5a5eae0cc1e12a5bee1961e13aee70af89d09927492bf981f872fa7eb2dd9102

Analysis

max time kernel
107s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce51e563f6a264004df05a4690720810N.exe
Size

669KB
MD5

ce51e563f6a264004df05a4690720810
SHA1

0283187b0f245c7e55b0939196ae3aaa5f5ac728
SHA256

5a5eae0cc1e12a5bee1961e13aee70af89d09927492bf981f872fa7eb2dd9102
SHA512

a0f61b719d824df85675b2735537f860232acf9ffe668845c5a4c9bef167f85770f4d756987e64ac47e37def098c25b762832acf08e003f8d7a9e345317bec44
SSDEEP

12288:gNiSpetrG9eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:g08etrG8chMpQnqrdX72LbY6x46uR/qR

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce51e563f6a264004df05a4690720810N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ce51e563f6a264004df05a4690720810N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe

Executes dropped EXE 64 IoCs

pid	Process
3396	Olhlhjpd.exe
1588	Odocigqg.exe
1068	Ofcmfodb.exe
5068	Ofeilobp.exe
3800	Pdfjifjo.exe
1924	Pqmjog32.exe
5108	Pggbkagp.exe
1516	Pnakhkol.exe
4640	Qmmnjfnl.exe
1180	Qgcbgo32.exe
1504	Anmjcieo.exe
4016	Acjclpcf.exe
3528	Afhohlbj.exe
1048	Aqncedbp.exe
2484	Aclpap32.exe
3456	Agglboim.exe
2532	Ajfhnjhq.exe
892	Anadoi32.exe
4784	Amddjegd.exe
4436	Aeklkchg.exe
4084	Acnlgp32.exe
3896	Afmhck32.exe
3500	Andqdh32.exe
3312	Amgapeea.exe
3756	Aeniabfd.exe
4336	Aglemn32.exe
4356	Afoeiklb.exe
4340	Anfmjhmd.exe
4812	Aminee32.exe
4848	Aepefb32.exe
4608	Accfbokl.exe
2892	Agoabn32.exe
2772	Bjmnoi32.exe
3092	Bnhjohkb.exe
316	Bagflcje.exe
3148	Bebblb32.exe
540	Bganhm32.exe
3968	Bjokdipf.exe
4756	Bnkgeg32.exe
2448	Baicac32.exe
1332	Bchomn32.exe
4616	Bgcknmop.exe
4092	Bjagjhnc.exe
2564	Bmpcfdmg.exe
4376	Balpgb32.exe
1864	Bcjlcn32.exe
4204	Bfhhoi32.exe
4996	Bjddphlq.exe
2404	Bmbplc32.exe
2128	Beihma32.exe
4852	Bhhdil32.exe
4480	Bjfaeh32.exe
2628	Bmemac32.exe
1552	Belebq32.exe
4552	Chjaol32.exe
5156	Cjinkg32.exe
5196	Cmgjgcgo.exe
5232	Cenahpha.exe
5276	Chmndlge.exe
5320	Cfpnph32.exe
5360	Cnffqf32.exe
5400	Caebma32.exe
5432	Ceqnmpfo.exe
5472	Chokikeb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process
5864	2464	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce51e563f6a264004df05a4690720810N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ce51e563f6a264004df05a4690720810N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3396	3316	ce51e563f6a264004df05a4690720810N.exe	84
PID 3316 wrote to memory of 3396	3316	ce51e563f6a264004df05a4690720810N.exe	84
PID 3316 wrote to memory of 3396	3316	ce51e563f6a264004df05a4690720810N.exe	84
PID 3396 wrote to memory of 1588	3396	Olhlhjpd.exe	85
PID 3396 wrote to memory of 1588	3396	Olhlhjpd.exe	85
PID 3396 wrote to memory of 1588	3396	Olhlhjpd.exe	85
PID 1588 wrote to memory of 1068	1588	Odocigqg.exe	86
PID 1588 wrote to memory of 1068	1588	Odocigqg.exe	86
PID 1588 wrote to memory of 1068	1588	Odocigqg.exe	86
PID 1068 wrote to memory of 5068	1068	Ofcmfodb.exe	87
PID 1068 wrote to memory of 5068	1068	Ofcmfodb.exe	87
PID 1068 wrote to memory of 5068	1068	Ofcmfodb.exe	87
PID 5068 wrote to memory of 3800	5068	Ofeilobp.exe	88
PID 5068 wrote to memory of 3800	5068	Ofeilobp.exe	88
PID 5068 wrote to memory of 3800	5068	Ofeilobp.exe	88
PID 3800 wrote to memory of 1924	3800	Pdfjifjo.exe	89
PID 3800 wrote to memory of 1924	3800	Pdfjifjo.exe	89
PID 3800 wrote to memory of 1924	3800	Pdfjifjo.exe	89
PID 1924 wrote to memory of 5108	1924	Pqmjog32.exe	90
PID 1924 wrote to memory of 5108	1924	Pqmjog32.exe	90
PID 1924 wrote to memory of 5108	1924	Pqmjog32.exe	90
PID 5108 wrote to memory of 1516	5108	Pggbkagp.exe	91
PID 5108 wrote to memory of 1516	5108	Pggbkagp.exe	91
PID 5108 wrote to memory of 1516	5108	Pggbkagp.exe	91
PID 1516 wrote to memory of 4640	1516	Pnakhkol.exe	93
PID 1516 wrote to memory of 4640	1516	Pnakhkol.exe	93
PID 1516 wrote to memory of 4640	1516	Pnakhkol.exe	93
PID 4640 wrote to memory of 1180	4640	Qmmnjfnl.exe	94
PID 4640 wrote to memory of 1180	4640	Qmmnjfnl.exe	94
PID 4640 wrote to memory of 1180	4640	Qmmnjfnl.exe	94
PID 1180 wrote to memory of 1504	1180	Qgcbgo32.exe	95
PID 1180 wrote to memory of 1504	1180	Qgcbgo32.exe	95
PID 1180 wrote to memory of 1504	1180	Qgcbgo32.exe	95
PID 1504 wrote to memory of 4016	1504	Anmjcieo.exe	96
PID 1504 wrote to memory of 4016	1504	Anmjcieo.exe	96
PID 1504 wrote to memory of 4016	1504	Anmjcieo.exe	96
PID 4016 wrote to memory of 3528	4016	Acjclpcf.exe	97
PID 4016 wrote to memory of 3528	4016	Acjclpcf.exe	97
PID 4016 wrote to memory of 3528	4016	Acjclpcf.exe	97
PID 3528 wrote to memory of 1048	3528	Afhohlbj.exe	98
PID 3528 wrote to memory of 1048	3528	Afhohlbj.exe	98
PID 3528 wrote to memory of 1048	3528	Afhohlbj.exe	98
PID 1048 wrote to memory of 2484	1048	Aqncedbp.exe	99
PID 1048 wrote to memory of 2484	1048	Aqncedbp.exe	99
PID 1048 wrote to memory of 2484	1048	Aqncedbp.exe	99
PID 2484 wrote to memory of 3456	2484	Aclpap32.exe	100
PID 2484 wrote to memory of 3456	2484	Aclpap32.exe	100
PID 2484 wrote to memory of 3456	2484	Aclpap32.exe	100
PID 3456 wrote to memory of 2532	3456	Agglboim.exe	101
PID 3456 wrote to memory of 2532	3456	Agglboim.exe	101
PID 3456 wrote to memory of 2532	3456	Agglboim.exe	101
PID 2532 wrote to memory of 892	2532	Ajfhnjhq.exe	102
PID 2532 wrote to memory of 892	2532	Ajfhnjhq.exe	102
PID 2532 wrote to memory of 892	2532	Ajfhnjhq.exe	102
PID 892 wrote to memory of 4784	892	Anadoi32.exe	103
PID 892 wrote to memory of 4784	892	Anadoi32.exe	103
PID 892 wrote to memory of 4784	892	Anadoi32.exe	103
PID 4784 wrote to memory of 4436	4784	Amddjegd.exe	105
PID 4784 wrote to memory of 4436	4784	Amddjegd.exe	105
PID 4784 wrote to memory of 4436	4784	Amddjegd.exe	105
PID 4436 wrote to memory of 4084	4436	Aeklkchg.exe	106
PID 4436 wrote to memory of 4084	4436	Aeklkchg.exe	106
PID 4436 wrote to memory of 4084	4436	Aeklkchg.exe	106
PID 4084 wrote to memory of 3896	4084	Acnlgp32.exe	107

C:\Users\Admin\AppData\Local\Temp\ce51e563f6a264004df05a4690720810N.exe
"C:\Users\Admin\AppData\Local\Temp\ce51e563f6a264004df05a4690720810N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\SysWOW64\Olhlhjpd.exe
  C:\Windows\system32\Olhlhjpd.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\Odocigqg.exe
    C:\Windows\system32\Odocigqg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\Ofcmfodb.exe
      C:\Windows\system32\Ofcmfodb.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        48⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        70⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        75⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 408
        96⤵
        Program crash
        
        PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2464 -ip 2464
1⤵
PID:5832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
669KB

MD5
8dd091b619aa857bd6fb64ac146fddb4

SHA1
2c6eb7a9e4c4cd4181be05c933cc80e21c060e4e

SHA256
c7087f7beab23882fbba32e5118ba7f23cd1e3c5e635dba4fc8bca8bd38dea17

SHA512
1ed26f30b4e8118c5e7cc9f99e26937973b98a8649f9bcce63a38618907d584d232365198d11809a8a6b688d4e8e30016242c36a459bc3d67b9e7640b71acee2

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
669KB

MD5
fdc50ce01b0296333de92276eded2ee9

SHA1
943e1c87728e76aded9a5495d94520fa3276aab6

SHA256
84ac1381e0723a1c68638424bb59e027307ce8d1c042dc4f4c6ec1e73d0039f2

SHA512
92b7f7fed05185cbeccca7f6eb10c18b0cd9fd648ea1a42aaedd0f105a88b8c40c93406bc2b73127e52448a0f966bf47d154f7c809ba26c27121272462d98db9

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
669KB

MD5
babb34425205bd746772243ea384fb85

SHA1
f55093226bc3ec0d74820a03594928e3e7494bb8

SHA256
7fe0918f831785a049a8e8411b0fc30e383f138e0a8cd2f373772a40e85c1f41

SHA512
479bcd95a334a163b7cdc2054bc4d0d5682a350b184a20431d18f7540cf76ae48b0d869937c7b58cd7c2ea0402b1f6bf74bcc65dbc1c817a51aba45e7382493a

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
669KB

MD5
5bf8d031d8636e79d3539869e629c287

SHA1
327aca94ec363c6a1342ab51e9879371c66fdabc

SHA256
5044e39f22166c72c0006906b5aa232edb362889382e27739a684e8c86bd1923

SHA512
5f0244db8aaa0af0c6d80a07a91da84a5037dc9df0f0e3a7cb98cd275c11a421be4e00e07597529590fe7c72b1ddaf1e3b0de0167b8725910d9c03b248ff7ad8

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
669KB

MD5
fda5f9332d4411b16a27c7c6cee9c9f9

SHA1
94c6a107eb147735c6a53fbe062a7ac34f7adc69

SHA256
4d8170e7f986ffe59a0aa3481bb163f9ba13a9cb362127868198ff9af908a2ff

SHA512
f34b93cae19253b0db6a3bb5d2c904ebb60fe555e745bf17986d195711fbcc71556ade5a0f48030a462dd1d6f51e0bf9918d6f681fc960900ecd5ea2a5ff7444

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
669KB

MD5
57e0c00608dbf285142644a7c28d9219

SHA1
94a2b8d5e22d65df3fb989ae5dbb35be6ff08b5d

SHA256
6ba319cef7457321b02a52eed2853b9f5b4995ff78e39fa8ca3af309d522109a

SHA512
1fa9e77426fb03dd68dd022507d027a51d8e9e2f97fe35a8829ebf0315f2f8535d922055f98f99d957e179b26a594e672c3f9991c8cfddbb853a0ae4afaa3f3a

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
669KB

MD5
77589cdda8f5d26a1f8bf7a1ae4a8f8b

SHA1
278fdc7bdf69c322ae57fa662103f37a32b655b0

SHA256
50706c69f0ddfdbaf056ea51860bc77a251752945f1a5b9b294bc9fc5c0f9b64

SHA512
aa4ebb1ba23c89a9748024ee911789748eb2446ee340de5d42248fbab46f1f49d002f83dab7f30c21d8b6edf3350a247a22f07be2cea9e6cd8657c85800e7258

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
669KB

MD5
3e3f9e933d8e0b6fd135f6758bb296b7

SHA1
432c07966ae0922d8e12b4200b3fd8077976df88

SHA256
72bbbeac98f7a048027b6e783edfc9a8d2e2098ed6f9508f71e0cede09788711

SHA512
389d7eafe8bf56bbc30dfb901f3fce6de36da6d87564b526008a6d53fbcf7ff6c888d04642c9dae8387898fc1b11383aafdc7f2838bac66dc7325ae36d006752

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
669KB

MD5
25d4a3739ccad90d226b52d0c5d1c434

SHA1
69346a55e930f7e74957c270bef72cabe3f6071e

SHA256
f362f5c4df0c495b3735fefe51ed4c05e6585abf68a53a8bf59ba4f25b877992

SHA512
330b26e19e7293c5673714e61d8855d20cd981108cb3632200274f299c7331b2df62207dc03605b8deb16c676563061f54c5ccf617b91b0aa78653d14f1239e4

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
669KB

MD5
5e14d9c492581ffc3ad5d8a6696436cd

SHA1
02b7b28aff40050650d16f345dcb4c1835153c9a

SHA256
77448771acd85fd830bacf6c65d6fc97b5ab82140addf5c4413bb4d0e75e5eab

SHA512
dc58034401a76c5f0ee0a19d08b192384b901796ef34f3759197b454930e6477c556ef6ad0e5a95d6ee25c52e9d6951c14478c018074e0e0b1d2798367a6919e

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
669KB

MD5
1fb645c5b60aba6b81378cd3c28be778

SHA1
2db976736d2327d71df310a4fa2cae2e8bbace00

SHA256
36b4e3118bc8e392c2551b7dfdfb76bb57ff158958b1a88266566d13d65f6066

SHA512
e05a282a2eddd5c01a5b4137f3a28b979bf8f77626f492b02c0cc5e53a8cbb206fd3109e4bf7780d6850c0549d7621ba87b78b2a4e1bfbab536dae7e62d39977

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
669KB

MD5
c9cec090fdff3f276bae0bc075a62afb

SHA1
583164cf305b7cb7d228b58b1fe1a5df34e77e03

SHA256
86996e0a5477668222a66ac83669ec63ac8ee8fb008db9f2663c2314991d9a29

SHA512
38ed10aadff55da35e40c3ff5ffe302e5417668cd9255b7a59ca294316e996986db6700d206f72644bfcf6b0d65a24cf8400792c190a1964085a18118a400cdd

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
669KB

MD5
f86732b125393da02fc8e43e7c5c24af

SHA1
268e45dc4047435f04e7c6fafb0d228499345ad8

SHA256
74455484377fe406b01780226432f570fbe31388e55ab60ce7852addc04d6fe0

SHA512
abf77f978987e983530cdd0b8941687f2f07c19b60e75af2ebc0cd86daee36ebd4b3d67440b9daf501bd008c8b1e962bac8d817c3732ea7f5f83f2390d5e83ae

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
669KB

MD5
e23f253774db0a17aee57370cf46dc3f

SHA1
0e8e4b57199e14da79fdb1b9c98a6c21f496ae58

SHA256
c812d1b92c9c8df4a9d539b29c9530f654566844c4dbe2c9cbbd8a4da09608a1

SHA512
0a44e3ba9ad8cee83fc476b41b22da0ee68307fbc8b1c219b7abac0091806027a18768f3d918d8aa853a46fa06437390bdeda87ecb1f6c3d5eaa5c282d14a618

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
669KB

MD5
9d4c54dc1dc696dc79794fcaa32ba9b1

SHA1
e23c6a19d667c95ed5adc266822e58ac232f40e7

SHA256
e0ba8a8e559b2f62c154966bc5c10651b3f43d3c2dfccd7c33aba110e0729aab

SHA512
a73f9abf5e0e6ecfa89d1742f14e96823199e24085801c049930c980ef1653b8e5524eb25c079d597f761ba3a079d52c72766d296cd470245e4178de1099eb6e

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
669KB

MD5
385bd858af5f6801c35264419fe425b8

SHA1
fd27962d3e44f6d841aeb7f9b25cefd618be37b9

SHA256
9f766dc73cd28f763ab31d67aeb53d46ad1c94ae0cb56c5360ebc787c34436d1

SHA512
f0689e074ac6f4b6659c97d76faeb7fab70c71d5ff14dad49940e9653634f039bba30bfb1c975d0a2a809cab63173770bca6798ac9bde3fdeb040d90ce46d458

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
669KB

MD5
14a84c9e29da6d77f3e3828ed8f9534a

SHA1
9b2418ba2986a80d228a1367e0ab78b587b5986c

SHA256
b3260a4bb8aa45c17b1e4f8ad573d6fdcaa6fb089842b366a335e808aaf8dc49

SHA512
33a9ce269add9147c5eb1e6dab0f285cd88fc2ade6a260fa15c4798269f11538bf5a04538c95bc78fafd264a04f8c9ac18a49353c41fd8ae69a43580d444ed37

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
669KB

MD5
6c21cefd8757b3087b18bac3e263be63

SHA1
ad5dc9d278a39dc2749d91410873fc86bbb51647

SHA256
446707ca2fc06a5a3dd7af346727d84c47ca0cceac2ef6a6e79736d4ba143d71

SHA512
9ff70c79f9ba3501eadda6dc2b8a007d71679ac2c671c756164e1bfffe6f23672b765e8593b5a918af9f13521431b8b6d51d038590b54379c966c906161b63c9

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
669KB

MD5
a23d1dd1231f07fc8d28292e9810c701

SHA1
fd1beac116affdb9958cc6a4756e2354c8ba0cb3

SHA256
1b31c21091b187d74b45d2eb097700c91ca9d3113e26cb33d08670cdac8fb085

SHA512
92b08f33875604aa7269d4ff4c59a7601bc2e7a873ebd3303480a8a04952628c38a710220e7ffc8ff96a71e31dce26680e9cee4e60957dc3357c7b92d6bd4a36

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
669KB

MD5
51750c124a820973a572646a64e1f484

SHA1
899aa3a9037149bb7636e734b916c5aeadc70d7e

SHA256
3313682073213b835c543e06908ffb98c6c5d23e7d031ade259fc2b88d135b97

SHA512
c216d15dea716c83ff5bab3d466060c716e0f699440e625b3ea82ade619fe36c96ce20649214e20b94a5ef47a4bcf86849b60c87461aa362dba11603d8732670

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
669KB

MD5
02e72ff128696abb9d5c89a143d65923

SHA1
076ef9f3db2deca3bce7581d9bd08775f04ec5a8

SHA256
9d02f42c9c6546a14084f90e8ce176bee90b25e867ae591db6f5be3f500d24b5

SHA512
61b566c7d3a9567a01ebc824abcc945eb5dcde58e81a5b2596d182efe5b605694f96522def0bdc92935a2332e7e742cd5cb2cf4c097e9115a72bb9671c29c9b0

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
669KB

MD5
9b19d6569d55fd98e9f034ac328c38a0

SHA1
424ff5560913d3ce36ab1002165be72b5634e7cf

SHA256
f501e4a41ec19d9987707767d9ef34d2fa637013630554e1604723da926b5a29

SHA512
cdd26afc2da14ed14c3f25f2804b4144e70680bde67f5dc264cd9580b1f3adacaf0cb03ca04a4faa6adc425bf32c1829ef093f0040666b0577a18bf496d41825

Download Submit
C:\Windows\SysWOW64\Bdjinlko.dll

Filesize
7KB

MD5
329135b43230c5ed3e4c06329e0d9100

SHA1
45d74e4c1da7ec5793df606ece801d571be8315f

SHA256
5d380235a485393c1da01878dfbce8b3e1cb1a909284b0a3791d499988057e95

SHA512
3527501c138108def7ef4fc1ade61a876a146cba280194108d2e03fe3b496022c4b5f3ce844d17aba77a92738bd1e0ee705178700c011f4eae5f598341d4f586

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
669KB

MD5
2d68baed920ce5b9a404486142c723d6

SHA1
89b950dbae979babf366a57a074046a2c3d29b6c

SHA256
9e4c82251f19512d3d48be66665d6719f4670f43fce4e22f9d3a4a56498ae0aa

SHA512
6155c54c6d577c4594898d24fb640cb244f84b5840adaf0ff5c0f6b6d79c82d2c61b812217cc8c9acc444570f896d1662cd6bdbe62a942eaf07e789ffc27bd95

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
669KB

MD5
c14e6cf1731c9db2c7d18d1c867c8ffd

SHA1
f112477696bc300a368eb44839442953a80ade8c

SHA256
9679255ba6132f4b6d7278884f9c9a6b2d52ecbf58406932535e88f1d2f4f494

SHA512
a64724a00e10148b825b411dc40ddd611d030ed4b5044b8f7003a38be71fea2ca298fb87403758156aa60e95f0999b845530d8ca1a72a41a7347be8bbb805ff6

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
669KB

MD5
4d911a1e4420e858cf2cf28b5cfc1f75

SHA1
22625be2d3abca88fbd2de5728218f3afb5454f9

SHA256
6f0a100a44176435d93db13c0e811a84f4ef78f5bfd75892afe79fe913e03073

SHA512
b290c21f4d2d9f0d3e2c2c5c84a56a0d1a2c995f4bfd5f8154c9a3256c169c8d8ef0e5fce10536ad245e3bd39e2ea6f3021989a7e78024831f33906a3b3aa0f5

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
669KB

MD5
702ee0b787c884e34d4676c156379f8e

SHA1
aafb79e83310a2c501d236f9566035e3e21f8473

SHA256
44c2431e400fda7edee247cf21662252fb29c8bad1f986424f75c75c39d28acb

SHA512
34174a44d4d9da36e93d85deaa1265eab6943320472a7bcb399f59d4c53376aebfe3ffdcb7522ec44763eb6b84d7dfba916fadf2478ed98808360eea7c372306

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
669KB

MD5
3d54a1220b1839762bf52204763ab6e5

SHA1
243e9a4420dedeaed78a240699a89ec722cc6943

SHA256
396dbdbffd922dda9e0c32ecee56902f38af6f18de79c22493a2f494c41edd3b

SHA512
fcece289a158a3f0a540ae5a79257638b7f10a05676dce07d625c1fab7c194dc829d9b80ff4b70bd91bc5e80510d3886b32c66a981a2a8ff65970d9c145e7eca

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
669KB

MD5
db491118d9a0b6aa51fac65fc607a994

SHA1
56637ba6dc9da8d497ec213a4cd27840a8a78a11

SHA256
5258678f6e663760d3d0a28ff3591edae85b9dda6afa6a5991bfae653c1202ea

SHA512
8f4c2452da37cd535bfc52b21fc9803d50e2dbc2938d4f69bf681fb50dcdeb7e88ff5b66d81375e69b622a2cb4353346d013e3f6a72d2fe45be2214fc49d51a6

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
669KB

MD5
af9e68bbd02fd7c185a725e27f473ead

SHA1
ae6df4a465ead2bff8f618aa18611b08e8e17cd7

SHA256
b8e1385139d6f32afd6ccc7c8346bd878da2d7a727402e1899088f9eedd056e5

SHA512
61974d1873984a45684ced354376f90904bf6e6901f242972075cedd222086dac754741d27cb698a4984e3b5ea6544e56452bae9aafe01fa9744ee7a3762cf62

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
669KB

MD5
65d1b1510b9ff7e610eb05512a098dd5

SHA1
51fe5001659ee9be51bc79a2d22f6059076862b3

SHA256
f14c3e5d195b4e38c7da871be192864fdddd9055fa9d455544a71f28e537f79f

SHA512
3dadd593553b5b5880e7ca7ddce4ea828a90c89685d52d1d0796b2dfaaf5464a377f57f5d1e004034e795db6625167d88967114150877763daa548499880eddb

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
669KB

MD5
4c83ed05b3d8687ea05a9d6d1587d9a9

SHA1
8fa9ee79d5001a1553824670c00cceda921a7bad

SHA256
5d2072e7400b59d94de3a61d6c9d79e3d8bc9d6120e08ae53a568583f8f85499

SHA512
61a240d14b17c90dbb2fa1e298c9f58bcc305c5fa09a1219ba5b64464cce5d48f49e43e727174249194463e899f665fab23e97608d81eb3f6f21a74256bb9d1e

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
669KB

MD5
003dab1eeb0b6008f5c608617b77a140

SHA1
3f5e8221840d3272a59761ef54e277a4495fc067

SHA256
8908169b4a0b4cbb71a198a886c30b4b4517172f7fb9cfe3dd343b2f4bafa60d

SHA512
369dc25bdcbeae4c9594689ef2370281a8c111f7d6e9a9309a2d861ee1229a0bdf776f24a6a0cdb67365d10d16d548609dccd4b7fdf5bae471c0df6f86f9ad05

Download Submit
memory/316-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5136-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5204-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5360-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5432-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5472-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5512-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5592-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5632-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5672-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5712-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5768-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5800-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5840-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5880-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5920-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5960-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6000-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6040-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6080-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6120-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads