edb19d14fc9673fea98cc7f3c89c5584b8c8ca03c8d4c0ff4e586fa1a995539e

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e386bf62ad8d8eab0c5067dc3841a790N.exe
Size

72KB
MD5

e386bf62ad8d8eab0c5067dc3841a790
SHA1

cf1630c637cb1e3d772a923ea51b35d7066f21f9
SHA256

edb19d14fc9673fea98cc7f3c89c5584b8c8ca03c8d4c0ff4e586fa1a995539e
SHA512

fee27f6812c2d4ee1994318067c38c2d7d68f5626654d144d18b08f196027237924cfb0ebda82caf58fcad4c5efeb61d8413ec6d2c2d15e448b18f026ceb0d88
SSDEEP

1536:aOWnYIvZc5Zrm880xaO/jS8PgUN3QivEtA:hyYIm5dm8laGjPPgU5QJA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e386bf62ad8d8eab0c5067dc3841a790N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe

Executes dropped EXE 64 IoCs

pid	Process
3740	Nggjdc32.exe
4036	Njefqo32.exe
4808	Oponmilc.exe
4024	Ocnjidkf.exe
756	Oflgep32.exe
2052	Oncofm32.exe
4244	Odmgcgbi.exe
1512	Ocpgod32.exe
1248	Ojjolnaq.exe
4944	Opdghh32.exe
1392	Ocbddc32.exe
672	Ojllan32.exe
212	Olkhmi32.exe
2268	Ocdqjceo.exe
960	Ogpmjb32.exe
1200	Ojoign32.exe
1264	Ocgmpccl.exe
2092	Ojaelm32.exe
3012	Pqknig32.exe
2448	Pjcbbmif.exe
1636	Pqmjog32.exe
3728	Pfjcgn32.exe
2916	Pmdkch32.exe
2364	Pqpgdfnp.exe
4844	Pgioqq32.exe
4404	Pjhlml32.exe
4516	Pdmpje32.exe
4840	Pjjhbl32.exe
2572	Pmidog32.exe
5092	Pgnilpah.exe
2820	Pjmehkqk.exe
3196	Qqfmde32.exe
956	Qgqeappe.exe
3460	Qmmnjfnl.exe
4072	Qddfkd32.exe
4320	Qgcbgo32.exe
3656	Qffbbldm.exe
3744	Aqkgpedc.exe
828	Adgbpc32.exe
3916	Ajckij32.exe
4192	Anogiicl.exe
1768	Aclpap32.exe
1612	Ajfhnjhq.exe
1452	Amddjegd.exe
1488	Acnlgp32.exe
3684	Afmhck32.exe
780	Amgapeea.exe
4908	Acqimo32.exe
5116	Afoeiklb.exe
1560	Aminee32.exe
2500	Agoabn32.exe
4664	Bjmnoi32.exe
2708	Bagflcje.exe
456	Bebblb32.exe
1860	Bcebhoii.exe
2648	Bnkgeg32.exe
656	Bchomn32.exe
1484	Bffkij32.exe
3228	Balpgb32.exe
5036	Bgehcmmm.exe
4860	Bjddphlq.exe
3908	Banllbdn.exe
1164	Beihma32.exe
2264	Bfkedibe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5856	5632	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e386bf62ad8d8eab0c5067dc3841a790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	e386bf62ad8d8eab0c5067dc3841a790N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3740	5112	e386bf62ad8d8eab0c5067dc3841a790N.exe	84
PID 5112 wrote to memory of 3740	5112	e386bf62ad8d8eab0c5067dc3841a790N.exe	84
PID 5112 wrote to memory of 3740	5112	e386bf62ad8d8eab0c5067dc3841a790N.exe	84
PID 3740 wrote to memory of 4036	3740	Nggjdc32.exe	85
PID 3740 wrote to memory of 4036	3740	Nggjdc32.exe	85
PID 3740 wrote to memory of 4036	3740	Nggjdc32.exe	85
PID 4036 wrote to memory of 4808	4036	Njefqo32.exe	86
PID 4036 wrote to memory of 4808	4036	Njefqo32.exe	86
PID 4036 wrote to memory of 4808	4036	Njefqo32.exe	86
PID 4808 wrote to memory of 4024	4808	Oponmilc.exe	87
PID 4808 wrote to memory of 4024	4808	Oponmilc.exe	87
PID 4808 wrote to memory of 4024	4808	Oponmilc.exe	87
PID 4024 wrote to memory of 756	4024	Ocnjidkf.exe	88
PID 4024 wrote to memory of 756	4024	Ocnjidkf.exe	88
PID 4024 wrote to memory of 756	4024	Ocnjidkf.exe	88
PID 756 wrote to memory of 2052	756	Oflgep32.exe	89
PID 756 wrote to memory of 2052	756	Oflgep32.exe	89
PID 756 wrote to memory of 2052	756	Oflgep32.exe	89
PID 2052 wrote to memory of 4244	2052	Oncofm32.exe	90
PID 2052 wrote to memory of 4244	2052	Oncofm32.exe	90
PID 2052 wrote to memory of 4244	2052	Oncofm32.exe	90
PID 4244 wrote to memory of 1512	4244	Odmgcgbi.exe	91
PID 4244 wrote to memory of 1512	4244	Odmgcgbi.exe	91
PID 4244 wrote to memory of 1512	4244	Odmgcgbi.exe	91
PID 1512 wrote to memory of 1248	1512	Ocpgod32.exe	92
PID 1512 wrote to memory of 1248	1512	Ocpgod32.exe	92
PID 1512 wrote to memory of 1248	1512	Ocpgod32.exe	92
PID 1248 wrote to memory of 4944	1248	Ojjolnaq.exe	93
PID 1248 wrote to memory of 4944	1248	Ojjolnaq.exe	93
PID 1248 wrote to memory of 4944	1248	Ojjolnaq.exe	93
PID 4944 wrote to memory of 1392	4944	Opdghh32.exe	94
PID 4944 wrote to memory of 1392	4944	Opdghh32.exe	94
PID 4944 wrote to memory of 1392	4944	Opdghh32.exe	94
PID 1392 wrote to memory of 672	1392	Ocbddc32.exe	96
PID 1392 wrote to memory of 672	1392	Ocbddc32.exe	96
PID 1392 wrote to memory of 672	1392	Ocbddc32.exe	96
PID 672 wrote to memory of 212	672	Ojllan32.exe	97
PID 672 wrote to memory of 212	672	Ojllan32.exe	97
PID 672 wrote to memory of 212	672	Ojllan32.exe	97
PID 212 wrote to memory of 2268	212	Olkhmi32.exe	98
PID 212 wrote to memory of 2268	212	Olkhmi32.exe	98
PID 212 wrote to memory of 2268	212	Olkhmi32.exe	98
PID 2268 wrote to memory of 960	2268	Ocdqjceo.exe	99
PID 2268 wrote to memory of 960	2268	Ocdqjceo.exe	99
PID 2268 wrote to memory of 960	2268	Ocdqjceo.exe	99
PID 960 wrote to memory of 1200	960	Ogpmjb32.exe	101
PID 960 wrote to memory of 1200	960	Ogpmjb32.exe	101
PID 960 wrote to memory of 1200	960	Ogpmjb32.exe	101
PID 1200 wrote to memory of 1264	1200	Ojoign32.exe	102
PID 1200 wrote to memory of 1264	1200	Ojoign32.exe	102
PID 1200 wrote to memory of 1264	1200	Ojoign32.exe	102
PID 1264 wrote to memory of 2092	1264	Ocgmpccl.exe	103
PID 1264 wrote to memory of 2092	1264	Ocgmpccl.exe	103
PID 1264 wrote to memory of 2092	1264	Ocgmpccl.exe	103
PID 2092 wrote to memory of 3012	2092	Ojaelm32.exe	105
PID 2092 wrote to memory of 3012	2092	Ojaelm32.exe	105
PID 2092 wrote to memory of 3012	2092	Ojaelm32.exe	105
PID 3012 wrote to memory of 2448	3012	Pqknig32.exe	106
PID 3012 wrote to memory of 2448	3012	Pqknig32.exe	106
PID 3012 wrote to memory of 2448	3012	Pqknig32.exe	106
PID 2448 wrote to memory of 1636	2448	Pjcbbmif.exe	107
PID 2448 wrote to memory of 1636	2448	Pjcbbmif.exe	107
PID 2448 wrote to memory of 1636	2448	Pjcbbmif.exe	107
PID 1636 wrote to memory of 3728	1636	Pqmjog32.exe	108

C:\Users\Admin\AppData\Local\Temp\e386bf62ad8d8eab0c5067dc3841a790N.exe
"C:\Users\Admin\AppData\Local\Temp\e386bf62ad8d8eab0c5067dc3841a790N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\Nggjdc32.exe
  C:\Windows\system32\Nggjdc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\Njefqo32.exe
    C:\Windows\system32\Njefqo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\Oponmilc.exe
      C:\Windows\system32\Oponmilc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        27⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        30⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        40⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        44⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        75⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        80⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        86⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        97⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        100⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        102⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        103⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 404
        106⤵
        Program crash
        
        PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5632 -ip 5632
1⤵
PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amgapeea.exe

Filesize
72KB

MD5
f14b1594f6f2a7b23630f8258246c4e0

SHA1
5838baf099187757a8d4c55174b36844b2e18564

SHA256
19ca0e0383ab81dc47c1580b44ec3a7ad8bb012d70be97e6094fe29b95be9e43

SHA512
91fc3f3fae94596c103d8f05f64624fb784e7cee8594881a0a5eff1c10f605212cc33bc2051baa50fa315bb56df23f65258e388dc57820b9118fd0f4d778a8af

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
72KB

MD5
8749f4fc1a79fbcd726fb694767671f9

SHA1
f530626c77d03ae4db38e772de8445ca91b59a03

SHA256
4d10f9f4dd779293a0e45701dea71a4ac00eef2e83048393ff3e29b8d519173a

SHA512
bcaf04393decedb39cc525c6e7f8beee42a13c78685e7f58c25185d00bc0e89e3b0335b8baeb55ccbb7fa043e054ec7d3cdd2907e37895741f15997913fe9278

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
72KB

MD5
fe02158ddeeea9939446a44a256ca62b

SHA1
bd6da3c11c4ec676895ae03e3c3d0986b354bfe7

SHA256
69119cfcb34ebd1b48eafc6ccf53eda565462f53b7824879918f93ffed0525c0

SHA512
a15ee4abd86c05f88e4cb840e631de7bbbac7a3a8194948aa9c353f0a4e518c83a360b8c606c19a7e6bb194085a9bdbbfb02f7b67cc5b2196904df6d7c2bfc28

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
72KB

MD5
543eaa43e965288f60ffe1439b4c88e6

SHA1
2719fa449b50ee9b2976e4981081fc5b382d87d0

SHA256
ef1d95ee4647956513d204e2f48da6b39bc4ee7c82aa37648cd24aa5c088d0c7

SHA512
15a4641736d36b3488eeab5b0b0bfb89720b965ba0ed9c33881426fce73a793007071b2c7f37760f6296fea2cf49aec10ce26b568dfb2b95e27d19e2a56424d8

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
72KB

MD5
11d03844275ea8f5ae2b0fa8b8b8e3c0

SHA1
34519d7d7553181765dc0e9a0967acbe16a558fc

SHA256
43fa208f4a36cc963f6badcc58a2dc6bd263199cd59d02972a9134188c6856f7

SHA512
8c18e341964c175e057fb4b4fd074a9954ac5a4f933d60470049294ca57679b8f4a4953af15208d14e3a73638266ea7eb5caf5dcb6e8a39fcdaf2c702b09d4a0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
72KB

MD5
f204634c59721cb11be2b77051fc42d6

SHA1
1c45b4058f1ce99f027837e2c67cc672f31eb536

SHA256
0455a9ef7b7b66c89a055f6c5e2eeca0c00a791fabec8ad600fc3aeb3a3f7b87

SHA512
2226b7e3ac151501ff649f99d4ae916f0f89cfdba456ce04b3d206eca871d9ba9ba6cda5c7b09ab5cc5074afff1469662a5da277f73c521a3f0bef3c0e872028

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
72KB

MD5
bb8e7da89a3dbd3f586d6ae1cf20cf75

SHA1
38408120f5cc4fa45dccf81a56c69993cfd34773

SHA256
e19e315b2c5f30b613004646568d7c46ad8229116e72e051f78384a572241807

SHA512
5db49ed8d9eddd1979c6dd74b5e1b1e551523bd369316af13ff4a349ae6f6f7525f52da6e2e1b543bca36acebf83d2b595c98cee3a053594efaac8a24ada70d8

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
72KB

MD5
d58baf9d7154eea74102d72cd95b0a8e

SHA1
da0d4a1d9f4fb3558f02cf5fb619ba955d7e9d60

SHA256
c04b0344abf1e878b56b7925b014d0dddf3f2e503990f11187d21bd93e8d323e

SHA512
f52a2d58c5fdea6e651bed338c59627d359bef9c1d817f5f4237338fa6542925a3e5216a7f44e93f659a7848076f92bb7939af7c47a48c1c09f870d9a49de007

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
72KB

MD5
51bffe7648cec7b31a4f15a5845f088e

SHA1
b83cfffc7a51f269b38202ef111dc70f26a13270

SHA256
723c863e2d50eeb292cf2f980616213dc5b797321b926fe6c1669e83573ba8d4

SHA512
2161bc1b20d9083275fb92ad56031f33527865946bc36165bdd5e27616398977d7d6b722abfbb88e324bcb40ce468bf8f58c1180bc934cd8541d4155a626783a

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
72KB

MD5
e17d80160fbece93cb313c6755574a2a

SHA1
6c36f82b9b72acc0734da07431ad84f1e6d495e9

SHA256
5830ed19c68e004f147e4945297d165a7591b55a89feda5cdc586920b59e59f5

SHA512
903ec052023a8cdedada9ecd23d9cbe7804acaacfc5852d06f50bab2d1e3f3413455db65e152bef9758f669d80a45bd122dedc59ed6c58719597ae31b5f48b6a

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
72KB

MD5
9d742a01b93ef4211794edcdbd908f29

SHA1
7e4025777c95010c73014dffc86b8267c61f4fb1

SHA256
6e0b1ebf37b12049384e418e207c299014f645c2e8fd91b05a1bdc7bf8ab78b1

SHA512
94d87fc37f9215d1776627a3b78dfad244a87e1db8278d0eecfb2613d7fb0db1acc0f27c2995d6e15b729ad3417928bec80dfc151ecdae87c30a654d4e3eddde

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
72KB

MD5
9f2cf32a58c72cdd3f718f169d400a2f

SHA1
d825a7ec4a4944de931d68167ce71c5ebf633dcd

SHA256
cae80d6580619e7b29cc6ec19a2f9a8de89e140c9d14950d48312b637861fa4a

SHA512
03c870138904155f7ab8c7d706433af04c28f3f7f3f4cf928952ebffcba97c455d4c24f1eefbe60f071e2ae00f61731b5020e8806c48a1050d5178c21d19ec36

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
72KB

MD5
ae6015c6dab4bf86601823373d00cdc5

SHA1
3f6ff554a53490d04a9ad63467cf460a8234f736

SHA256
79bceb98d13e7f5c726edb1a682072efaabe04c28b0bdb5c1b0c3f742d66528a

SHA512
8e109c907856c97686434696da9e1b18231eddf845e6a5d2af7cc4495c0569126e411025ca399cae561231af423521695ec2696e245a6f6f5b01cf715b3cc781

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
72KB

MD5
e1ea0bbd26726c191c9134404e63fe5c

SHA1
fa5d8ee3a335e13e71f88c3a616b2cfba62dc3ce

SHA256
e6dab0b09724ad183b3b31eee549f2a9e7164da0a61890a9053a60b651194161

SHA512
b13e7697fc6a30789c113cb6a67a5c95cad5b20949481f834ee3509ddff959c974f425e2e36b8cb62f5f7bb5495f7443f9f4a17e901b2ecaf8b7b99a2dbd830b

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
72KB

MD5
8e39446eb65c680a07370a7e1d4e008d

SHA1
fb7e628df872e9b92447d3baa9d8c08dea53a434

SHA256
efc9e4e2a09d5bc4bc457c106ae859374b355e305301c0ff4947dafceeb687cf

SHA512
2956be43b74c7f8b998b7278ff2993a7a3c5fb0e5aea0f9c19e2ce47e54c5721647673a1bd46e0fb9dc2d414c09d300a4c702abf153f19c069607c1c6085f679

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
72KB

MD5
489a0fd178d3c17a48d62fef1cbc6231

SHA1
7cfa72803918c28a64320a6eb13c74aaa336f129

SHA256
0d35fc5b407539bc4a891e379f7ab8b9e17dec0a0985870f8e359e1783483831

SHA512
3d2132193dab9201e976eadc2b476eff003a47f7723a0a75b6a9a5bb315477b1d4328db3d470986b153083f2fa53e640db4d4c92d67ac1b1a5b04e3c71326664

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
72KB

MD5
13cad3aa42cf2c59504c7cfe3564f53c

SHA1
338fe2885cc82c719631ce2a7ccd99ec4405ef6a

SHA256
2883084ed7f612b7efb19a1b2cde9611f56f78d4dfe6cc6634b7fd6a4b2fd5dc

SHA512
2377be4fcb44862e958e390d2531fa6229385b2c3b14f19e7ad1c5d13b1cf9c710c25281c919280a340a5f7452946a738d4eb77ef551c57ef40f11ec9f303a36

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
72KB

MD5
5ef0b3653075b446200caee3e9772d86

SHA1
4b7ac5b46be806f181bf9f1ec34c96026441d142

SHA256
9e524b7316ce930ad961231bef71579f564f7fde94dce9ce424bcb1dd74ac1a9

SHA512
90e37619ef086fe577dd52f2912613bd1e25798823e9392f0905056edd6673e1cb6699595962509ad2460ba86dc15e38c433dd9d84d459c8559339063f0317c4

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
72KB

MD5
726ec4b1d5996fd8b637f3c77b0e9b08

SHA1
496f1c0627618163f176d357054b65eadf359d62

SHA256
31dae84e1326caf6e1a0c834c7b23dd6c1945a367f47d56762ba8b58ef77f156

SHA512
9b9ae884e660664ef8d1ca2db85206f7cf4d597082365456150c7f164c65d4f06eec02eaf2313565bb7edebc1e7b46ea980bcecdf86a6c117b6989a99ca2adef

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
72KB

MD5
d6457fd2017fc41dbea12a58732da8ac

SHA1
51d3f9c83bc0999c26037825119b45639ae940ff

SHA256
2e3cf630a72cfd31d2bc17db63462080442a69cbff37655a5a6bec8f9f09f993

SHA512
5efe4b5417b4b0141eca0ef1a860cd9863a289825e51a1d1096b5e3acf7260ae4104a3942bd54df10cb4f8a5d1fe25d208096bbe2d7eda8cc44f2b0f6fbf34ba

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
72KB

MD5
c39f7e5b3a01c341fa80ecaa87d0704c

SHA1
0005a332309405261d41499cbc41538e9df7191d

SHA256
cd376a0d527bf77605ee15daa1b2827a4247a7cab7bf2032b44e9c449b99938f

SHA512
89060422afab69156b91b505c1afa542c3a9a20b22355031f2bb05a3b200959687df6f6c01f27b21538488f27e8ac59066a67c06a0ad6669e18eac4bff427332

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
72KB

MD5
3843669000da0adbab628a1c46ae6f1b

SHA1
9ff6bd17716657327f3a43a842310091dd4a94d7

SHA256
350665d45f886569995bb44cd9c7345dbcd754ed04ff698ffb30c7ef0474ec99

SHA512
2a55c50239f573366ce9be0d65dec327e8fe165ee15869813aaf1db3babc730b3d6f6e9c15d79025855eb87117a18461f058402b2ee489f747b98a1eca5846af

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
72KB

MD5
f56238a56fa721a91681762e2635c751

SHA1
aa2151df72b0c5db770d75a3b8bbcc63830dbcd0

SHA256
1afddef4f09cabee232b950215fed0b4db99789ecb71996ccdab802fdd77ec61

SHA512
64d074963aa0a9ac9f6483798eadd1de1c1a6ee0e3c8dcd576becf4195ade19a61680bb15f8c7fc9a703ee457564167d5d8492c00bc5253c09c52c8aaeb6cb42

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
72KB

MD5
2fd52a187152c12015f53eb119de4540

SHA1
4c631bdd8c03246487b165f05fbeeb6d46f282fe

SHA256
2af146a9dd6acd34d0eb74c0293a7f3f1f7ec6c862dbb764720384bb1bd2e98b

SHA512
21c5dc7f3024b1120d3d77d47da355cc8285322d687bd69fff651913db2cb76b7260f397cbeeb056c4c629663de0f0bd2b7527882bd26ea1959d4849c21f63af

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
72KB

MD5
1bb35fd646e4a342db2d630c409a0190

SHA1
76bd011a0ef845269c5d3e824b4e864392a97801

SHA256
d862404abf85b816dbad688e765fc7c5c982aa27cfade8a833a4439818cc1e92

SHA512
ddfb36750dcf45d1ae5ded1f2bee6f9f409a973d6530a421d0c4f6cd340f6dbc368caf7a8c343d57e0c874340a7826973b426e8d89c12eae502c838921a08e5c

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
72KB

MD5
29f22bd38b97e9a9e61a009dcc0242b5

SHA1
fbb400414a9fb6105f74da3ea43f30302198745f

SHA256
569af4831ed3c64ba02d1ecb09d400a222d6d53ef87fe26d3a24d6df64abfe4e

SHA512
7deb944b98200c85df4c825a46c38e0559ccff430acc41043d2a84b6bf6fef8246310b3435a93da5f74f3c51316739d5cfe872a836eedeecd0c16ef415c2ab04

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
72KB

MD5
8f3f26ff776d9f00a7fe0c1d8239a3cb

SHA1
cbfa44c120717cebc42e2f7c521ee271e9528e26

SHA256
d44120e184b9f5502e3f9773c27c0e4edfd7ca73e642ebbe2a3ab0922fd3a971

SHA512
9cb9d1dbb912159cdd96166e420711bc1e13db0a110221e7c56d41ddbb7d08238588fb172a98480b18050b593e8e74c23ad68daf351edf94dac89fd6824326ff

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
72KB

MD5
a74811629e325d8ac38d544c9f0c1b79

SHA1
dbffbcf3f014d2fd3b2b2a3203519c822932070e

SHA256
c0728ab74790d6d7f0ff5dd3b6f9a33a4f84aa38bc0b7c0c6240862b730b97dc

SHA512
de677560b8a90f204e3f36cc54b7ed408259db04e006dcc3bd29f4b65a29ab4eed1ca11beb4599270df06a2c2cea584548a3bb52ddb59c52385fa263dd2ab6ca

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
72KB

MD5
9085a49654bd2922a265117c402b0714

SHA1
ee3785a534587fddd6aaaacd58c9e1cfb59e0adc

SHA256
b400c67fe2d2f36b54f06933d62f975008e1e835b6f74809b51e0b2c7f8819e4

SHA512
2317b0f4a4205fc7aed0c818d3eab738134cb2f023f25c40d9f704e4374ef939ff5b35470e5cc25d3369274817ac523286402954815209d5795a188fda98489f

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
72KB

MD5
591ddeed169623d95e8a582a9ed3427e

SHA1
23107a1e42bae8b4abacb8644b3e618fd781d1b2

SHA256
0aa5cff4ff57b16e9adcf2843e44b9ae0e10414a356351b3ff352e9e94d529ff

SHA512
77393a5e261ee2b848183cdc0d0f5008e9d805e36c94fe7761335bde1ec6040f75f41c794ed2b211fbe70fdd042ebbfbcefefb3d5776c67f762322579ebdca94

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
72KB

MD5
0a9a6b6f0c7f74ae1709a161ac7cb9ba

SHA1
853cdf34e2842e3436f9e09cdbe00612dc991397

SHA256
7e26638146cb7a25707db1ee886a19d84eac005db3a161e8eb578f4b2c175c38

SHA512
4766480197ce27a5d635ec5f00aa7a0a98daef0b0e3b68cc3d238a0d5c7e0704068a2d192658499defa176a9dad505ac4a610c533e814c913c480a8e405d9442

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
72KB

MD5
3ef7e09dab5067a072030062e9501df2

SHA1
b8ea6b8ec733d6e25fbf2467ef3d61292ef1c7ab

SHA256
a67f6e0561fbd9d4f9f75b8d2fc481eb8af30efbbb5d87f1f2dfd2b54bce636f

SHA512
8b60c2c02f6c45b6ac55cee7feddec206bdebb95e47c0863ea879dfbfbe8e6d4617b9bf1a26e089057a56e244f7fac2035abc2ccc5a4a05a2935fb900284c4f6

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
72KB

MD5
f1a2636f983b357347d0617d57f5bd57

SHA1
18fb514b98fad8e9e27be1deffdff87164604b70

SHA256
ef474a85e7acd9eb979668d7a930e25af019f22ffd239f3bd4d7b68f4adcbf71

SHA512
aadf296ccd6d10b4de3b5ff4eba7ecaf1a04456bc4deeb1199259395cdc3d59bf67f0893c57421a5542327f6ed7cf5c9dc4d697cf4160cd20792aed92266dd44

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
72KB

MD5
3145ea3c9a3b21fa6e7d33a993563269

SHA1
e7994554e4f1bb2a637cc1ace6bf2be12620a5b6

SHA256
5c9967fc241401dfc14ae71ed1925688be7a0dbfcc41911ebb9dac888dc11ae2

SHA512
6578dc7f078fd798bf916e02edefd7425702c954be064ae68424705dee16ad9490b350ffa8544421f40c9f99492aa0e71bf032e6e13543891ad0120c0c8e55a1

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
72KB

MD5
4d2fbccf7477b614719cd99de8884e30

SHA1
f9d95a888effb6523cb45c2bf6fc46be30a3f67b

SHA256
f9f5517fe544c7bf2c0beef5856b2af39180ca1241a1cb73edf7a7979c2cbe13

SHA512
414221e2584737578400ff01cb2093f1ab57fc2c3259ef1973e81ba69458d89d2ef02969130c90bacb4038fd255d45689e87a3dc2309fec11a75732a424e4377

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
72KB

MD5
3e788a485e49860dbfc125fb0c53279d

SHA1
0eba2ee49564d30ff92ea545b5a3e67e8690fc1a

SHA256
2009349c35a9b6373563c049c124e52aed532afaddad5a27b6291d5df663c68d

SHA512
fbbdcf4edec10306114a13ec4ebd34e6d92ceb1844e94fa915ee339da017cce324b9d50f6c03b12e213e81754e1a053c48127c71a7fbd2fe1e5a063bce76877a

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
72KB

MD5
a9ea08dc51545d3e410424b38a5e712e

SHA1
2916ce3876e32aa8e799df1ce99b8efbe39975b8

SHA256
440e9bb67c2fa3aab78a275b46ba282d5834af5495a68874459666e1eb903f65

SHA512
9c4ae85c45bfef7cf25cb88bbb449f5916992d64a62921905089c0e513359ecf911fe3eb82ff2b07b107ded5bbccfb9ae34ab45d19319b8adef16f6dd8c69e86

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
72KB

MD5
0491606074a6147a3627fcb4c6071b93

SHA1
d62b3f7b134504d2fb96a8bbe3330f5ce4b9f542

SHA256
2ba7d90c534490aaf4c7039e39de77afcfc2dc2ee748adc36e02d1eea46a2b46

SHA512
4ab9cd5c4e8d1ec74091afce8a00f9db379e3af6e87323a7889804d304d83c6be7926629ce97d91b702c3a9755e1127a1f58760503fcc10fd82bb4925d39d6a1

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
72KB

MD5
48e41f1928e654fa3c5df8d4cc89add0

SHA1
4e0bf36e1e32323a838a873472e7c4970d5aeb50

SHA256
46e3c09ea39c87d57d1d27f3cc2f1e0eef5428c5ff8a9ed43019d025fabd2ccb

SHA512
c8d5da82122a467cf766fee85c14f0c5b3d35a11d67bad7fd0c6de5189989169ed7ffe3e5bd5a1337f0d480d6f071f5848c86f5ad62c16e2ba335c60d53ced0c

Download Submit
memory/212-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/212-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/672-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/672-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/756-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/756-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/780-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/828-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/828-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/956-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/956-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1392-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1392-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1512-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1512-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1560-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2820-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2820-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3196-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3196-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3656-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3656-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4036-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4036-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4072-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4072-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4244-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4244-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4844-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4844-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4908-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5112-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5112-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads