046f8885218462efdc43747615d4f985ec84d2862ffd5a0fd370174e2541179e

Analysis

max time kernel
32s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b2fda6aa74d9d820dd0e30ca254270N.exe
Size

100KB
MD5

09b2fda6aa74d9d820dd0e30ca254270
SHA1

bf2687743330d7a8de2ec01626ea9085cecbde01
SHA256

046f8885218462efdc43747615d4f985ec84d2862ffd5a0fd370174e2541179e
SHA512

f79361445844058207f901ac8f7ae0a27a6e22c01c9450f44a694bb537e93825472ab2e4fcfc09ab3f0515bd0f81e947c82dcacf1e8d6d919713df88edaf0595
SSDEEP

3072:fBU3wNltn7aGQIn28hXXXqmEgb3a3+X13XRzT:fBdP7Dvn2SXXXqmB7aOl3BzT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfdkehc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaondi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgogla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmahog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajibckpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmahog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	09b2fda6aa74d9d820dd0e30ca254270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	09b2fda6aa74d9d820dd0e30ca254270N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcmnaaji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomlfpdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plcied32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajibckpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afpchl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgogla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pabncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plffkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plffkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pabncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfdkehc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abiqcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pniohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjblcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcmnaaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oomlfpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aodnfbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aodnfbpm.exe

Executes dropped EXE 31 IoCs

pid	Process
1760	Oomlfpdi.exe
2192	Ogddhmdl.exe
2964	Oophlpag.exe
2988	Plcied32.exe
2676	Pcmabnhm.exe
2904	Pcmabnhm.exe
2724	Plffkc32.exe
1088	Pabncj32.exe
2416	Pgogla32.exe
1824	Pniohk32.exe
280	Phocfd32.exe
2876	Pjppmlhm.exe
2828	Pdfdkehc.exe
808	Pjblcl32.exe
1508	Qmahog32.exe
2136	Qjeihl32.exe
864	Qmcedg32.exe
388	Qcmnaaji.exe
812	Aijfihip.exe
892	Aodnfbpm.exe
2268	Ajibckpc.exe
2064	Acbglq32.exe
1080	Afpchl32.exe
1972	Aoihaa32.exe
2256	Abgdnm32.exe
2980	Agdlfd32.exe
2804	Abiqcm32.exe
2784	Aicipgqe.exe
2972	Aaondi32.exe
1836	Bejiehfi.exe
2684	Bmenijcd.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	09b2fda6aa74d9d820dd0e30ca254270N.exe
2300	09b2fda6aa74d9d820dd0e30ca254270N.exe
1760	Oomlfpdi.exe
1760	Oomlfpdi.exe
2192	Ogddhmdl.exe
2192	Ogddhmdl.exe
2964	Oophlpag.exe
2964	Oophlpag.exe
2988	Plcied32.exe
2988	Plcied32.exe
2676	Pcmabnhm.exe
2676	Pcmabnhm.exe
2904	Pcmabnhm.exe
2904	Pcmabnhm.exe
2724	Plffkc32.exe
2724	Plffkc32.exe
1088	Pabncj32.exe
1088	Pabncj32.exe
2416	Pgogla32.exe
2416	Pgogla32.exe
1824	Pniohk32.exe
1824	Pniohk32.exe
280	Phocfd32.exe
280	Phocfd32.exe
2876	Pjppmlhm.exe
2876	Pjppmlhm.exe
2828	Pdfdkehc.exe
2828	Pdfdkehc.exe
808	Pjblcl32.exe
808	Pjblcl32.exe
1508	Qmahog32.exe
1508	Qmahog32.exe
2136	Qjeihl32.exe
2136	Qjeihl32.exe
864	Qmcedg32.exe
864	Qmcedg32.exe
388	Qcmnaaji.exe
388	Qcmnaaji.exe
812	Aijfihip.exe
812	Aijfihip.exe
892	Aodnfbpm.exe
892	Aodnfbpm.exe
2268	Ajibckpc.exe
2268	Ajibckpc.exe
2064	Acbglq32.exe
2064	Acbglq32.exe
1080	Afpchl32.exe
1080	Afpchl32.exe
1972	Aoihaa32.exe
1972	Aoihaa32.exe
2256	Abgdnm32.exe
2256	Abgdnm32.exe
2980	Agdlfd32.exe
2980	Agdlfd32.exe
2804	Abiqcm32.exe
2804	Abiqcm32.exe
2784	Aicipgqe.exe
2784	Aicipgqe.exe
2972	Aaondi32.exe
2972	Aaondi32.exe
1836	Bejiehfi.exe
1836	Bejiehfi.exe
2648	WerFault.exe
2648	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ebakdbbk.dll	Oomlfpdi.exe
File created	C:\Windows\SysWOW64\Kcfbimjl.dll	Pgogla32.exe
File created	C:\Windows\SysWOW64\Pjblcl32.exe	Pdfdkehc.exe
File opened for modification	C:\Windows\SysWOW64\Pjblcl32.exe	Pdfdkehc.exe
File opened for modification	C:\Windows\SysWOW64\Agdlfd32.exe	Abgdnm32.exe
File opened for modification	C:\Windows\SysWOW64\Aicipgqe.exe	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Mfdfng32.dll	09b2fda6aa74d9d820dd0e30ca254270N.exe
File created	C:\Windows\SysWOW64\Kepajbam.dll	Pabncj32.exe
File opened for modification	C:\Windows\SysWOW64\Qjeihl32.exe	Qmahog32.exe
File opened for modification	C:\Windows\SysWOW64\Aijfihip.exe	Qcmnaaji.exe
File created	C:\Windows\SysWOW64\Bejiehfi.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Lnofaf32.dll	Aaondi32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Plcied32.exe	Oophlpag.exe
File opened for modification	C:\Windows\SysWOW64\Pcmabnhm.exe	Plcied32.exe
File created	C:\Windows\SysWOW64\Phocfd32.exe	Pniohk32.exe
File opened for modification	C:\Windows\SysWOW64\Qcmnaaji.exe	Qmcedg32.exe
File created	C:\Windows\SysWOW64\Aijfihip.exe	Qcmnaaji.exe
File opened for modification	C:\Windows\SysWOW64\Oomlfpdi.exe	09b2fda6aa74d9d820dd0e30ca254270N.exe
File created	C:\Windows\SysWOW64\Qqbhmi32.dll	Oophlpag.exe
File created	C:\Windows\SysWOW64\Aicipgqe.exe	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Aaondi32.exe	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Pcmabnhm.exe	Plcied32.exe
File created	C:\Windows\SysWOW64\Pniohk32.exe	Pgogla32.exe
File created	C:\Windows\SysWOW64\Ppfgdd32.dll	Phocfd32.exe
File created	C:\Windows\SysWOW64\Hncklnkp.dll	Qmahog32.exe
File opened for modification	C:\Windows\SysWOW64\Acbglq32.exe	Ajibckpc.exe
File opened for modification	C:\Windows\SysWOW64\Bejiehfi.exe	Aaondi32.exe
File opened for modification	C:\Windows\SysWOW64\Pabncj32.exe	Plffkc32.exe
File created	C:\Windows\SysWOW64\Qmahog32.exe	Pjblcl32.exe
File created	C:\Windows\SysWOW64\Mlfibh32.dll	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Plcied32.exe	Oophlpag.exe
File created	C:\Windows\SysWOW64\Qmcedg32.exe	Qjeihl32.exe
File opened for modification	C:\Windows\SysWOW64\Aodnfbpm.exe	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Afpchl32.exe
File created	C:\Windows\SysWOW64\Jichkb32.dll	Abgdnm32.exe
File created	C:\Windows\SysWOW64\Ogddhmdl.exe	Oomlfpdi.exe
File opened for modification	C:\Windows\SysWOW64\Pjppmlhm.exe	Phocfd32.exe
File opened for modification	C:\Windows\SysWOW64\Qmahog32.exe	Pjblcl32.exe
File created	C:\Windows\SysWOW64\Qcmnaaji.exe	Qmcedg32.exe
File created	C:\Windows\SysWOW64\Pjmgop32.dll	Ajibckpc.exe
File created	C:\Windows\SysWOW64\Oedqakci.dll	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Denlga32.dll	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Pgogla32.exe	Pabncj32.exe
File created	C:\Windows\SysWOW64\Pdfdkehc.exe	Pjppmlhm.exe
File opened for modification	C:\Windows\SysWOW64\Pdfdkehc.exe	Pjppmlhm.exe
File created	C:\Windows\SysWOW64\Mcgcfi32.dll	Pjppmlhm.exe
File created	C:\Windows\SysWOW64\Hcnhpd32.dll	Qmcedg32.exe
File created	C:\Windows\SysWOW64\Acbglq32.exe	Ajibckpc.exe
File opened for modification	C:\Windows\SysWOW64\Abgdnm32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Abiqcm32.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Inceepmo.dll	Abiqcm32.exe
File opened for modification	C:\Windows\SysWOW64\Aaondi32.exe	Aicipgqe.exe
File opened for modification	C:\Windows\SysWOW64\Mmkcpmmb.dll	Pcmabnhm.exe
File opened for modification	C:\Windows\SysWOW64\Ajibckpc.exe	Aodnfbpm.exe
File created	C:\Windows\SysWOW64\Jcoimalh.dll	Aodnfbpm.exe
File created	C:\Windows\SysWOW64\Inmfkm32.dll	Acbglq32.exe
File created	C:\Windows\SysWOW64\Ejbmjalg.dll	Afpchl32.exe
File opened for modification	C:\Windows\SysWOW64\Abiqcm32.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Jfgdqipf.dll	Pcmabnhm.exe
File created	C:\Windows\SysWOW64\Foefccmp.dll	Plffkc32.exe
File created	C:\Windows\SysWOW64\Qjeihl32.exe	Qmahog32.exe
File created	C:\Windows\SysWOW64\Ajibckpc.exe	Aodnfbpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2684	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomlfpdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcmabnhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjblcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjeihl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajibckpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejiehfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pabncj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmahog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmcedg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpchl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdlfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfdkehc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijfihip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pniohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phocfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aodnfbpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcmabnhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjppmlhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plffkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgogla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbglq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicipgqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaondi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09b2fda6aa74d9d820dd0e30ca254270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogddhmdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plcied32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcmnaaji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abiqcm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfbimjl.dll"	Pgogla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgogla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmahog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aodnfbpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	09b2fda6aa74d9d820dd0e30ca254270N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	09b2fda6aa74d9d820dd0e30ca254270N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	09b2fda6aa74d9d820dd0e30ca254270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pniohk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oomlfpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfgdqipf.dll"	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqbhmi32.dll"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkcpmmb.dll"	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelhjebf.dll"	Pjblcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcmnaaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmgop32.dll"	Ajibckpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnofaf32.dll"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkcpmmb.dll"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plffkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgcfi32.dll"	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfdkehc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbkingcj.dll"	Pdfdkehc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjhnge.dll"	Qcmnaaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agefobee.dll"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmcedg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajibckpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jichkb32.dll"	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polhjf32.dll"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	09b2fda6aa74d9d820dd0e30ca254270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foefccmp.dll"	Plffkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kepajbam.dll"	Pabncj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oomlfpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegfajbc.dll"	Qjeihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	09b2fda6aa74d9d820dd0e30ca254270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebakdbbk.dll"	Oomlfpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmahog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnhpd32.dll"	Qmcedg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfibh32.dll"	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoimalh.dll"	Aodnfbpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejiehfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1760	2300	09b2fda6aa74d9d820dd0e30ca254270N.exe	30
PID 2300 wrote to memory of 1760	2300	09b2fda6aa74d9d820dd0e30ca254270N.exe	30
PID 2300 wrote to memory of 1760	2300	09b2fda6aa74d9d820dd0e30ca254270N.exe	30
PID 2300 wrote to memory of 1760	2300	09b2fda6aa74d9d820dd0e30ca254270N.exe	30
PID 1760 wrote to memory of 2192	1760	Oomlfpdi.exe	31
PID 1760 wrote to memory of 2192	1760	Oomlfpdi.exe	31
PID 1760 wrote to memory of 2192	1760	Oomlfpdi.exe	31
PID 1760 wrote to memory of 2192	1760	Oomlfpdi.exe	31
PID 2192 wrote to memory of 2964	2192	Ogddhmdl.exe	32
PID 2192 wrote to memory of 2964	2192	Ogddhmdl.exe	32
PID 2192 wrote to memory of 2964	2192	Ogddhmdl.exe	32
PID 2192 wrote to memory of 2964	2192	Ogddhmdl.exe	32
PID 2964 wrote to memory of 2988	2964	Oophlpag.exe	33
PID 2964 wrote to memory of 2988	2964	Oophlpag.exe	33
PID 2964 wrote to memory of 2988	2964	Oophlpag.exe	33
PID 2964 wrote to memory of 2988	2964	Oophlpag.exe	33
PID 2988 wrote to memory of 2676	2988	Plcied32.exe	34
PID 2988 wrote to memory of 2676	2988	Plcied32.exe	34
PID 2988 wrote to memory of 2676	2988	Plcied32.exe	34
PID 2988 wrote to memory of 2676	2988	Plcied32.exe	34
PID 2676 wrote to memory of 2904	2676	Pcmabnhm.exe	35
PID 2676 wrote to memory of 2904	2676	Pcmabnhm.exe	35
PID 2676 wrote to memory of 2904	2676	Pcmabnhm.exe	35
PID 2676 wrote to memory of 2904	2676	Pcmabnhm.exe	35
PID 2904 wrote to memory of 2724	2904	Pcmabnhm.exe	36
PID 2904 wrote to memory of 2724	2904	Pcmabnhm.exe	36
PID 2904 wrote to memory of 2724	2904	Pcmabnhm.exe	36
PID 2904 wrote to memory of 2724	2904	Pcmabnhm.exe	36
PID 2724 wrote to memory of 1088	2724	Plffkc32.exe	37
PID 2724 wrote to memory of 1088	2724	Plffkc32.exe	37
PID 2724 wrote to memory of 1088	2724	Plffkc32.exe	37
PID 2724 wrote to memory of 1088	2724	Plffkc32.exe	37
PID 1088 wrote to memory of 2416	1088	Pabncj32.exe	38
PID 1088 wrote to memory of 2416	1088	Pabncj32.exe	38
PID 1088 wrote to memory of 2416	1088	Pabncj32.exe	38
PID 1088 wrote to memory of 2416	1088	Pabncj32.exe	38
PID 2416 wrote to memory of 1824	2416	Pgogla32.exe	39
PID 2416 wrote to memory of 1824	2416	Pgogla32.exe	39
PID 2416 wrote to memory of 1824	2416	Pgogla32.exe	39
PID 2416 wrote to memory of 1824	2416	Pgogla32.exe	39
PID 1824 wrote to memory of 280	1824	Pniohk32.exe	40
PID 1824 wrote to memory of 280	1824	Pniohk32.exe	40
PID 1824 wrote to memory of 280	1824	Pniohk32.exe	40
PID 1824 wrote to memory of 280	1824	Pniohk32.exe	40
PID 280 wrote to memory of 2876	280	Phocfd32.exe	41
PID 280 wrote to memory of 2876	280	Phocfd32.exe	41
PID 280 wrote to memory of 2876	280	Phocfd32.exe	41
PID 280 wrote to memory of 2876	280	Phocfd32.exe	41
PID 2876 wrote to memory of 2828	2876	Pjppmlhm.exe	42
PID 2876 wrote to memory of 2828	2876	Pjppmlhm.exe	42
PID 2876 wrote to memory of 2828	2876	Pjppmlhm.exe	42
PID 2876 wrote to memory of 2828	2876	Pjppmlhm.exe	42
PID 2828 wrote to memory of 808	2828	Pdfdkehc.exe	43
PID 2828 wrote to memory of 808	2828	Pdfdkehc.exe	43
PID 2828 wrote to memory of 808	2828	Pdfdkehc.exe	43
PID 2828 wrote to memory of 808	2828	Pdfdkehc.exe	43
PID 808 wrote to memory of 1508	808	Pjblcl32.exe	44
PID 808 wrote to memory of 1508	808	Pjblcl32.exe	44
PID 808 wrote to memory of 1508	808	Pjblcl32.exe	44
PID 808 wrote to memory of 1508	808	Pjblcl32.exe	44
PID 1508 wrote to memory of 2136	1508	Qmahog32.exe	45
PID 1508 wrote to memory of 2136	1508	Qmahog32.exe	45
PID 1508 wrote to memory of 2136	1508	Qmahog32.exe	45
PID 1508 wrote to memory of 2136	1508	Qmahog32.exe	45

C:\Users\Admin\AppData\Local\Temp\09b2fda6aa74d9d820dd0e30ca254270N.exe
"C:\Users\Admin\AppData\Local\Temp\09b2fda6aa74d9d820dd0e30ca254270N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Oomlfpdi.exe
  C:\Windows\system32\Oomlfpdi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Ogddhmdl.exe
    C:\Windows\system32\Ogddhmdl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\Oophlpag.exe
      C:\Windows\system32\Oophlpag.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Plcied32.exe
        
        C:\Windows\system32\Plcied32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\Pcmabnhm.exe
        
        C:\Windows\system32\Pcmabnhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Pcmabnhm.exe
        
        C:\Windows\system32\Pcmabnhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Plffkc32.exe
        
        C:\Windows\system32\Plffkc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Pabncj32.exe
        
        C:\Windows\system32\Pabncj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Pgogla32.exe
        
        C:\Windows\system32\Pgogla32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Pniohk32.exe
        
        C:\Windows\system32\Pniohk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Phocfd32.exe
        
        C:\Windows\system32\Phocfd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\SysWOW64\Pjppmlhm.exe
        
        C:\Windows\system32\Pjppmlhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Pdfdkehc.exe
        
        C:\Windows\system32\Pdfdkehc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Pjblcl32.exe
        
        C:\Windows\system32\Pjblcl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Qmahog32.exe
        
        C:\Windows\system32\Qmahog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Qjeihl32.exe
        
        C:\Windows\system32\Qjeihl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Qmcedg32.exe
        
        C:\Windows\system32\Qmcedg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Qcmnaaji.exe
        
        C:\Windows\system32\Qcmnaaji.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Aijfihip.exe
        
        C:\Windows\system32\Aijfihip.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Aodnfbpm.exe
        
        C:\Windows\system32\Aodnfbpm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Ajibckpc.exe
        
        C:\Windows\system32\Ajibckpc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Acbglq32.exe
        
        C:\Windows\system32\Acbglq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Afpchl32.exe
        
        C:\Windows\system32\Afpchl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Abgdnm32.exe
        
        C:\Windows\system32\Abgdnm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Agdlfd32.exe
        
        C:\Windows\system32\Agdlfd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Abiqcm32.exe
        
        C:\Windows\system32\Abiqcm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Aicipgqe.exe
        
        C:\Windows\system32\Aicipgqe.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Aaondi32.exe
        
        C:\Windows\system32\Aaondi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bejiehfi.exe
        
        C:\Windows\system32\Bejiehfi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaondi32.exe

Filesize
100KB

MD5
e647ffc734a8547435494fdba425e18c

SHA1
3b4e5baa6b23355f17b31b9c5af974bbf4d4aea5

SHA256
1c1fa591dd8f01e8fd1b4a03496623e1ea74d7d21d1b03fb46fa731c1514d112

SHA512
a49ba54dc672a4be4149a1678f5311945f8ac7ea37e6986e44d79fa0e7c850f8c06606992d67c365b26f288999305a0d3fc2086c1bde486f9f50e02e67e40dff

Download Submit
C:\Windows\SysWOW64\Abgdnm32.exe

Filesize
100KB

MD5
4607e024a06bb7131db9516403bc3c0b

SHA1
d5e6bb79d6d2de9203058a04f6cea582ea4b3988

SHA256
db0f36e12709151b0fd094f0f8f6966d685f337aae7a6cb05cf5313a90e53d0e

SHA512
2cbe5083c106113440c69808ea2c7523f98fe181e52ae669c8143479f8313fc1ac6b858805ec6ed8b3816e96ad843ade72aa25ef2c37a9739b251a478b3609f8

Download Submit
C:\Windows\SysWOW64\Abiqcm32.exe

Filesize
100KB

MD5
ba0a434d9b27eee7be94c7c63023b867

SHA1
60685d5d83e5db057f95cd9849520da937a9aef6

SHA256
ef869149edc1028c290caaa917dab535a63ec63dffd6f54011403a030523bef2

SHA512
03bfc0af5d2f879ce0d346bc8e35ab00b7ad451f817a3bd921a2fcf5b342ac95f0d0fdb9ae7ec3abf31cc2a7be2c4aa03e1b0e3ad24ae5fc3d43e9f1350ae6e8

Download Submit
C:\Windows\SysWOW64\Acbglq32.exe

Filesize
100KB

MD5
e965c56e1dd7a741cb7acb88c41e03c4

SHA1
1f5e3ab1e30f9615c79a7a3cbe147405105e50c4

SHA256
9fd9fc286f63b18d82522199fa329db708085c14f09bf1485096abb4f9179b85

SHA512
596caf1ecc8049f77c70f90fa281cd7f8b95f4419dfc9f8601cfa86ba502859b52a638613e4276ac4ecad843a3c9b20c70cddc9d5da63040fc635693d60ed425

Download Submit
C:\Windows\SysWOW64\Afpchl32.exe

Filesize
100KB

MD5
6c73784e5c8635e05c3f17a5268b485a

SHA1
9e04191afd2d1466c41c02ae04b9262e397a14fe

SHA256
dc9fce39eb666565beaf0a509e19c4d2e2254354723cb326d445e50620cfdd90

SHA512
8f4f820647ceed70658f6d2a84c7c01e2d28d478bb8a618abca65c891620e53fe57afe5ef5ca83d476869fcb402251a04a1f7bafc0a6be5a1582989b0af8cc20

Download Submit
C:\Windows\SysWOW64\Agdlfd32.exe

Filesize
100KB

MD5
fa4a3690bcd5f433c5f301770e0d71d7

SHA1
5d78e7434c2c0fa3cf38cdde1ff885b7fe0861b2

SHA256
2e9e695aed146742c735560c8c71ff36d6d4c4feaf079a61219c72d627515dff

SHA512
a87de9de2c8a0ea80b777ae52fe56a7659ef942e59cdcd16d40cec5436f62b8d01cebc9523d9e5a9bf6b137791ed83c9057debb3eb979bf883c4d722f86a6e17

Download Submit
C:\Windows\SysWOW64\Aicipgqe.exe

Filesize
100KB

MD5
35d8597db4a8b5cb039c62229e4fe01f

SHA1
19eb40255b474368dcd1b84cc4763509614c9952

SHA256
468e996d70aa6e4b1a2aae1009b9c4154ac8fefeaf4a1d71fefd7f1bcbdc5632

SHA512
6910ab9500cb4f188cb0a552874b95b91987b8b464033a0bfcdd5cc31d15449b512ed9fcd9a5b8d47abdcfa46b2c41575331472363646e41be2f1f91d866fdfc

Download Submit
C:\Windows\SysWOW64\Aijfihip.exe

Filesize
100KB

MD5
9c074021ca1e8c973ee064d7dfa5aa6c

SHA1
6e12770e064de2e39f3f7e60c7760b129d9e80ac

SHA256
7df2f3337014340d4f9b4273a1fb537cbfb5a4292226cc5f7fc3d32c3bc93fae

SHA512
1cebbceb3149e3e007116b20bd6a3f8722bf6ec0ebee085150226e389811bd7ffe96cfc69fa736708cf0a66c2e628bf183d86827389830e891f2ef65bc20825c

Download Submit
C:\Windows\SysWOW64\Ajibckpc.exe

Filesize
100KB

MD5
231aeedab7fe67697911b3e4038d1329

SHA1
eedf56b49102f9059b65ffd23b4c0bcff931e994

SHA256
7e70866c7a2bd2be494336521adfc0b617cb0a8be091220748ae3efb2c4bc4a7

SHA512
758eff6b1d96db3e4738ad3124489a92753731b6bf28b33bbb292619fd4ac2fe4c550f8cd1a67e68fa16a712376a6fcf6abf53fbe09da6c588e61db6fc131190

Download Submit
C:\Windows\SysWOW64\Aodnfbpm.exe

Filesize
100KB

MD5
b623b0955f3497fad0930928c246e736

SHA1
0e5499081453f808bf0409d4efce51d6be76188d

SHA256
046b1138aa3a3a426d0f947087fe75a585a21dc76ffed70ea2104142afcc2dff

SHA512
195b50bbf5b27067ae56271dbbe01d7f8354bad60695d7bd26c40703866e0a9d50eafd814de5cfac609802f3f4a1d91a2d734a70cd50d08d5e986461eda7a6f6

Download Submit
C:\Windows\SysWOW64\Aoihaa32.exe

Filesize
100KB

MD5
91bd1f498b1a45d3d5dd30f24d64326e

SHA1
d973565d33797bc2a40119cefd3e960d347c9350

SHA256
0d85adba973ecbf52d175b05b991c6c7877d760f2424bbf5fc00ea634a05a6f5

SHA512
62f12ae5ee4d3ab4459bf3aed335f9d04c9d507f3e4298eed373a6309b73ca8865b2456d755356ca538b28bc8cf1aa2ddabd2f0dec523519cb5ec373835ba50d

Download Submit
C:\Windows\SysWOW64\Bejiehfi.exe

Filesize
100KB

MD5
7e76304602eaeddba53f63f90c50991a

SHA1
00bfc0e27bc2fc907038be318ecccf0915abaffc

SHA256
9e70eb9f4405494d544e4a003ebf555eac23ceb03a60cbb47ceaa708ca4768e2

SHA512
756cfe4e9498a3808aac0e52c4f53ab6d2be46ab69e3cdf5463a6bfdaf73c70abafa58dd6f63d0b3339546498492cbf760029883cd8e1621ef9cbb1e1b5d79ac

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
100KB

MD5
813791d9fdd4e91ca4677935f84f8187

SHA1
c62600373f9fda1583c3d0591f5dc6c0d746e536

SHA256
36a182d9ff8d9fcd934f94bea02e7df1a42a167729f3626eafeac62b4a5af2e1

SHA512
10d9df212a11dce9bef94f3130f8dc4cb5ac646986869e49595008abf7b68d5f70aac49db3a52af9ed53ac64c9d64fb6bd9db9cc83a15d5b47caad00f5ab9823

Download Submit
C:\Windows\SysWOW64\Mmkcpmmb.dll

Filesize
7KB

MD5
3bd8df306185f9c0666ba87afbd9eefd

SHA1
1281763d2f106562d9ee0c73ae87d1d111ca38a3

SHA256
0e35dd6bceb1f055562fea21a1a6e3c3ccc0008a4e3a06373e49d242bff5f55f

SHA512
bc8555223968ef2a45a4efb3db48c64a51b2c95db370074f903f121f7edb4deee22b3d036d6833bb23ca1a87df587ca13657522b45cfc7384d36c85137d105be

Download Submit
C:\Windows\SysWOW64\Oomlfpdi.exe

Filesize
100KB

MD5
1ca65cf4d862975b10f3ed4e3b1e8647

SHA1
004202d086f5311212ae1b21636218dbfb457f8d

SHA256
bca8c15da59355c56e2d5c74b98d597d809482997c631124014106a7b8a07a8a

SHA512
eaaad620bb3c7b0277c8dbb15549f62570609f05a0f794bc668789bc7b7e3e1390e3443fdc4dd528ad02c1f9b221623eefa0839c5e98ab9b343f4f8d3ab7f87b

Download Submit
C:\Windows\SysWOW64\Pgogla32.exe

Filesize
100KB

MD5
7c955438691320141384cd32eb3eb36b

SHA1
8d24b3ab18cf2ddb9fecd231733d53b2db5d6dfc

SHA256
036f02be780b4a664b3eaf6001168f5f48afcc5a1e481f429a1f7493755dcd35

SHA512
6675cf64a8975f0e8fdf95d8dc30ac34b323c3ee4ebce712e76793650cf9536928b83fc435be19ea193f1af30fe529fdea61bc52a871b46fa8bbdecf337c946b

Download Submit
C:\Windows\SysWOW64\Plffkc32.exe

Filesize
100KB

MD5
ce9a77c216b1d79bbc8f6d61f034333a

SHA1
aa6f3b086833327f65ee4791635ed588995ece30

SHA256
1e097e12e8f8ccc5ffd2166061b6de321828c5919e95a83dc261306db0013aab

SHA512
51112fb88f403591b3d707fa2abb9ebe31cd322e4487a6f7f6bca97165027c39cb809dc8dae562141dc05a2099ace195bd6eeae1fe5387ca537c43b4a3d9b098

Download Submit
C:\Windows\SysWOW64\Qcmnaaji.exe

Filesize
100KB

MD5
8f1fd269b5d27ccd2d3f6f01eadda26a

SHA1
921cd1aad3be71d98d801462ac43923d9d4cc452

SHA256
20c525a9daa5ad2c78a4be2eab6d36210570a25547774ac87ea923a9ee79b451

SHA512
ed90eb3dfb8756f27ac14b8f3cb0ba632d4db3400e97e6ce4deeb3e124cb53ef9fae657b2d15f34159d18f6e5691c90c9f2ac97a987b512434e57454543ca19c

Download Submit
C:\Windows\SysWOW64\Qmcedg32.exe

Filesize
100KB

MD5
9a3ca83062629b4fc5660c3dcf9cea7f

SHA1
adf8ce6fdc42dfcb54939b85253e085beed1b51b

SHA256
59d59aae461c0d0597955a88253e78913729dc2ba9219ddc4dc845827bacd538

SHA512
2ea0a19056fffece847aae37e9900d398d5c8dd16a5cd4db56d862d0fb5490ce34a8461e1955356f580cbd1f1461541d30cd2b2422d50b6cf5f4cf539f8e42f9

Download Submit
\Windows\SysWOW64\Ogddhmdl.exe

Filesize
100KB

MD5
89e80a8be52cf730ff6b3bf4e1f5817a

SHA1
5353c7b3eab41a7e1529b3e5470a17c5ec5ccbc1

SHA256
11d3bfbd781795d0d0b710208f651ad0033e058554073c2527f83371a72611f3

SHA512
a14686b46d0f937ae9c0637716083a519d9f8ecb5b6cb61a722ac892b5b0a9d2594eb56fe956eabdd1c2b0d5b5ecb08471fcea0794cd80cd6c280380a9fea837

Download Submit
\Windows\SysWOW64\Oophlpag.exe

Filesize
100KB

MD5
1f6ead2186cee8445e3785325607c8f8

SHA1
17b46dffd79a5bdba4f1eb62811b9cdd009a731a

SHA256
b6b901580019acf3f46389ea30ef10c8325b98b2ca3b00c6ef0ae3d8a021228d

SHA512
402cf9e2fd78cfe5e926d8af7d911720ebaff18565183d6a4f229d1eef422275724f324fd8204636609a49eb5c0578f1bacb3e106703441eb15ec398ac41aee7

Download Submit
\Windows\SysWOW64\Pabncj32.exe

Filesize
100KB

MD5
56ffba7676c68103996cde92aba08115

SHA1
61601288ed1b51b3f6122a8fc9c13b6880fde8d4

SHA256
d515f0cc719b2dff66cb75521b55c78d667b547d40c2a9fa5841fab03d8d250c

SHA512
2b9ee085cf9fdc042141920a0d3a762b7c6b01195fa0980372e78ac02adf9ca58d4380de08035c93679a4d3ed6b0e72297d5dc87c533679eec2b34add6d3d2c3

Download Submit
\Windows\SysWOW64\Pcmabnhm.exe

Filesize
100KB

MD5
76b217968725183b320bc9946db6c89d

SHA1
7c8388b143acd7687db6d1d288bfdee1c87e5b34

SHA256
a409227fd459154d5f3e266edcc280e0fb7f874d7356f2c2c2decd68198d3ecb

SHA512
97986d9c357285ffe1d3008e579e2e6cfff1144117ff063678d6560f6260ded2951384573ebebf30601ce0a1bd40cc2fc1ac77f64f6da952317faba070f87d70

Download Submit
\Windows\SysWOW64\Pdfdkehc.exe

Filesize
100KB

MD5
75e12f2e43ba34d8d1c752124359187a

SHA1
9bab921e7cf4da090224908aa0fc6ca198d567f8

SHA256
fb3acdd559805bae42cd6fe3cc72b3a5a2d75665b78d09d6cebfc504194d1117

SHA512
132023d8fa3261f21d0fb690d81e45555375bf0ae6aaf83aaf4cf21de20e9256a551390b80982f331b480d61cdf62f7117bb6e49a57d15ab1df9d10aab5e6d8d

Download Submit
\Windows\SysWOW64\Phocfd32.exe

Filesize
100KB

MD5
9b2ece170e7ff0e0c04dddd8f57e3ad5

SHA1
d4658c8213a7429aaff42d8003ac01e6b51ccbc0

SHA256
4db35cca0e87e2166f14f30626f98fd387ee2e45fb25a5248ca89e763c3d0808

SHA512
3002c3d8b9efbae0edd0c47c7eefddccc474521b535aeaef0d47b32c510c94ac135c828302bbbda89ba153db9bbdadd654d40c7d07030fa06bbe5f6829237f04

Download Submit
\Windows\SysWOW64\Pjblcl32.exe

Filesize
100KB

MD5
d6ee72b7263bad051e7d715ad89b6fe9

SHA1
3986d76c05961c581f90b0ac471c43a4ce853b1e

SHA256
f03ef65c2e2394a9e4da910ae2410379514f81f232f16413c2ee5588584ba919

SHA512
fe9577238673ebec24c949e2cfa2d0e46c12d39ac41e473302378d353932f1cbb85dee7fc49e339fd3affe5872eaef6adac37c8d0bbdb9fd741579331d8ecbf1

Download Submit
\Windows\SysWOW64\Pjppmlhm.exe

Filesize
100KB

MD5
af66d57d6126ee9525a382e8321fa178

SHA1
1be5a0fdb5949c49b5908f5ec474b3cfbc06332b

SHA256
cfaaeff86ad15bf6a077674608355e73d2974ed7d190159c61a54dd47d26bc03

SHA512
48811e40a6bd47bab6b87993b220a57f57f85162d4bcf58e2a82959dd7623b72711951e6277b74a855285e8e0c316d3d4e92777d7b1b869db980c71158edb019

Download Submit
\Windows\SysWOW64\Plcied32.exe

Filesize
100KB

MD5
bf82b93c8dea0c767446b7f9963fd55d

SHA1
4ee03f58098a8eca34a037e0741efd850127d2c0

SHA256
2f2dd10f10a07d341d4292d26cab05af3275e30eba731761e044768b7ac59f06

SHA512
411a5b5debbe5cf78155ddd401400fdb10e75f5db57c3876be42a872f02f1d22def0a370d9ba20e19cd7a7e7540b5996f6cbe0b26df39d42b1b2b03078997a92

Download Submit
\Windows\SysWOW64\Pniohk32.exe

Filesize
100KB

MD5
59f1b38d86c6cdcf0c0808b4ec5be900

SHA1
012bf922e43fedf86991afcea6cea8c283904725

SHA256
b2dfa9de8b4f0f4dbadc379ae0ec5432e16414b9a1fef6e1f88bd05ec46648a1

SHA512
83b5ca186ff8bd6dcf78795ae1923dc321ebef251e088637eaca1111a2658b49c35ce94b10c81a8ac63c008a495470a34928b9939e8b7c0c6d4c8db666657157

Download Submit
\Windows\SysWOW64\Qjeihl32.exe

Filesize
100KB

MD5
9b1417154ce0d22693c584e27a4a1944

SHA1
fa7132b001b0924deee3d72083166e651fef4ee9

SHA256
81d17f2750bec9150eda5e583bb397d7db4b7b29e7030c9ea7c8909107b735bd

SHA512
84a8a0838faa06275285d68bd39e2de0bf3d8fec8f25634194dfaa093a30f497ec4ca4c6c90ac4c188763826f8acaabf347f39ae2337b532a7058abfc34b5c4f

Download Submit
\Windows\SysWOW64\Qmahog32.exe

Filesize
100KB

MD5
8cf211f61bdb85fc60f4b012b347ced8

SHA1
afb617433d65839401b8db7d05cf2df559e78d5f

SHA256
b97cc28006c25e787f24dbd3e9c7ae7501ad7844730c52ab5d4f7e857c4bff3d

SHA512
7b3e1d220a295bb996c6cb7e20e96dc63aa94a3c39e808bccf0e9e52efacd39d10503af4980bb10a88b9e72d096e285e431ed16480f69e76859f13103ed7e63b

Download Submit
memory/280-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/280-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/280-146-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/388-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/388-235-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/808-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/808-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/812-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/812-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/812-246-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/812-242-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/864-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-226-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/864-222-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/892-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-256-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/892-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-257-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1080-288-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1080-289-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1080-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-205-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1760-369-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1760-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-364-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1836-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-365-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1972-299-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1972-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-274-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2064-278-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2064-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2136-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2136-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-40-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2192-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-310-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2256-309-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2268-268-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2268-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-267-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2300-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-13-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2300-12-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2300-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-95-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2724-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-375-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2784-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-344-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2784-342-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2804-332-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2804-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-331-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2828-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-373-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2904-86-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2904-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-353-0x0000000000370000-0x00000000003B3000-memory.dmp

Filesize
268KB

Download
memory/2972-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-352-0x0000000000370000-0x00000000003B3000-memory.dmp

Filesize
268KB

Download
memory/2972-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-321-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2980-326-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2980-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-59-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads