3bd7f9ec4b6d9bd7b8a3fa335e3ae9332c5b9cc4e90253152770e85d70e1d926

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d194f7072aafee38f74da7c8315fa9a0N.exe
Size

78KB
MD5

d194f7072aafee38f74da7c8315fa9a0
SHA1

d8419d591d7b19bc6321209bd7be42561a56b641
SHA256

3bd7f9ec4b6d9bd7b8a3fa335e3ae9332c5b9cc4e90253152770e85d70e1d926
SHA512

45a9c353f68a8c52f469023cacd3cc76f71ea1aed7e6f9f28a2437a0ede1ce763bd1d3ef3d0bfedb6125336cc7b685dd7f4de5c13a62df19af30d4416322bd44
SSDEEP

1536:Y6FZ15YRhTMpHZ8GMBHH1BC1VCzAkIggsJVHcbns:Y6FZsoYBn1M1VCzAogsDes

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d194f7072aafee38f74da7c8315fa9a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe

Executes dropped EXE 64 IoCs

pid	Process
2592	Ofnckp32.exe
1100	Olhlhjpd.exe
1208	Ocbddc32.exe
4836	Ofqpqo32.exe
2916	Olkhmi32.exe
3768	Odapnf32.exe
5012	Ojoign32.exe
4996	Oqhacgdh.exe
1900	Ogbipa32.exe
712	Ofeilobp.exe
3048	Pnlaml32.exe
1300	Pdfjifjo.exe
2040	Pjcbbmif.exe
2380	Pmannhhj.exe
4132	Pggbkagp.exe
4408	Pjeoglgc.exe
668	Pdkcde32.exe
3984	Pjhlml32.exe
2512	Qnjnnj32.exe
2284	Qddfkd32.exe
1528	Qffbbldm.exe
4976	Anmjcieo.exe
3692	Ampkof32.exe
4280	Adgbpc32.exe
536	Acjclpcf.exe
5100	Afhohlbj.exe
2524	Afjlnk32.exe
2368	Amddjegd.exe
3800	Acnlgp32.exe
5028	Ajhddjfn.exe
3308	Aabmqd32.exe
4460	Acqimo32.exe
2204	Ajkaii32.exe
2904	Aepefb32.exe
3428	Agoabn32.exe
2568	Bjmnoi32.exe
2944	Bnhjohkb.exe
4256	Bcebhoii.exe
1240	Bjokdipf.exe
1172	Baicac32.exe
1580	Bgcknmop.exe
2024	Bnmcjg32.exe
2924	Balpgb32.exe
4816	Bcjlcn32.exe
3432	Bmbplc32.exe
4936	Beihma32.exe
4272	Bjfaeh32.exe
1592	Bmemac32.exe
3524	Bcoenmao.exe
4104	Cjinkg32.exe
2860	Cmgjgcgo.exe
936	Cdabcm32.exe
1052	Cfpnph32.exe
1332	Cnffqf32.exe
3684	Caebma32.exe
2324	Cdcoim32.exe
4384	Chokikeb.exe
3556	Cfbkeh32.exe
2908	Cmlcbbcj.exe
1832	Cdfkolkf.exe
2788	Cjpckf32.exe
2272	Cnkplejl.exe
3836	Cajlhqjp.exe
4092	Cdhhdlid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	d194f7072aafee38f74da7c8315fa9a0N.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5884	5792	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d194f7072aafee38f74da7c8315fa9a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d194f7072aafee38f74da7c8315fa9a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2592	1316	d194f7072aafee38f74da7c8315fa9a0N.exe	84
PID 1316 wrote to memory of 2592	1316	d194f7072aafee38f74da7c8315fa9a0N.exe	84
PID 1316 wrote to memory of 2592	1316	d194f7072aafee38f74da7c8315fa9a0N.exe	84
PID 2592 wrote to memory of 1100	2592	Ofnckp32.exe	85
PID 2592 wrote to memory of 1100	2592	Ofnckp32.exe	85
PID 2592 wrote to memory of 1100	2592	Ofnckp32.exe	85
PID 1100 wrote to memory of 1208	1100	Olhlhjpd.exe	86
PID 1100 wrote to memory of 1208	1100	Olhlhjpd.exe	86
PID 1100 wrote to memory of 1208	1100	Olhlhjpd.exe	86
PID 1208 wrote to memory of 4836	1208	Ocbddc32.exe	87
PID 1208 wrote to memory of 4836	1208	Ocbddc32.exe	87
PID 1208 wrote to memory of 4836	1208	Ocbddc32.exe	87
PID 4836 wrote to memory of 2916	4836	Ofqpqo32.exe	88
PID 4836 wrote to memory of 2916	4836	Ofqpqo32.exe	88
PID 4836 wrote to memory of 2916	4836	Ofqpqo32.exe	88
PID 2916 wrote to memory of 3768	2916	Olkhmi32.exe	89
PID 2916 wrote to memory of 3768	2916	Olkhmi32.exe	89
PID 2916 wrote to memory of 3768	2916	Olkhmi32.exe	89
PID 3768 wrote to memory of 5012	3768	Odapnf32.exe	91
PID 3768 wrote to memory of 5012	3768	Odapnf32.exe	91
PID 3768 wrote to memory of 5012	3768	Odapnf32.exe	91
PID 5012 wrote to memory of 4996	5012	Ojoign32.exe	92
PID 5012 wrote to memory of 4996	5012	Ojoign32.exe	92
PID 5012 wrote to memory of 4996	5012	Ojoign32.exe	92
PID 4996 wrote to memory of 1900	4996	Oqhacgdh.exe	93
PID 4996 wrote to memory of 1900	4996	Oqhacgdh.exe	93
PID 4996 wrote to memory of 1900	4996	Oqhacgdh.exe	93
PID 1900 wrote to memory of 712	1900	Ogbipa32.exe	94
PID 1900 wrote to memory of 712	1900	Ogbipa32.exe	94
PID 1900 wrote to memory of 712	1900	Ogbipa32.exe	94
PID 712 wrote to memory of 3048	712	Ofeilobp.exe	95
PID 712 wrote to memory of 3048	712	Ofeilobp.exe	95
PID 712 wrote to memory of 3048	712	Ofeilobp.exe	95
PID 3048 wrote to memory of 1300	3048	Pnlaml32.exe	96
PID 3048 wrote to memory of 1300	3048	Pnlaml32.exe	96
PID 3048 wrote to memory of 1300	3048	Pnlaml32.exe	96
PID 1300 wrote to memory of 2040	1300	Pdfjifjo.exe	98
PID 1300 wrote to memory of 2040	1300	Pdfjifjo.exe	98
PID 1300 wrote to memory of 2040	1300	Pdfjifjo.exe	98
PID 2040 wrote to memory of 2380	2040	Pjcbbmif.exe	99
PID 2040 wrote to memory of 2380	2040	Pjcbbmif.exe	99
PID 2040 wrote to memory of 2380	2040	Pjcbbmif.exe	99
PID 2380 wrote to memory of 4132	2380	Pmannhhj.exe	100
PID 2380 wrote to memory of 4132	2380	Pmannhhj.exe	100
PID 2380 wrote to memory of 4132	2380	Pmannhhj.exe	100
PID 4132 wrote to memory of 4408	4132	Pggbkagp.exe	101
PID 4132 wrote to memory of 4408	4132	Pggbkagp.exe	101
PID 4132 wrote to memory of 4408	4132	Pggbkagp.exe	101
PID 4408 wrote to memory of 668	4408	Pjeoglgc.exe	103
PID 4408 wrote to memory of 668	4408	Pjeoglgc.exe	103
PID 4408 wrote to memory of 668	4408	Pjeoglgc.exe	103
PID 668 wrote to memory of 3984	668	Pdkcde32.exe	104
PID 668 wrote to memory of 3984	668	Pdkcde32.exe	104
PID 668 wrote to memory of 3984	668	Pdkcde32.exe	104
PID 3984 wrote to memory of 2512	3984	Pjhlml32.exe	105
PID 3984 wrote to memory of 2512	3984	Pjhlml32.exe	105
PID 3984 wrote to memory of 2512	3984	Pjhlml32.exe	105
PID 2512 wrote to memory of 2284	2512	Qnjnnj32.exe	106
PID 2512 wrote to memory of 2284	2512	Qnjnnj32.exe	106
PID 2512 wrote to memory of 2284	2512	Qnjnnj32.exe	106
PID 2284 wrote to memory of 1528	2284	Qddfkd32.exe	107
PID 2284 wrote to memory of 1528	2284	Qddfkd32.exe	107
PID 2284 wrote to memory of 1528	2284	Qddfkd32.exe	107
PID 1528 wrote to memory of 4976	1528	Qffbbldm.exe	108

C:\Users\Admin\AppData\Local\Temp\d194f7072aafee38f74da7c8315fa9a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d194f7072aafee38f74da7c8315fa9a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Olhlhjpd.exe
    C:\Windows\system32\Olhlhjpd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\Ocbddc32.exe
      C:\Windows\system32\Ocbddc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        56⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        88⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 396
        94⤵
        Program crash
        
        PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5792 -ip 5792
1⤵
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
78KB

MD5
d6cd6999284157a1d3ce2e42c1e1ba85

SHA1
d97ada7045c5d868f0ad0544332b57098ac56216

SHA256
7afdd8dff3834bdf6ff19b20902aef2171865851c7b8727043c8a754e72e6356

SHA512
735c678c7bf9f373fc1c7745b807ce9f164b012c8390786f0a4bccd2086e2d14067e1149b8723f5695f62a4f1aefa79ca1324053cf87a696a79015facab2aaaa

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
78KB

MD5
5a2e44b7171ec0b425c295c290db7e6a

SHA1
21d52418120875536bb860f62d90fa021c76e98a

SHA256
46f371c1f71255e51a4c7214dc0ce1d437ca8f0f72330f96e5dd9b48bb323784

SHA512
692682aef2e996cfc3b591c3b1ab59a03ccd49fc48ab9d854826a6b77649f51994b62a81c6d579c34b8097b24cc74e05520f78aadc0eb226e1b48239502a9213

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
78KB

MD5
c34ebea6cd6c085757f82a2fd0d9d399

SHA1
47280caa903d34fd85d17c6ee1f2f1e166736824

SHA256
680d2e12771cb2588cc7b1bcca0d76964d635fe5f534dc61adf1050f8e61678e

SHA512
db82e133d545212d50c8f4afe8943d3e93f35fa0730a753fb4cc46e7ee59522eafe8e8cd6037d4839c3f657f74f1b9213d3d8b517401c1b60f56051a21c17d73

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
78KB

MD5
9068f74b2d94993e94e4e670e943e71c

SHA1
26179dc650a0d124edd27ab00ce94913c9e54bb0

SHA256
4f736f7126f665f1051799aaf2c97077e6a80942be4b548807a9d8db4d2b1c3a

SHA512
21e32f6472df768fb9c2c199c854047c8998c67a98367924e5eb6d4f4a4fe2d34f5514858c6d1a3c340e7570b5bbeb1594e9b4636692474102929697d7b95e26

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
78KB

MD5
f642a008b74a860d885edb5cdbcf6856

SHA1
8f69b0e61652aa7790895d387b04d3cb965055fc

SHA256
18fc164c21d00c6b38c61a78da46fdb440131f27835e20acb59e4d54b05247a1

SHA512
523c2d13de26f5519d8adb90eda73d6b3e89e2f37f94f3bee75617b48a25471de30ec2aabae800eb40f00a235b01b5839756b9b76cf86d237d9738e4c8a93d71

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
78KB

MD5
ab00643b9898fdf76fdfce2e96a89832

SHA1
db87d26dacbc706e2ca6348f639b8a9646a0f2ae

SHA256
367333c1e754b6de47bdfc68e21abd50cd9b3ab860624a6b39f2724103978d99

SHA512
db43a70001f8d6c4c2570d590249c4c032e42554eed8148585ca0113ca9865de162456f16df1cb45213a7316ed0a69f2e0bc5c8d9152041bfde8515742a9dcb9

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
78KB

MD5
a63d7b0ab61067337bc85b695bd59a27

SHA1
25416fc7acc244caf33e0b0002a5da8453597801

SHA256
b7f92da493e186569b2babe0574719caf29f581eba775fcb2a78f49fb63b2372

SHA512
1791abc0618347f88ff6b39d128fd2b90f9d187c64d4ba0008bbd97ee4be12a175cd208794ca10c219839cec0b1b4160d35ab76b36682b1051527df34c9d5ad0

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
78KB

MD5
4c7d9b00ad8af21b52de04fa328944b7

SHA1
d7e70fa84bb9329863fc0670f804de406291c5bc

SHA256
760752b9fbb7f0222b02a60e2a63f50c919dcbedbde709c4c3763aa4609a802e

SHA512
bfcbe8917d25f6dcfb876c9cf67f6c05abe1ae83650e58e04cf831d38373e507bd4a08c715589bee65ec813f41c2a9714827c2ab40a5a115de008185bb725f3f

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
78KB

MD5
27e0ef066eb68392cc0487efa5fe272f

SHA1
095005b55dcf57a1928d0da9442aed6c0fa00d7e

SHA256
42f3c83b38e4133ae4719dd1dcedc95254679a352fda029459e24e31a8de0517

SHA512
2195f342ca38a159ed627d628b9f139cab16870e622c22bbfaaa563759ed2316fc615203e0589bd82a18fe4cbab881929273c50e2444236d54316fd06aa66fec

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
78KB

MD5
3e5341519bd02233fe18237d8bd0198a

SHA1
d577c24eb8548f3c6a01f538693d30469bfa2ac3

SHA256
59fdfe99cb7f0061c092c4ab6549f4103ed5d7d6f92c87a096032d46d01b9522

SHA512
bd2bda0f08da42bdf2390dc40deaffb4e986171e127b87a52145ffaee574d9892d20baba3a49c5b6947c8bcf26c3d13263e4436a04c70737ecacd631d8c6481f

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
78KB

MD5
6d9cefbcf7ed313a4be5e026075d679e

SHA1
c1417d5ffa159a5900b1788828d7ca3d8001ad8a

SHA256
fe83c1ca859ba1bdec8526f8b112cf6620b2d9fd433bc6345314fc82265eb33e

SHA512
8c69c072afbc9a8fb1a7da02dacf02664a00ec58bb451399a7d1db8e0dd0630af5c0e1f6d42b152e87eb6d2e23ca9892c0c4ddbe81b897f9e1907d93de7b4373

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
78KB

MD5
6418d7bf3d592774d52fb6ea23d54d9f

SHA1
cf9a677581020600f1bedc73f150c61c585d7680

SHA256
f872062a7a37bca1f53c34c6fa235dae56574408d09deef91d5555cdee41a20e

SHA512
ef6422aa574aa6b8478d54bcc113422b7611c5f2487ed5b3717804467738638c7affc573e827a6467f40dcfb5261ba3ee4ef239f74a7b601ceca62f5cd687093

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
78KB

MD5
18e794a4bbd82406e379a83eebe013ad

SHA1
cfcdf8506520ac2085839697990f58d7eb14b649

SHA256
6550c77a6c70a98308c7b67999444dcf96d5f19abff2d0534f7b889c7f23504e

SHA512
81e26a0642c6f0379feeea7c941fbdb183d2499c738e270afb5d9e69eb9fe00cb83eb05ca7c99bc296169186f02681833a377446f55321723ce3f8a4df4f88f1

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
78KB

MD5
10959eb3ecf77a40ce356e8a9b4e502a

SHA1
6c4fa9a03631b71233466886393e999ab398708f

SHA256
d02bd60c04d2120614a723192aa2f3ca1ed1b2a5103f101e999c5b08c63d2945

SHA512
275e8d969cbefaf72fe9dd9828dc2dbf1e6092c8f404b7c7532631feb5f281fab99432887a61e164f62d3e6aaad70b66af71e3a769219de75ae7effe538f17c4

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
78KB

MD5
8d783946bb03a6de756aa9c523e2d3a0

SHA1
a87417575507e12d0846ecfe1a6c547520764337

SHA256
f8de7246aab602a4d1173c01c41f68e8603d05fbb5a1e4c50ae1a7099cc9598a

SHA512
a570fe40620ef170b8404ebaeabc5d436285ecfe669353aa81766d6368757092c01631fc836ac7f28b373a6e45d013b639462d1585280a62f0873eb7437c3879

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
78KB

MD5
ea86847e139468856c49f92ad4dfd63d

SHA1
df25f981ef66fc1ce2f10acb8f4998bcad1a721a

SHA256
a62ef28d9085f293fd41ba265b0ca0b45c08afedb6fd7a2a89c7c928de1b1a4c

SHA512
3b80449a9398279a3880444d2593e7d118a905b9c89d2a7a3e04d15cae405e8aa7a8bc1c7bd059f2d75aa7583c4f0d72c0aa31c9425e0d040f7cd8726a85be58

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
78KB

MD5
6afafa571db7a047ff0bc09015d019d3

SHA1
37a2097e361342418bf2a6d481eae03f8969e10f

SHA256
e26d6c3e714bd0c55470916c682607100fac062bcb15c943b9b3a322f807dd06

SHA512
537bf5eb3894d1a1c201c2b940971458275f38a5a45a3348d52f3f4fae339d986c1dcb16fe10e0596521485e16a43b75a79ad4d6546aa77478931aa2260e9d17

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
78KB

MD5
60b69cd57efa1198372a0bebdde085e5

SHA1
4d6821948d7aaf6d0b5c396cc4b8c924815fa5d1

SHA256
b833e22da42b8b1079bb84ea226b72a0204e820d3ae7855d9b3c1697bf5aab43

SHA512
9558b68ab2b5819c0c0a66fb4a449a5d097140782f14a95bef0af08a95a5642eaf4a69623c53f73ff8a586880d2cc660dbb231e541dd6b210d326cd3df1f674b

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
78KB

MD5
d8b4111a650fd5bcfd248b82f150848d

SHA1
22965c23d4a700146a9175723d5013168d7b8bf4

SHA256
5a86b6c6d533dab187300dd97e0236149274988aa381a9e0bf57d4275ad98430

SHA512
922ad0dfbe54b4bf3eb1ed353f62ae5fbfc5fa5b50aafb20c66f07b1e5b2610eb762c4dd53d78bdd53082a8bfb425040a2dcfd7b0a895718137deed6146b6c55

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
78KB

MD5
acfba7b4323610a72233cc5fd7ceb59f

SHA1
cb859b479ddd4ff0ae77bf8f29a60036b9b59f8c

SHA256
0c6014d268f9bccb3cf2bfcd7560b1528be1c059a6f401237a44b8b4e6690bf1

SHA512
b4a454887f6f47eda560f19f44c094f87f9167abdf854c1145b11dd54d7c5ea0b665ed2e45313fb63c1602c95a858a6423176595b186f579de24431dbb296fb2

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
78KB

MD5
e9ca662f62d9b0bea50307b8b2c693b0

SHA1
11d95a2666410ecc63b09c3d31d2709b297e8ac8

SHA256
7eda1e246655e5c87c7bcbc46eb6315d822b5bd1ee98e83ddf061def80fc4b58

SHA512
f3c03af968b71449f8b4721b844c83fb047c050ee0adf183c00f7332aafc461a5353ac0efb02b2a7a67c5825096396a81608b9d213b20636d5e7ac3b45774b40

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
78KB

MD5
ee96f5d98fc959f4c379aa85feb1e916

SHA1
ab0e2c0b2c53ac9df3964a6589f8179db242e6f5

SHA256
b3c34bbd46955b173204fd4bf1c1491bd3806fa412ea7763948aec1a666e3f20

SHA512
dda52810270a97020c18ab66aaa8b54d6d2e5faee0f8b915b3bf73c1292a7366a310dcbd903dd59b5a9dcb697c6f0a53f5931bfe61d1e41c85cbc69a7488b16f

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
78KB

MD5
b166db485a5b8df7965e75101962af02

SHA1
173162bac233ebe254ce325a76378573e5e9fcb8

SHA256
eaa510830c41c759877b58ba06eaf8ad320dff2169b1a7c0db13613512038331

SHA512
b67f4ad409df0e0c1646790ec493a03242357e983adcede720b76a5be8b5acfe748fc13b5fd4703c5ede5cab2372c0c89af3897f02e9d5e6d10a2c8901ffffd4

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
78KB

MD5
fd195b120092c5a038f32f1cf5befcf9

SHA1
d2883d48adbfba8773de79997ad271d2b9446c47

SHA256
22027ae1d695abd0798774e3716557a7f4231dad72f8d9e0131b455a2f49ac43

SHA512
6504568a7ae5216aea166056651162ad218547ef2b082567bf08a2c65b69c07127871765e4aaddf20c6824ea9f5bb128cea4de8ff056398e9057a0a388ef3904

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
78KB

MD5
771950db99f50b3abc4eaeefd3cd89c3

SHA1
329fe7a4c6e395784d6f0a9c5be67867e27bc616

SHA256
7c91a0a9a133946b3d0c4cc0a991bf0a5b27946f55159882935f8bbd12a636ea

SHA512
91741af5c2d851e50f883075c27696cb1fd49275e3b6554d0d8ad675b9bb3f76da7ec4fbbb591184e9592d55480712f34e09aa3247ff8baf7b3578ee162764ca

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
78KB

MD5
3874a84af3b7907b240bd4446502e89f

SHA1
6626e3c0410425107818fbebe6099a5cb0cf4de1

SHA256
3c2466e894e5f32afc5d4574f22a4c9887cad1f4096bfbe68cdb1d57599f52d4

SHA512
3bd10f594dedaec20ab079d615d39c76d5fd2e09abdf7181cab1a73025b795887b2cd57ffe4291068a8cc8b60de22dfd9756683f1b548737928eb554dfbe7241

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
78KB

MD5
ce1948ec6cb73f3dadf8c7cc7f025870

SHA1
2d842ea8724e5ca75ff225ffbb6bd895712e79b0

SHA256
7c55e5f2c93c9ce3734e23bc1f933dcd1b7b3a3e269fdd6214bc0861d37b8632

SHA512
b1745bcf96da3b717daf8bb2c44eb9bb2cdfb39980cdf90be65a502c3ef408d5f31485fc74e80cd68243d558555b7ea0e55e99b87db2e96e36f56b7ffffcc4dd

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
78KB

MD5
95a7f2fd8b236376698ff374d5a20a1d

SHA1
902846b931d09b50174216ef6db201bdcf2c9268

SHA256
11367f22d42ba7eaddf9cd900f7a873317ebce24649a52c57db964eb8b8b7428

SHA512
e6fb84189a179f3a4616f3988b8c4f60af7d764c0aa0dec6b1b2484981246d99989a0f4f29b068cece175c73ca31667badd1be8006d7da4146b350cc18ac607a

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
78KB

MD5
0ed7c9bea2d15ae7d77150cbe901786f

SHA1
6fef86dbdea4dc8a9904841499f04422ba2ee983

SHA256
5b2091e7462fa183e74bc57f863f13f47f389c2deb4a252bee2767d54268dd86

SHA512
e692bb67a138ccc905e8c2232f1c2d3ebbfb80ddfce663ad69af5ca6159fc7daf7b349c34a7add0824777990216887ed61eaa707f506e734913330e2adbdbfb2

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
78KB

MD5
8f2adb13f21f4e8555faf982206b3611

SHA1
643fdee9736c794b671f369f3e4b36cc928aaccd

SHA256
89ad5552bcc6c2b73ee0822ad5fdff1d042b09d6c18424fb113e241107a619ff

SHA512
ddc5fe159a65fd0366f2219501fea66e1a2ca25cdba566888866747c28668d86eda75c0e6bd7433df37ce6834ffc5f099bb663063593243fddd6a3cfbdf7800c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
78KB

MD5
1fb8aaf5126a3bb7fbdc164b22d7ae4c

SHA1
ebbf946cbbcf9d51ba497e13f8b761daf0df1d04

SHA256
4f73d618318aa76234af9b7e810be6bd25d6afe850e9d179073e85134e3745a5

SHA512
8a50a813ae92f65c647e53b22110a8ce5001f0cbc1cf9c0b1301c18bd164c857b7899a59217fa6f650b5c27a06f585e419476437c0c5f3d53f29cdf58876965f

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
78KB

MD5
d292026573dada705504c885b3c944ad

SHA1
27fc550bf3b5b9928cec08a4a145c7fba1ba869e

SHA256
47e597bb15d1302de7205c0d0c61a0434f524a07e48cc41f8d866e6662d2b7cf

SHA512
7ef7be35bd97f60ddb9b4f3160f8bee2a15819509884baf1ce7bc74f78593085f5072bed5188f910108b8748b9e2c2d3df9cbcae6cbe5339e4470d7244ba93e5

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
78KB

MD5
05545a73bb84b6d9561a364d9c0f7719

SHA1
0acdd30794c1b5ab3e34f8f31d6eb5820a3f231b

SHA256
e524ca537abbcf31e535839f5a72641b67a137155c7716ac64bf143519c5fa41

SHA512
ee674930cac4c36712afc703048d7b26cab54b2545e47506e7f274a2a9a6fe5bc69db910e10cd6d49e11a95960bf4ebe884b681844b20068e84767615024a014

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
78KB

MD5
88f1e7aad1f0e8cbf32aa986a70336fd

SHA1
40b346b379afc3a94361805aeea36493f1522c06

SHA256
b9db3c84114d9b69112ab5f32627b5b66ef7f25c8407c148033b29e918a18606

SHA512
12492dca19139e0d7b4ba3fb11002e5b3a2dde8e14f9b50cd1bde22073661481d622a97dc6b1128df3be816e71491d4aa83f140be9bff68a8b3bf914feab6f82

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
78KB

MD5
9202c993143166152f4f2915f0482e2c

SHA1
b738b53028c10cce7d235d2dfd66bfa8b14c5118

SHA256
6ca68b982ce8e4220ceff2a703226d1b106cbddfe41651daf7fdf58fdcbcea7f

SHA512
f02fa895eef0d2d67426eee13eb571d782d6876c0a1376da66fdad757c8e81249056cb0b1f695ccb32e5dd9cb52d1df190a47ddf95343882589a7e44ed18b42e

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
78KB

MD5
2b964e808278a2ffb8a8ec28ff6211a3

SHA1
95cd6461f3b5a4f142cac0030fd59b2670efe4af

SHA256
1d62644b42bc9ce4fe4b381ce5525fa70e6034c7344899f973db0494de3c2e4a

SHA512
ffef09dcf98ba9e8abb653b4feb02f5be2c605c4f909a5d1fbd60d9aff32e8724e50e95e8c56b331777b268ee82a0411676afa321723a7cd5158b9ab7f3c62a7

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
78KB

MD5
39685f0db21eb9de45494992b75dc3d0

SHA1
5f6e8bc0b8dccd9bab29f8aa4ded04932a9713ba

SHA256
9c002e12bce458bff807db19149acc26693a0835e8296dcdba2e0ad887e75aa6

SHA512
cd1e641d5af7eca290912f28f2a5e0ae495287ed32adce20c2ed2e4153b93c33d73945c6a3986842d770c51a8b5b4a10793b8a90f62908488c81559cd1828069

Download Submit
memory/536-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1100-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1100-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1316-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1316-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1316-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1900-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1900-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2568-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2568-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3524-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3768-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3768-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3800-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3800-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3984-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3984-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4132-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4132-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4256-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4256-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4936-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads