280f73a31a927a58e2aca1dfd9de9cb746f7851a81f3d8d1c00afab3eb38ee9f

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1938d56978aecda6eba4b5d3152e360N.exe
Size

94KB
MD5

c1938d56978aecda6eba4b5d3152e360
SHA1

0431113299e11452d58abbfd09b78e1ccf6827ba
SHA256

280f73a31a927a58e2aca1dfd9de9cb746f7851a81f3d8d1c00afab3eb38ee9f
SHA512

5fd2c8f9a917ceee50ec733a686f5186763ca0396a4bec114a550cf7de419d48b6333158d0f82deee7ec8042eb4be003949ad9d9e4c2e6247aeb2da8a3f09db9
SSDEEP

1536:BV98tRC2gjTC4xelUfkESvCn2LnS5DUHRbPa9b6i+sImo71+jqx:/9GeBdUJnS5DSCopsIm81+jqx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c1938d56978aecda6eba4b5d3152e360N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c1938d56978aecda6eba4b5d3152e360N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe

Executes dropped EXE 64 IoCs

pid	Process
1972	Odocigqg.exe
640	Ofqpqo32.exe
1812	Olkhmi32.exe
4536	Odapnf32.exe
516	Ogpmjb32.exe
2716	Onjegled.exe
4984	Olmeci32.exe
1484	Oddmdf32.exe
4636	Ogbipa32.exe
2528	Ofeilobp.exe
2376	Pnlaml32.exe
4076	Pmoahijl.exe
2792	Pdfjifjo.exe
3552	Pjcbbmif.exe
3692	Pmannhhj.exe
1612	Pclgkb32.exe
4948	Pjeoglgc.exe
2372	Pmdkch32.exe
540	Pdkcde32.exe
2264	Pflplnlg.exe
2584	Pjhlml32.exe
3776	Pqbdjfln.exe
4696	Pcppfaka.exe
3768	Pjjhbl32.exe
3440	Pnfdcjkg.exe
432	Pmidog32.exe
2692	Pdpmpdbd.exe
2572	Pjmehkqk.exe
688	Qmkadgpo.exe
4092	Qdbiedpa.exe
2196	Qgqeappe.exe
3012	Qnjnnj32.exe
1828	Qqijje32.exe
5060	Qcgffqei.exe
1380	Qgcbgo32.exe
2044	Qffbbldm.exe
3432	Anmjcieo.exe
2728	Aqkgpedc.exe
764	Acjclpcf.exe
4036	Afhohlbj.exe
4704	Aeiofcji.exe
3276	Agglboim.exe
2760	Afjlnk32.exe
468	Anadoi32.exe
1136	Aqppkd32.exe
348	Agjhgngj.exe
3400	Afmhck32.exe
1784	Amgapeea.exe
4324	Aabmqd32.exe
892	Acqimo32.exe
244	Afoeiklb.exe
1108	Ajkaii32.exe
2968	Aepefb32.exe
4544	Agoabn32.exe
3024	Bnhjohkb.exe
3088	Bmkjkd32.exe
4148	Bcebhoii.exe
4256	Bganhm32.exe
216	Bnkgeg32.exe
4100	Bmngqdpj.exe
1488	Bchomn32.exe
4972	Bjagjhnc.exe
3764	Bnmcjg32.exe
4920	Beglgani.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5464	5292	WerFault.exe	191

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1938d56978aecda6eba4b5d3152e360N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c1938d56978aecda6eba4b5d3152e360N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 1972	512	c1938d56978aecda6eba4b5d3152e360N.exe	84
PID 512 wrote to memory of 1972	512	c1938d56978aecda6eba4b5d3152e360N.exe	84
PID 512 wrote to memory of 1972	512	c1938d56978aecda6eba4b5d3152e360N.exe	84
PID 1972 wrote to memory of 640	1972	Odocigqg.exe	85
PID 1972 wrote to memory of 640	1972	Odocigqg.exe	85
PID 1972 wrote to memory of 640	1972	Odocigqg.exe	85
PID 640 wrote to memory of 1812	640	Ofqpqo32.exe	86
PID 640 wrote to memory of 1812	640	Ofqpqo32.exe	86
PID 640 wrote to memory of 1812	640	Ofqpqo32.exe	86
PID 1812 wrote to memory of 4536	1812	Olkhmi32.exe	87
PID 1812 wrote to memory of 4536	1812	Olkhmi32.exe	87
PID 1812 wrote to memory of 4536	1812	Olkhmi32.exe	87
PID 4536 wrote to memory of 516	4536	Odapnf32.exe	88
PID 4536 wrote to memory of 516	4536	Odapnf32.exe	88
PID 4536 wrote to memory of 516	4536	Odapnf32.exe	88
PID 516 wrote to memory of 2716	516	Ogpmjb32.exe	89
PID 516 wrote to memory of 2716	516	Ogpmjb32.exe	89
PID 516 wrote to memory of 2716	516	Ogpmjb32.exe	89
PID 2716 wrote to memory of 4984	2716	Onjegled.exe	90
PID 2716 wrote to memory of 4984	2716	Onjegled.exe	90
PID 2716 wrote to memory of 4984	2716	Onjegled.exe	90
PID 4984 wrote to memory of 1484	4984	Olmeci32.exe	91
PID 4984 wrote to memory of 1484	4984	Olmeci32.exe	91
PID 4984 wrote to memory of 1484	4984	Olmeci32.exe	91
PID 1484 wrote to memory of 4636	1484	Oddmdf32.exe	92
PID 1484 wrote to memory of 4636	1484	Oddmdf32.exe	92
PID 1484 wrote to memory of 4636	1484	Oddmdf32.exe	92
PID 4636 wrote to memory of 2528	4636	Ogbipa32.exe	93
PID 4636 wrote to memory of 2528	4636	Ogbipa32.exe	93
PID 4636 wrote to memory of 2528	4636	Ogbipa32.exe	93
PID 2528 wrote to memory of 2376	2528	Ofeilobp.exe	94
PID 2528 wrote to memory of 2376	2528	Ofeilobp.exe	94
PID 2528 wrote to memory of 2376	2528	Ofeilobp.exe	94
PID 2376 wrote to memory of 4076	2376	Pnlaml32.exe	95
PID 2376 wrote to memory of 4076	2376	Pnlaml32.exe	95
PID 2376 wrote to memory of 4076	2376	Pnlaml32.exe	95
PID 4076 wrote to memory of 2792	4076	Pmoahijl.exe	96
PID 4076 wrote to memory of 2792	4076	Pmoahijl.exe	96
PID 4076 wrote to memory of 2792	4076	Pmoahijl.exe	96
PID 2792 wrote to memory of 3552	2792	Pdfjifjo.exe	98
PID 2792 wrote to memory of 3552	2792	Pdfjifjo.exe	98
PID 2792 wrote to memory of 3552	2792	Pdfjifjo.exe	98
PID 3552 wrote to memory of 3692	3552	Pjcbbmif.exe	99
PID 3552 wrote to memory of 3692	3552	Pjcbbmif.exe	99
PID 3552 wrote to memory of 3692	3552	Pjcbbmif.exe	99
PID 3692 wrote to memory of 1612	3692	Pmannhhj.exe	100
PID 3692 wrote to memory of 1612	3692	Pmannhhj.exe	100
PID 3692 wrote to memory of 1612	3692	Pmannhhj.exe	100
PID 1612 wrote to memory of 4948	1612	Pclgkb32.exe	102
PID 1612 wrote to memory of 4948	1612	Pclgkb32.exe	102
PID 1612 wrote to memory of 4948	1612	Pclgkb32.exe	102
PID 4948 wrote to memory of 2372	4948	Pjeoglgc.exe	103
PID 4948 wrote to memory of 2372	4948	Pjeoglgc.exe	103
PID 4948 wrote to memory of 2372	4948	Pjeoglgc.exe	103
PID 2372 wrote to memory of 540	2372	Pmdkch32.exe	104
PID 2372 wrote to memory of 540	2372	Pmdkch32.exe	104
PID 2372 wrote to memory of 540	2372	Pmdkch32.exe	104
PID 540 wrote to memory of 2264	540	Pdkcde32.exe	105
PID 540 wrote to memory of 2264	540	Pdkcde32.exe	105
PID 540 wrote to memory of 2264	540	Pdkcde32.exe	105
PID 2264 wrote to memory of 2584	2264	Pflplnlg.exe	106
PID 2264 wrote to memory of 2584	2264	Pflplnlg.exe	106
PID 2264 wrote to memory of 2584	2264	Pflplnlg.exe	106
PID 2584 wrote to memory of 3776	2584	Pjhlml32.exe	107

C:\Users\Admin\AppData\Local\Temp\c1938d56978aecda6eba4b5d3152e360N.exe
"C:\Users\Admin\AppData\Local\Temp\c1938d56978aecda6eba4b5d3152e360N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\Odocigqg.exe
  C:\Windows\system32\Odocigqg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\Ofqpqo32.exe
    C:\Windows\system32\Ofqpqo32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\Olkhmi32.exe
      C:\Windows\system32\Olkhmi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        77⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        78⤵
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        81⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        100⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 396
        105⤵
        Program crash
        
        PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5292 -ip 5292
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
94KB

MD5
504d7406e0a2ec66a664c5046b64ecee

SHA1
cd8b1b00510f2e9a4cb52a9f2ce1a664fcac984b

SHA256
36bec35673e4e8fc57e83bf2feb6d8d641aea3aa1f893cada30a810d660209f0

SHA512
843a7e89ce6e1e7f2040fdaa7c8900e8680d03e4f72347c8122fbad4d0e744b4404cd090bd34a08d5859ecde4d6cf8d218fb9eeaa2aa8a29af598f9ac644f61b

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
94KB

MD5
c4b5f35862991cc3b9d3f18b6ec77d25

SHA1
aa18977dae8969e386de8e1264cc042b907a56d8

SHA256
925794c28c90df66cc610c80bc5b645123c5920e32a612a26158ab4b9bd32842

SHA512
cb1cbf1a3197776ab1185dbabc5bd09c7ede528dae668990cd9144577bc614021c705b563a9eb21b61f2b6a75777a2ec51f2f1db3309f44fd8976bab7572d13e

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
94KB

MD5
7990c685a58469b9d1cc58cef74cd14e

SHA1
c82ca65d03eb8c7f9fb829877b87f752c42864de

SHA256
e865705b5cc8183e058292ac9f01b75f265a0df5203fdc816ae658cc30306ada

SHA512
ed4331887aaa52c66eb76c8610e143309095f483e039f9e43917428b5e21ac85023950191198564dbce88c17b133e1d657cce76a8a23c5f69d15a9896f6c5014

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
94KB

MD5
573b076406b2022312db1325c807dda8

SHA1
2b4faacb763a356336ea13663c2fcef87d091169

SHA256
6d0d126a569810586a6ff1d44b8b981bc4bdc422795d12c4cc8d594ffd9cbb24

SHA512
97494175342b5cb2fa759aa9190e9b38a7c038a0c0063fe0d2df0eb544ffa755e8e95d7f0c61c22258c7c1acd6092406c2f847744d34e794ea7aeb805e2299ec

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
94KB

MD5
015ab3c79815c8bb5dee2df16222b1e2

SHA1
e131b150aaa8ba16796d3463b575244d3a7036bf

SHA256
097499c733ec76bf811bf5d3fc89da4dcf1c06a722b6e971c23ecad2febc1fcf

SHA512
5f4032c85b6f223dc0b16e205be404e3a7724fc8f96e7c3e397309cf1c5861800473e4ebb72be5b66eb73a5d8ab576dfe0ad41011f9fb95ef2dce7c4a89ba295

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
94KB

MD5
3b493ebff5d059387aecbc19b181a2b9

SHA1
9e9bc15b8949e58ab5ee85cddb2622094a74257c

SHA256
d2931f0f83ca14a752c7be84913798e78621e23d8253a82297fa2c3b42d692e3

SHA512
37789d72414b471f8a6c5ba492b0c54db64be5e1ab3f4a1686a3ec175924775b0e1a01be58087df2e4356c050de0222e68252d31e720eff996183eb747f3f86e

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
94KB

MD5
b1e6492eff3a0a327fe085454106a029

SHA1
3ef9d309bfe1bdb6e896ec01f36553d63ea2d963

SHA256
38878392cd68d393219d81d66ad60ee61070a5a9af848737f038cee01a2d8f71

SHA512
2b7991b8ce9974312239c76ce631a73d6d9ea6554d4eea296a28424e810effec7f5c8fb8d270e31271e4a4fe97b11968935fbe1e0553956a72ce294bafe9289a

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
94KB

MD5
ee00d67aaf7a0ddb43164f1678470212

SHA1
14249219310cddd2e3583c578eddb374bab57855

SHA256
95c2c894445cfa249fbdd2d49b14a6d6ace15385d6e9b78f7684991ceccc311d

SHA512
7909b556a8af22370efba65d48a4282c79edebbf1dc96538aa96e1697ec593cbc1bcb3eab494ddf5e080735c0b125c329b6611ca2be5520f187623974bc153c4

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
94KB

MD5
be4a73a47e3558fccea36b22a518011d

SHA1
dab277197899fd38d309ed6cb293e95a08524da7

SHA256
a451b691998524bfe26a58625af9f7e366aa42ef4fda930b60aaf40ff4183d23

SHA512
8261619f1becbf27fab87e6bae224f9322ddf701baeef45516fa841773b7acda31dd379551b8934d84ae1d800277cf55fa5d042744b7727bf1970448ea6f3bd1

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
94KB

MD5
ac995c836b8a54c771a63e457b6c4294

SHA1
79940b930a421f26592deb87b3d1cbea7fc73f6a

SHA256
6af2e59a9178b025018711136d1eaeb8f7efe59ce3747b822945153970bfa113

SHA512
0f1ab617644894be5bd50be8d44fc306886f28eb070c94472b59e63ded79af4055ef878f446897ac2e977bb9a57d90ccfb7443ebbbc9fd520894e4b4fe43097b

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
94KB

MD5
7dc57a5385babebb73b4b3fe27748d41

SHA1
40da4c34bc10fcf6bc6781af1d896db8c5ad8d5c

SHA256
920e58bfc2718e556f69e37eb0a2b6cbcbaabe6d52a2e9a8a16848b9f8ba4604

SHA512
ba67ff9a95a83d28dc4975803e953c517b73e21886cf6318b57cc7c4b6764b0ca29bc62a0d8de2ddbbdff59eedba403da5fe2bf8b416bf68855aa374f53b42b6

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
94KB

MD5
e8aa581621f0bb3c6b13f18d760173e4

SHA1
4dafaf469a61f681c186553009dca2c22888427f

SHA256
5a6cdd1c3e2485751ec1779ddbbd114987a89cbb9d980427c088b9a2a66d8201

SHA512
77bbdaf5fcd1209477520a3d0d6b420854fa8b4724aa817341632746ef811fb71f7170b53ba888c53769dc77208d6a65e63a4bf3abcf953868feb6b2b6a1cde9

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
94KB

MD5
f086f849e86e9034ff7234ef38d3b734

SHA1
e258c2013c101c7f15fcbaaddd01752a777b698f

SHA256
d612160a3186a0cd853e8ec5a08356aeb5dc9ef6a8c4b3fb3e65ba883e983dac

SHA512
2fb17db7bbead5b275805e22e621da9ca27a8acaac923ebad68178a2fb7542f7be27a68915280be06e6eae82883a59c35825f7e7364bf7dd07cb39441e4a8a5b

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
94KB

MD5
851772f23d1eb80aa46720b47542a146

SHA1
c7196bb1bb0aa9f36e3c58bbd354504af0548bfb

SHA256
a8b80aaf6b1e54dfd7e24ddf5b450f9e9f08f2c81dfeabf21c79015ff1e65d24

SHA512
149e5d32938839678ae59e8af9791e1d343ce6c7f50c9524ef66ef15af0f249fd13386aa905cf7497ed6c9f328c4c521c9f9d28a3178f320af58eff266a10e8c

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
94KB

MD5
8afe855015b72f3bc60c13745d2d995d

SHA1
8c2e161d37434b7f0bffabfc4e6b9c27b07da48a

SHA256
dc9d4717a34277363d409c7892e82e3938d5236876f893cd4a3a3be857d20792

SHA512
e3daccc5627042b31420af48c71d525eed5736b0ef517348d7930fccd9b1af33187d3bb7067b96cdd069a2ad1553ef6df8ac26f434a7ee7acb5b1279b43d6776

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
94KB

MD5
c573295291ecd8b9edb19f94c9df88ef

SHA1
dbfd9235f36b555c654df25e967f3141fa47099b

SHA256
0969db6f824f2b592fa2a42baa462c1c6f871a773dc1be31eb6d027b8a71ae28

SHA512
73c4fd1646304152cb36a7dad129f5ec7b7c12661831dfa92306e3c51e84926df8df57994e6f4465e7a1f289df1cb3a2f0a941a9e5d22d588bb745ace30d8fa7

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
94KB

MD5
465754a6c8d20600c71fe44f166886d6

SHA1
1a35bbc44463afb85307d0a2d19fc3c66f0dea51

SHA256
f287e21e2f592149be75b294d43d476140839b76e7d76a9940115e158d9600c9

SHA512
ba534c57f556435bd187b0fe3e09499a3baa20599a26069f5137b28258c1b5852cf1ccc05fe58b26a4951217adf7267b9284182357a89d0513b7eb4b73736fb4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
94KB

MD5
a431b844bc5ea6c624b6a9c3ebcbdfac

SHA1
396fe2aa29d1614a4ea38d12dbeccc47d6f8fef0

SHA256
99d46ab5bf4b4a3c49196f16511cb7c0b48eb686f1cafe0ef0e3fd584afc4158

SHA512
fa6c04f14b9d0221cdc9827aa1d21d39247e93ff70552fa1dac7751753aac0ec15ad6477b3604c5c9bcbdc601d93fafe7b11130666b3b7fb4f3ff5a533ed7d59

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
94KB

MD5
75341613aae656269b02592dd0bb3f6c

SHA1
4478d30d705b22082740f41d53f1f1edf3e91f3d

SHA256
fcf3a37307b070a4f6be7eb513045b7b0fb9676820545b110ff0c97283a8dbd6

SHA512
188bed24b6bc05ad2dce91e821636031d384364af72555f023dbc654e1cc8d41a79aa515843580926e452a5914597eed1bc28905530641ce3d517084e778655b

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
94KB

MD5
33106345bfe1daac75a41a185c230dcb

SHA1
d750de9431ccaa9e9da4f96bccc5f1f9de88ab49

SHA256
4d0be4e4604d634043f931f7bc13757c08c8c6d5f7bccab69491f539e1210720

SHA512
8030f6127c04b90b130a5ae12a564c2aca476fed4e30e96df22d47c0cf0c11e66607ef1101f7bde6e61c2e3b668162c1af9bfb9d1c2362de4163ccceaf1d41cf

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
94KB

MD5
803e25535e36b48cc09097fa7c4bb9d0

SHA1
e54828390a180c3d6b22a0655c66a7096fd35ef2

SHA256
0125bc534de3e0e35bbb6d34472da45e68188cc2bdf91ddf5cded5fa0fc09418

SHA512
ee405dfcadac9b0c9bd56cc4156bbac20f8edb90ba69f90e6027142288d772193c910ebaeb27c97b608342281bc61ec9c0e6f2167a1adafedb40c8a2c65db488

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
94KB

MD5
f6f2f041bada1ece21ba4a901dd3ef5d

SHA1
9b58ed585f233459678e69796bf99e8423de688b

SHA256
4e66a01a357fb0d1420b9ff0dd16acb9aa4405e6eb78ae7dab9954b2b2c5c369

SHA512
fd2d8708646051397df3b1cfd9f7d4ab498cd2540453a8ed3afb3bdadee50f8fd75d345436ba206a33de81dfc91e1bd390cb20ee1df266f044211db77f2b455c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
94KB

MD5
614f80e0ddc524afd08aee6186e09f16

SHA1
07a3e9078d859e1d803990696a37aafb0fd555c0

SHA256
ff87f7370b5f09a4aaf02d26bd84a86ff8daade5979082fcf317de6a62d265fc

SHA512
ac5720c672dd40341a7f14ce42812a7e6f07b56f9d962a6c91e3f7fed818128a499a72b7e9f12abf95eddc6ac464f851d3dc707048912b56966f711ff4ba753b

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
94KB

MD5
e55bb7a8baec69c359543c513cd77e4c

SHA1
82af65492170cdad331c34659fa4348b1f450229

SHA256
df0ac0b4c84108afd56768f29eec0c9f66f82b51291e5518d2cbd77319475d8b

SHA512
bba0732b13b01fd8578900074dbb3b88e54a103da5ad05626dced04bddb531810284e1f78388e65056c0803946de9885e5599d6b2ef18edbebaca3fcbcb7f475

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
94KB

MD5
0c531d1751c35a764085ee3b4d2fb181

SHA1
dfe428f49acaad8137849ca4dd545c41bf135419

SHA256
580eda80081aa41d12fa2dbfc6483da2a0dc9b4aa5e06129b40c3356ee3b6edc

SHA512
5fea8cd251d16fa9ac1c9af3d6537c569a2e8807fd8ef29e587c8fccd8fc7e0fad1bdadfcec22b588b256d363e3ad9addd538ce894c76e86c972b1a2cb70b171

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
94KB

MD5
012a4f8792affff531b1027e14bbf448

SHA1
3b8d528f88a1c10c79434e37869dd0b86a6b6c15

SHA256
469e8cf33cae7c4e4faf55228b8c7ef625d0e7339072993257262cf7fdce92fa

SHA512
342fd4c840b0e08560bbf1f104ee72d0a9615cf533f90a2be31d89ad46d9cf2fd8806064baabcb209bd4bcd6974120cc685dc462932ddf3ce75be36b6e9716d5

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
94KB

MD5
58e406db76fccbc120e7d4a641a7f8ee

SHA1
9a4a000813c7f5da4e80dc8993abcedaffb9e384

SHA256
4e80a1e09d71e3fdaee4b976661ff12916958af4984ac22fe95eef64e1439ca9

SHA512
30d5f7d8ace8df89ee5a7d7d5aadd5488a3764450cb157d73fdc07d71ac785306ec448c142c389dd65465b623da5cfeebfed8359f3b96d19472344c0a604c2e4

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
94KB

MD5
a30ad1690c16c9ed4ab75f01932d6d7f

SHA1
c37a2254db1a34fcb3d47883c0ea67c4e6319b44

SHA256
98f145b573bc3ba415dcbedb6ba8ca552e3384dd6291980bb3836e9dbac1a8d0

SHA512
e0924856e0dcbfb1d231bff881cd8881b4da22c0a6881b4dd0293257f2beb0b30c2e41c9787a9dcae1262d0caa2e498cf0d905a183638e9226fe20dce1f3e41e

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
94KB

MD5
985fe2ac592c0cceeb962f83ab312d50

SHA1
aff794215ff3ff25cc7d29672533b54c7f813c7a

SHA256
c69aef29ae107f327c1d5ff71ff3b6b60f013ece6bdcdedbd66c2c480365e989

SHA512
7d7d4bb2c933382310eac3231a151adebf1e5dbc5c0448cd9bad8bd9c8c5f1d8b24f2fadfdc083c86742a102fb6eedf4afcf4c8593ca95e47c57bbfafd44f65d

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
94KB

MD5
08bb9da93a60bb385ae1b8bc00974b7b

SHA1
fcd999e7ba49b52120db4e68d11b3c0fda012226

SHA256
aa504eedbbe0911a0d0f66916ce3f535de716a7234f86fb11f1abfc25d039f97

SHA512
c3df325cb37217f51228a308c588b4545ad0b24fdf3a34e8bfe4ecf423b9c0cebfed15ba34f15b5efd5b4d27f35c59ec5ca4b24e0a5e5411172ab5277e8a450b

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
94KB

MD5
40d9f77c5498607eb05ef940cdf86979

SHA1
975b82233c746f78bf74d82ba2303e5a47364b49

SHA256
bccbee7c0d33aab47407677bf4ca0fe9f747449648da1faf4a5991cf489c9867

SHA512
8e52078b0e21d227b2f791e3f4667f8f87023f537967599561260eff55a43d90353fb4bcc6217c9f20f25fceda365c25fe22d96a0da14cc03659500af58dc10e

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
94KB

MD5
be21563de716f65fe87a7d099968d3ed

SHA1
bec190ed42463485f185bfd69f1518dc2a7c1580

SHA256
0ae14c60b90872076f9f311a225d5271a51764e2a477e51e2b0ed5598ff8528b

SHA512
906bb4dc1e073a614175057f444b5dabd030d1cfd7d1ef4ff7744b4d49222ad610a941d11f9cbec2c7b032207e5aba7588707124d17a1e789e651b958e556b04

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
94KB

MD5
95b10d4248768f95cc9214f89c0c33ff

SHA1
d77bfaa8077476d66b33c957c60ddcc8b7f4b05d

SHA256
5fa6c48274939b57f5d1cee29a746003a3e1b39772ced105bd12b0bef00cf9ff

SHA512
cc7c559950cfd07b6c8027ee40cae1d691ecca724f5173a3203fd24a3d8d62bc0403d2b2567030e13a568f80930c78a38e4f12c62386889b4d610140b83d43c8

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
94KB

MD5
3bde6e11dbb396c6108ef506f9f8c29a

SHA1
b02469019c38eb96e414d379e170b11c88cfa5fa

SHA256
b9e3705b94da7568d4e9111c6682ccd7835d9814d0023c2f122e4484a190a969

SHA512
2aa293c7d744d8053f4377c4eaa26c992245f4556a20e7b6090b849729c58ea9abb8c59713d6c13c7b92263f0f641665b4f37d029c0042e48e828e8475b4d2e0

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
94KB

MD5
55208bcb83ab8b1602bb18d7bc42dd84

SHA1
f0f5e8eeca75f21c2f010b985e2fe28e19b2b605

SHA256
dbf591a85023e2eab8934f9900e0770554334a99428388be472eec3440f874e4

SHA512
0fa4f282a0fde7733666993e652304924f279f9af8152a2aaca36d01af7826b501ff19f83faa8484a93c16ee29ea7eb5b24868607c5b5a1fc27d7880d95d1e15

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
94KB

MD5
306a518a96b7ea3e0d7eb8cc3c62a94c

SHA1
3b0a7bbd221e8467335e50d47034e63aeded9224

SHA256
b82761e175c83f8223fe9128dcf544779d02240d4f759e25e49ff4f02463b80a

SHA512
19e8eacbafc40fca364d3969acd44d76856388e37aecfb479972d5160474674732f10123da92dc7fd63cb86cfb6f756f52af6d31279457e07b76d262749aaa7a

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
94KB

MD5
f6e8f4d3ce902bc5952272fc8c60f34d

SHA1
71efcd9ec34e42026d4e67928de861924a244617

SHA256
56ee619e9b4e8087cc4132b0b6073798d73f8001239201c147237176fe67b893

SHA512
e5b236d98f645930c170b96b489241c7c8ae9b4473dd42b66b455f4dff8f4eb1509af727d30825db7288af55e3fdd06f76387c8e563739a3d7321900109746a9

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
94KB

MD5
172fc8a5ef2d1c83e3b37cd41eaa2d0d

SHA1
215bbf3d2b340b1c9a58038494aa9f0953cc6076

SHA256
7ef55111d77346a64110ce87328e2e93496d962443c4cd982df2ac8cac8a400f

SHA512
9ec9aeb567f7a9e345ad0f405e95b446d8b0163a54e4bc33af187c27e82f72965ee46e9d99b1db8cf1480d24a828e19a11701237ff390f662a329253e7fc4998

Download Submit
memory/216-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/244-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/348-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/456-522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/512-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/512-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/512-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/716-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/892-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1108-378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1136-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-528-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-432-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3088-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-456-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3776-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4076-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-480-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5136-535-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5180-541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5264-555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5308-562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5396-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5448-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads