Pdifoehl.exe
3784	Pmdkch32.exe
1236	Pgioqq32.exe
632	Pdmpje32.exe
2912	Pjjhbl32.exe
4528	Pcbmka32.exe
4792	Pfaigm32.exe
224	Qmkadgpo.exe
4564	Qdbiedpa.exe
2728	Qcgffqei.exe
3704	Ajanck32.exe
2628	Aqkgpedc.exe
3548	Afhohlbj.exe
4000	Aqncedbp.exe
2176	Agglboim.exe
4996	Amddjegd.exe
628	Aeklkchg.exe
4780	Afmhck32.exe
3144	Andqdh32.exe
3168	Aabmqd32.exe
3664	Acqimo32.exe
3108	Afoeiklb.exe
2424	Aminee32.exe
3192	Aepefb32.exe
4572	Bfabnjjp.exe
1436	Bnhjohkb.exe
2308	Bebblb32.exe
2860	Bganhm32.exe
4512	Bnkgeg32.exe
4872	Beeoaapl.exe
4304	Bffkij32.exe
4756	Bjagjhnc.exe
4172	Bmpcfdmg.exe
644	Beglgani.exe
2664	Bgehcmmm.exe
3940	Banllbdn.exe
3132	Bclhhnca.exe
4604	Bfkedibe.exe
3668	Bnbmefbg.exe
3396	Belebq32.exe
1592	Bcoenmao.exe
3736	Cjinkg32.exe
1268	Cndikf32.exe
4080	Cenahpha.exe
3816	Cfpnph32.exe
1432	Cnffqf32.exe
2140	Ceqnmpfo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5768	5664	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a10e8eaee3be99f2c5c2fe81b133e20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4a10e8eaee3be99f2c5c2fe81b133e20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3288	3888	4a10e8eaee3be99f2c5c2fe81b133e20N.exe	84
PID 3888 wrote to memory of 3288	3888	4a10e8eaee3be99f2c5c2fe81b133e20N.exe	84
PID 3888 wrote to memory of 3288	3888	4a10e8eaee3be99f2c5c2fe81b133e20N.exe	84
PID 3288 wrote to memory of 536	3288	Ncfdie32.exe	85
PID 3288 wrote to memory of 536	3288	Ncfdie32.exe	85
PID 3288 wrote to memory of 536	3288	Ncfdie32.exe	85
PID 536 wrote to memory of 4784	536	Neeqea32.exe	86
PID 536 wrote to memory of 4784	536	Neeqea32.exe	86
PID 536 wrote to memory of 4784	536	Neeqea32.exe	86
PID 4784 wrote to memory of 3244	4784	Nloiakho.exe	87
PID 4784 wrote to memory of 3244	4784	Nloiakho.exe	87
PID 4784 wrote to memory of 3244	4784	Nloiakho.exe	87
PID 3244 wrote to memory of 1996	3244	Npjebj32.exe	88
PID 3244 wrote to memory of 1996	3244	Npjebj32.exe	88
PID 3244 wrote to memory of 1996	3244	Npjebj32.exe	88
PID 1996 wrote to memory of 2916	1996	Nfjjppmm.exe	89
PID 1996 wrote to memory of 2916	1996	Nfjjppmm.exe	89
PID 1996 wrote to memory of 2916	1996	Nfjjppmm.exe	89
PID 2916 wrote to memory of 1124	2916	Olcbmj32.exe	91
PID 2916 wrote to memory of 1124	2916	Olcbmj32.exe	91
PID 2916 wrote to memory of 1124	2916	Olcbmj32.exe	91
PID 1124 wrote to memory of 4516	1124	Odkjng32.exe	92
PID 1124 wrote to memory of 4516	1124	Odkjng32.exe	92
PID 1124 wrote to memory of 4516	1124	Odkjng32.exe	92
PID 4516 wrote to memory of 772	4516	Ogifjcdp.exe	93
PID 4516 wrote to memory of 772	4516	Ogifjcdp.exe	93
PID 4516 wrote to memory of 772	4516	Ogifjcdp.exe	93
PID 772 wrote to memory of 3944	772	Oncofm32.exe	94
PID 772 wrote to memory of 3944	772	Oncofm32.exe	94
PID 772 wrote to memory of 3944	772	Oncofm32.exe	94
PID 3944 wrote to memory of 4280	3944	Odmgcgbi.exe	95
PID 3944 wrote to memory of 4280	3944	Odmgcgbi.exe	95
PID 3944 wrote to memory of 4280	3944	Odmgcgbi.exe	95
PID 4280 wrote to memory of 960	4280	Odocigqg.exe	96
PID 4280 wrote to memory of 960	4280	Odocigqg.exe	96
PID 4280 wrote to memory of 960	4280	Odocigqg.exe	96
PID 960 wrote to memory of 1272	960	Ognpebpj.exe	97
PID 960 wrote to memory of 1272	960	Ognpebpj.exe	97
PID 960 wrote to memory of 1272	960	Ognpebpj.exe	97
PID 1272 wrote to memory of 2928	1272	Oqfdnhfk.exe	99
PID 1272 wrote to memory of 2928	1272	Oqfdnhfk.exe	99
PID 1272 wrote to memory of 2928	1272	Oqfdnhfk.exe	99
PID 2928 wrote to memory of 3080	2928	Ocgmpccl.exe	100
PID 2928 wrote to memory of 3080	2928	Ocgmpccl.exe	100
PID 2928 wrote to memory of 3080	2928	Ocgmpccl.exe	100
PID 3080 wrote to memory of 3076	3080	Ofeilobp.exe	101
PID 3080 wrote to memory of 3076	3080	Ofeilobp.exe	101
PID 3080 wrote to memory of 3076	3080	Ofeilobp.exe	101
PID 3076 wrote to memory of 384	3076	Pcijeb32.exe	102
PID 3076 wrote to memory of 384	3076	Pcijeb32.exe	102
PID 3076 wrote to memory of 384	3076	Pcijeb32.exe	102
PID 384 wrote to memory of 4656	384	Pjcbbmif.exe	104
PID 384 wrote to memory of 4656	384	Pjcbbmif.exe	104
PID 384 wrote to memory of 4656	384	Pjcbbmif.exe	104
PID 4656 wrote to memory of 3784	4656	Pdifoehl.exe	105
PID 4656 wrote to memory of 3784	4656	Pdifoehl.exe	105
PID 4656 wrote to memory of 3784	4656	Pdifoehl.exe	105
PID 3784 wrote to memory of 1236	3784	Pmdkch32.exe	106
PID 3784 wrote to memory of 1236	3784	Pmdkch32.exe	106
PID 3784 wrote to memory of 1236	3784	Pmdkch32.exe	106
PID 1236 wrote to memory of 632	1236	Pgioqq32.exe	107
PID 1236 wrote to memory of 632	1236	Pgioqq32.exe	107
PID 1236 wrote to memory of 632	1236	Pgioqq32.exe	107
PID 632 wrote to memory of 2912	632	Pdmpje32.exe	108

C:\Users\Admin\AppData\Local\Temp\4a10e8eaee3be99f2c5c2fe81b133e20N.exe
"C:\Users\Admin\AppData\Local\Temp\4a10e8eaee3be99f2c5c2fe81b133e20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\Ncfdie32.exe
  C:\Windows\system32\Ncfdie32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\Neeqea32.exe
    C:\Windows\system32\Neeqea32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\Nloiakho.exe
      C:\Windows\system32\Nloiakho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
      - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        61⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 404
        83⤵
        Program crash
        
        PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5664 -ip 5664
1⤵
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
340KB

MD5
c3af4f0fd4f6f75d8f0d5a21e66e153d

SHA1
f4a68f3528182e2b427b247f864bcd7eb049fa14

SHA256
856b60ff94783b0855114e4c328a29a98e56f9ee5cb32dc9e9443476f03aad96

SHA512
efed2cfae860acfa911cbe22af2edb8e35d0a5cacb8c15e7e676867d58735ae75aeac619e46eca7f97dee090f71e13e055e7e52103cc30875594dbeaf5aab69b

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
340KB

MD5
cabe78c3435c44fbca8eaef996a8eac7

SHA1
9b718d0bdfc4410e2822e45346ba22839b40ed88

SHA256
9af345642418650089eefc1d2bdad8605495ba0250f90ff576f1533fb4f2122a

SHA512
eeb8f6713b5aafdae3a0df37b22726381037f185f59658c96b1bd265a99499ccd4fcd77c4327a6d843a6f5f228980df445fb4ec92aca86cc02569da22f85ad19

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
340KB

MD5
94c2403e3a8add07acdd54a2a6f341ff

SHA1
9107f2ed7a3df221b58e1462b1342d2420ef9df3

SHA256
605db44274bc0d427ed3d162fb600d347fc6b9341d4807f39c9bc9367faafb72

SHA512
0e9049f115eb9422c5388d43e18fa880773dea595661434dcb787aecfc40095ff27c71cb3e97533e83b23b7f290abde90d610e25f2a1c17fdf0b88087c079061

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
340KB

MD5
93b40f50b2848b48523d11d7ee781cd5

SHA1
99d3adcebd3df0240e76ff4580acb2714e6c3c17

SHA256
5a113112bf0fec57c3b810203d8292b858f11d9e8b52ce80b67a622feee285cc

SHA512
9536909ec28aa0ffad567c7491384533e11c81a8e5002fb3433fd8cc474e7fb28e5a0ce219760cb3b9c01a8a29d1afa212baa97d6d7ab0a0df86142f48c2f832

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
340KB

MD5
b2400d90eca8e4ca6818f402976539d6

SHA1
15dd73b8b2f67dfa703817ee8a8d4b0adf4b5e58

SHA256
05b23f2ed8938438431739648198583d0a720325526f912dee70eb873bc3a156

SHA512
9c1182cd1b28f8a5a0950746682ac50d3c6d8ef65a71ff0920c3093c46c45952493f15a17e533859b3113656e095e4e0949621785c21e7becf4af9c890dbf111

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
340KB

MD5
d56bc1058601a4d3b72770ba7550fe93

SHA1
27021b6fb533a6fd6553e9acf9cae68f4d1b7cee

SHA256
e0bca28207f30330a4f7e7b5e2274d6196dd6f198ba7bac1c3eb40202e279cbe

SHA512
6bd892bbe4446d2ed00ad6400d660f1a4746cbb3fdbdaf6b8bc68a4702eb170a6d0bc7d9ca477089ab0206232ed49d3f3cb01eca9b491e8f10bc349149764059

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
340KB

MD5
e3cfa361b5feebd7bd0ef8b22a75a870

SHA1
136f30886a433a3b30c279787402a0fbd8ca484f

SHA256
c18a403343a80eedf3f8aaf28b71909e3c8c579dd1901b0551a43a4450de7271

SHA512
42c16f5b83cf35827e05fd0a92d30f45a58bf4544d2524d788c6a3d84c35686aea9c7356fb362ab5026b84889662afa0ac93620a427cd23a0e248bcbc0344cc3

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
340KB

MD5
d3b8b45cabd1011184c4380ad3f5cc20

SHA1
5b6179e079dac745b9bee9980644764f9d5a78ca

SHA256
0d5da8f70dfb19b3cc89f7c6c0e3a2176c72ab4843fabdf863c6ac0cd75d14b8

SHA512
e7d9ca427d0a262ec4f3e794ce8b853acad62d60ba925257a81e47a6e2a33f8d5bb1636c7283c93d356c38b14dd4b41861be133703ffddbfee75cb96ce6ead0b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
340KB

MD5
9961fd06628c25603b65bc2c118f8a8e

SHA1
fd4f5cbc034623a0a7af8c724b96a2370eb772a7

SHA256
357b9f780149d9bbc3190bbc42357fc129e09bd6796d030dce877a5e74e65ce7

SHA512
81822a2c74ed38e9711c3ea3c4ceaf27e85732a32dad66bc2797358312864985578891fc5057caa1a8293bacb8d45912211f5664ddb69f0dc3e0dd7c432435f0

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
340KB

MD5
dff244af9e6b0b35c900fe6d5bb22694

SHA1
f866f821336d3ae7d1343fa43b1dc67ba88e3103

SHA256
68ec29062fa0193f411fad5f4eba1f390364b7bf83027f16cdce920a2e9f8e6b

SHA512
ad8291ab5942e5f5d89d4de676838a051f965bab8aa612fa3b2d5bf7b2ae13e3f455e6c79a59b5088e7d1e61fcbb44988c8bd3784c4df37d3861c4c166389378

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
340KB

MD5
96f8facc1088b70049bb958a8d047c75

SHA1
da3ebb5ad3f1b788702298f0d434917709716700

SHA256
b291fbda853c0e6a02b5edbc2a4453d4aba94aabbcf0c6579655ff05b4e07524

SHA512
e3b4b470abc664ffddff72163d76741fca93be6194de665b72d7ecd33857e0c119a28c858f46a2ed1a1d34abbaa800ae3fbdcd33bcbcab02765f5567a545a1ab

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
340KB

MD5
e95d6e513131447b01c6ee110038ff63

SHA1
d231c718a064dab34529a63766bed71b31051119

SHA256
d8ac5f67eee96cc27409be4755ae096eae1893690c1889ede021112c98158b6c

SHA512
fa7ba81d49e9c3d3810ece9fe51951e1a474822accbe67408cddf58616efeba08e02c4bbf507bdb385a5b7867ac22dbe4d002170e4a5ca3ed5814eff910621c2

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
340KB

MD5
96c8792392402fc38588fa843e1caed9

SHA1
af17bb47d6cb73c9d6fbbfa5886467c0e277648c

SHA256
a0c3bc0aefe994eb25b5d3134ad2dbf64a063e6ea23501fcdbeab60669555111

SHA512
5db2f55479c75b751437dd2d7c55849898e91713277542f75d3d8dfa79dbdd857796308c7e1b08476446527529b5a528c6e91b9b51560e7a29ba8038a56e8263

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
340KB

MD5
6768136f9ef2bf422bbf5eb36458eac0

SHA1
7ce595c745afe3a4becd138a8c7fb683138a4b19

SHA256
a821a9b1deda4a48a712d1cf03dc2f5222676557d0d608db0e442ecc8ee07b00

SHA512
11fe0612347fa41b3e336d33eacfea1767e40b502885474c78a4ff6e36e975f18f0b7eaf90d8eb3a8820222575eb36d3ca536ae36e9b773d86fd226652b0d6a1

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
340KB

MD5
25abd17ff758061efdaccd472e0ed2fe

SHA1
4f41de5788dfecb2efdba1b0d618ad51fb24d2a7

SHA256
c811566d8ddffce4df296dfd5585c525471d6c7910c9b02176b45bf97bc139e8

SHA512
a0dbdd8d2c58c3fb5c5964f4781c19cb0631735c827defeb4430417a5e9c6f720ea266ef304bfb745b66de74e465233506ac97e63ad6f3dc177480881a9cc6cb

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
340KB

MD5
312bdf8f9155aaec781c0ba9e87c906e

SHA1
435f13335baa6b9ee24719a82433210ae74721fb

SHA256
ffceb7a51476e7d0225971abb6bbcfc8aa3fcf2319905e7ec69fb29ec002e11a

SHA512
f13f735e13003ae801b1378f1a634f48f14a4a453a6800ad849fea1da7f920ddc9e46c3d4dedd5081dbe516a9c101d51bb4ff17fc5865096a65a5257e89c2875

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
340KB

MD5
2f217032d8cef309b41a65cd6da7a868

SHA1
adf9a36b2d6943f293986a4dfe2be41049ddfcad

SHA256
0b5b14cadd92eaf90c038a4080870bffa84d4977e58835e9499c2a3b0210ad62

SHA512
da6085da31b3edd9f5a21332c6451696bd40439cc20ebbd617f70d7e09c82e79e24e22f0b126b60e286b1d3953d9cd8db52db1b28fa9c352d473ff493947cd64

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
340KB

MD5
1250ef306ecf8f2374a8fba2cdd9b814

SHA1
a86ffb556282dff6c35aff89a88aa9bde44aa3c5

SHA256
1712d1e1e5a85441fafdc794f73aa3150a847cc16f52bb1bbc85aef1a8a654ca

SHA512
7d0a7e474e12084ec4bfd2fc955f39722490946e37bd8bc937808b768b380e40f2f1722dcdd9206282c42de55289df89472fdd90eed7122bb4a7d8916d4bccef

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
340KB

MD5
32cfabb8b55269aa4d20859ba127e1f6

SHA1
6f7aad05f563beff0c68ba4e138176ad34276711

SHA256
66dcd86d74478dee330e2727baf5d924bfe0952ca34b7ab35a4f5640c569abcb

SHA512
162e5f9c623bede50957de2cc67a1ed081cc0e032fa494e683d419c1d948620b981b59a2b4b9634b69e79852311d33db37579df17caaa8fafd94f54d0f595c29

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
340KB

MD5
72a3eb9219f54b3980c6587818beace6

SHA1
f97f7a1f1c5c14163adc2bbc3a27aaef1f72d1ca

SHA256
ff1561db7844fb651f9b160adc085ecf5a18583cd3bf3dfa1787f6440621e26c

SHA512
fb991f5ebc7bd8c3e05830772b4caf87dfda24d7ad0a07c0ef0f420944d31f74c881a8791ae4318219746bad7cb1cac3e030f2b925a4d407db334d9de3828488

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
340KB

MD5
690a97742d34af254d3f0f1c7b775523

SHA1
6fa92ad25e7c53e93277d7730b22ee6cbf1b87e4

SHA256
93145a2411b39adb14dc425bc83c4f849e4be091c8c8c698af5d005657eebadd

SHA512
e4058ef0988ea695a322b69122b48a683cc1e3c012ea2480f938a80bae63821cc276a6ef60852336a1c0b2e8f7185b1c96798f71644dd68f9f17b7af5ab52570

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
340KB

MD5
d4ecfffdd58e2a6889c776b9200df17e

SHA1
880c9eeb664bfedbba9b9827a4b08d849e1d0b6b

SHA256
b4eae9c46a7cea7b8007a90520d083b935fae4ab7c39e8c13c4fcceff25737d4

SHA512
4361efdee17ddfefaf7cd7ddfc3757946061a67c78ff7e47fa88b82ca11df9c5a1e7e7a09649921b962272609a2237ab131843b633e6e9bd3c8ae2a7f64dd35b

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
340KB

MD5
70276f75f0211cd02958daeb11d6938a

SHA1
2ae353ad45ccffa1c982e23f0dbdbfbed64a22e3

SHA256
06e89cbbfca81f9f6b093aba069acc69f44cbeddae317ee4ff0ab26ecfe61e4c

SHA512
ece09051773d436d8c08bda0dc85f60c8b54ce52ca5f05c4e765edfc5090ec3e301a719f6ee5df5d3b14c40e75f46e6f7521d09cbbcc0bf707a0af50f3ce744d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
340KB

MD5
a6bca9a48e5cb3bda93add7cff32d1b0

SHA1
39dbd47e129d47aab79b069ea7a77f6b118a1c96

SHA256
9941bc6eeb2de99c67df42672353d63490e87c14d4647006dd704872ae17936d

SHA512
767996a647b1b7c30fa74a58cf5061fac68cd4a2a9b253ec5273852720832dc18a76e3ba8cda4fc52e411037c24e9514dd3212da16fa061ddf54f2e9d2be8c45

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
340KB

MD5
9a1afa0eaf40b69c9dbc0d82350c37ee

SHA1
ed4349db37deada8935c7c558dde923517056111

SHA256
5985503c6ed29a4d06588e75da466941b17c034a4a7d3356e38b42353b2fa390

SHA512
c56d0b728a72194b3cc00ebc0e29905e81e5341db50d0d9ef5c92d6ea19ce643036767b52b13f72ef43dc520afa5c74493bed428e319bf9132b3df77113f7d01

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
340KB

MD5
07bad3ddf4f8bd4c12b6ad654d01ed2b

SHA1
807121aa2fd520a4b787326e00ca9b64062460c5

SHA256
44125fe5848cab4361f9b499d1999a5324c25d5dba1d3c678139a3bfd30f38fe

SHA512
c1e0535310f7a6d170790c5a08eaebf8e1ecedcbe851232ebc3d3b4e54b524da98a95be67ee3ccf34110cc4fd2b16da4cbb3db5203d5a5622e6c3270951a000e

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
340KB

MD5
c709688b1cda976a381fe80e854164ad

SHA1
394709200b7ccc3c43a466fafacb8a231cf266cb

SHA256
682db8d897398203b0746cd3d76b037ebfd14ff07e84e157854f79721f7006b1

SHA512
c095a8ddd306c8a6944e6324dc7c24b3f4ad6d6569d65e2a1a77f3386bc0b85ce7f875ae3196c3df4d1bf1d385e9e40d0ccfa8cb56031a5e6aab8456974fcf21

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
340KB

MD5
8eb385cbf051f2c5423f0d59fa5e0ef7

SHA1
bdbb0c25d1e3e959695995f1c9b70dd9d30e247d

SHA256
c97f10bb725d07b54d401c59abbf07461cad2dac98d3bea1e5ec4e3ebd608b38

SHA512
c7c7cae2ad8cf33c1aee7170b002d80349cc301b70dcabff9b5fae046b35f76f0023217cdc63d4819b40f39860f35a68195b110cb2974bacdf44526823a534ad

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
340KB

MD5
c26538619d12cbf8cab9ee0f2d35730f

SHA1
920a47820564a2a2581e4c681df7325e192ac551

SHA256
553b9efff6307608d7594019b4b746a884e33e5eabd22c4736b63b61be24a113

SHA512
5faee351f3c878dc56af5232d2d5669228b253c825e719b064a99bebfd3be8302fd3b5f09678a4f4a97bf437fd316ef1818eaec57d61b2c3f21d8ba1317fe77f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
340KB

MD5
964022ac61bb58570ad7e3afe1bdd07d

SHA1
e18d89af51b36917228ca3594b7acc9541888cea

SHA256
40316ab2d824a4e4b00645f664a5ba4419cf330b1f7605957b3ab473dcfb0dac

SHA512
6b967fff2ea19ec7d819b194f2e1d00690ad5014bb091d02b6ca4a11bca3b744bb207616890c607e8c9031da664bed3fe2f4b858aa4977c70e2167ce9e06c717

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
340KB

MD5
a1d061c4207b86ab77e1c0735ec8452a

SHA1
61024db9a462cd0c48446caaed9aee16a663c1b5

SHA256
34af8533c8db6da7c16339b5c954acfa4b767c2c026ebf33f1b365e99a6bdd1d

SHA512
b6fdb2097aeb43fff77727fd5addaab5984a70422a040147258e8e51a0d497b4925d3131907676456df3ad036273b6416d6995ccf129e3647278e8fcc4691735

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
340KB

MD5
8fd86b6245166ebdb96f98f292350557

SHA1
c87de67dc8d2d73066db9c16a83e9488807b73c5

SHA256
3ebbdc3d03126c9a20a9d24626895b6e2039882830d6d2d2962a9d628993d84b

SHA512
1bf8afbd8792657706892c24777e32c294ebdbecfadda70c88e9b0c9a55fc51017e51d22a06421dd79b12985c871cbae269a549d706ae671c690e70c9d23f9c1

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
340KB

MD5
3eb7c3f8387c391be527b5b1240a4c06

SHA1
ee81b412756a8804c0cd8516962fab68d70e5204

SHA256
9ed149fb407153b9959c8c6ac66b3d4fe64a10f0b6e8f0503df47f91433d2625

SHA512
be130643d349fb96f523878f7d15306d4f43463b2a2f2d3f3a87362e05bdb908b14d85a7ed82aab2f6c5f99b48d2e944c8c9c5462d14b21a0ff6de0c36c000e0

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
340KB

MD5
8d1b33a2d00318b11de6e74f675c0bc4

SHA1
607ddf108eb3821233feb85aa796ae09e0af4b0b

SHA256
1e0ca96216de042392ae8feefe301625f363ffc8149cade37576189df66d1efc

SHA512
57edc8158447529d47f6298e43532f256dd6ea8381c2f4b8d1f57eca496a014d28246aa500b370921c0ae2e9b0f8d593e50b734bacf8bb96bb2c1d107be10409

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
340KB

MD5
db29dab4015e7c8df5fa7544a19e812f

SHA1
3509fa8572402b47c2718415b586e1f5e66df83e

SHA256
4815583fa5919ede551daa701879d3986d7bae07ed065b444eaa9a9adf9696a4

SHA512
7debf1aa2fd81fe1dfb2a26def57344eb34876413096d6e8b9e59a68a17a9ff0a8b9d0a83f6b8ceffc73fdd2c4ac87618e70f30243d496052402ec2751654f1e

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
340KB

MD5
793710386aac36ed04c99dfb98af8eee

SHA1
98a2da259cc51b589a05fce03af4f613db4e0558

SHA256
0818cb2bfe6f62cb99081dfc2228fc2d502358db90e6cb6c4eb961ed9796c832

SHA512
bf1dfc0917e824901d34d23dbeb9353232d296e80dc2156c369ac122e3493caad74c945c21b41caede9f23c398e7cbd9ba73a0b92032772d45b8a97dd0f25b41

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
340KB

MD5
c66ece428fa9bba1bc92852f326f90a8

SHA1
762fdea320e14854dee895b3d695bc441a72ef4d

SHA256
520c18aea07d308c56bd28c1cd6ee337f32bebb19c23e8ca1a5005832ca60c92

SHA512
034e7882796156eff709c7d7604732c4184bf894bdeabd29fe0c893c3b9f1a486f7f9c6b63c7ae40444e5245a2a113088236e438bf99f45cc3678c69b9515999

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
340KB

MD5
12719d4ba782844fa24e4073776f79bb

SHA1
b8957b1506b3aa5a261699d0c8ba0554390f6e37

SHA256
bd016e0f842a90a468011f9b81c8a07bc1ad4f46503c9adc540611f4fe742e78

SHA512
cb060cf8cc80e20b02f44f18b54359e309d3c0b22bacf14ab2420e17e5c2dc837d602011dd785aacd26888861303af8820370536280c63c60fd5519a2343b44f

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
340KB

MD5
427ff6cf35439b5770ac9cbcf5ab3736

SHA1
4eeb807cc0dc37ad63a5df5b018868d060c18d24

SHA256
1db84274975060667048885438a81ad7e11a075859432c2a9e69fb8069c6207c

SHA512
ec9c4bbef8409809ebeda2f0ad78f42101fa4b499a3889e8b1539834f60c081420e3e82e41fc94b6edaf698aa29a65a33a564a94565e88de342bf18505e00ec0

Download Submit
memory/224-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/536-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/536-554-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/628-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/644-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1124-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1236-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1432-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1436-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2140-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2424-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-471-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2912-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3076-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3108-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3144-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3396-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3548-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3704-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3736-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3784-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3816-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3888-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3940-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4000-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4080-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4280-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4512-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4528-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4656-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4756-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5124-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5168-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5168-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5208-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5208-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5248-562-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5248-491-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5288-561-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5288-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5332-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5372-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5404-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5404-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5456-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5456-560-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5496-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5496-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5536-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5536-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5576-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5576-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5620-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5620-555-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5664-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads