addfedb4bab8ba76179be8152e60144d1ad68ebbff4caad574c160682bb75cb5

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b724aa3724210398f73350faec72f5a0N.exe
Size

80KB
MD5

b724aa3724210398f73350faec72f5a0
SHA1

7cca8d15d5da17940cd88a7528d5b877cafd9bde
SHA256

addfedb4bab8ba76179be8152e60144d1ad68ebbff4caad574c160682bb75cb5
SHA512

be231729b7ae0ecc41a25e21e624ad67c74ddd315cbf4c6c07bdc173e89226e6cfe2ed871613a43e8aefcee3bf9348074c705cf86440bc3e019d021660c87ffa
SSDEEP

1536:v+wA8kaBukDTxNnqiYw4RmF6KMMOc7Eh6U1O+fTZgYJupWceRQAbRJJ5R2xOSC44:GwA89bMQF6K3IUU1LfKYQWceeQrJ5wxW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe

Executes dropped EXE 64 IoCs

pid	Process
4756	Ofnckp32.exe
1172	Oneklm32.exe
2792	Olhlhjpd.exe
4932	Ocbddc32.exe
4324	Ofqpqo32.exe
2364	Onhhamgg.exe
5096	Oqfdnhfk.exe
2528	Ogpmjb32.exe
3752	Onjegled.exe
1340	Oddmdf32.exe
3452	Ojaelm32.exe
4916	Pmoahijl.exe
2868	Pfhfan32.exe
2192	Pnonbk32.exe
408	Pdifoehl.exe
1008	Pjeoglgc.exe
2040	Pmdkch32.exe
3456	Pgioqq32.exe
4900	Pmfhig32.exe
1932	Pfolbmje.exe
3528	Pqdqof32.exe
4816	Pdpmpdbd.exe
3688	Qqfmde32.exe
1884	Qgqeappe.exe
2644	Qmmnjfnl.exe
3708	Qqijje32.exe
2888	Qgcbgo32.exe
2296	Anmjcieo.exe
4484	Adgbpc32.exe
2480	Afhohlbj.exe
3960	Anogiicl.exe
740	Aqncedbp.exe
1432	Agglboim.exe
5024	Ajfhnjhq.exe
3776	Amddjegd.exe
2008	Agjhgngj.exe
3412	Andqdh32.exe
4864	Aeniabfd.exe
8	Aglemn32.exe
2780	Anfmjhmd.exe
4516	Aepefb32.exe
1680	Bfabnjjp.exe
3192	Bnhjohkb.exe
4768	Bagflcje.exe
2952	Bcebhoii.exe
4436	Bnkgeg32.exe
2876	Beeoaapl.exe
4336	Bgcknmop.exe
3240	Bmpcfdmg.exe
4876	Bcjlcn32.exe
4800	Bfhhoi32.exe
4412	Bmbplc32.exe
924	Bhhdil32.exe
1896	Bjfaeh32.exe
4164	Bmemac32.exe
3556	Belebq32.exe
2380	Chjaol32.exe
3012	Cfmajipb.exe
5064	Cndikf32.exe
864	Cabfga32.exe
1684	Cdabcm32.exe
4140	Cfpnph32.exe
2912	Cnffqf32.exe
3092	Cmiflbel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6032	5940	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b724aa3724210398f73350faec72f5a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	b724aa3724210398f73350faec72f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4756	636	b724aa3724210398f73350faec72f5a0N.exe	84
PID 636 wrote to memory of 4756	636	b724aa3724210398f73350faec72f5a0N.exe	84
PID 636 wrote to memory of 4756	636	b724aa3724210398f73350faec72f5a0N.exe	84
PID 4756 wrote to memory of 1172	4756	Ofnckp32.exe	85
PID 4756 wrote to memory of 1172	4756	Ofnckp32.exe	85
PID 4756 wrote to memory of 1172	4756	Ofnckp32.exe	85
PID 1172 wrote to memory of 2792	1172	Oneklm32.exe	86
PID 1172 wrote to memory of 2792	1172	Oneklm32.exe	86
PID 1172 wrote to memory of 2792	1172	Oneklm32.exe	86
PID 2792 wrote to memory of 4932	2792	Olhlhjpd.exe	87
PID 2792 wrote to memory of 4932	2792	Olhlhjpd.exe	87
PID 2792 wrote to memory of 4932	2792	Olhlhjpd.exe	87
PID 4932 wrote to memory of 4324	4932	Ocbddc32.exe	88
PID 4932 wrote to memory of 4324	4932	Ocbddc32.exe	88
PID 4932 wrote to memory of 4324	4932	Ocbddc32.exe	88
PID 4324 wrote to memory of 2364	4324	Ofqpqo32.exe	89
PID 4324 wrote to memory of 2364	4324	Ofqpqo32.exe	89
PID 4324 wrote to memory of 2364	4324	Ofqpqo32.exe	89
PID 2364 wrote to memory of 5096	2364	Onhhamgg.exe	90
PID 2364 wrote to memory of 5096	2364	Onhhamgg.exe	90
PID 2364 wrote to memory of 5096	2364	Onhhamgg.exe	90
PID 5096 wrote to memory of 2528	5096	Oqfdnhfk.exe	91
PID 5096 wrote to memory of 2528	5096	Oqfdnhfk.exe	91
PID 5096 wrote to memory of 2528	5096	Oqfdnhfk.exe	91
PID 2528 wrote to memory of 3752	2528	Ogpmjb32.exe	92
PID 2528 wrote to memory of 3752	2528	Ogpmjb32.exe	92
PID 2528 wrote to memory of 3752	2528	Ogpmjb32.exe	92
PID 3752 wrote to memory of 1340	3752	Onjegled.exe	93
PID 3752 wrote to memory of 1340	3752	Onjegled.exe	93
PID 3752 wrote to memory of 1340	3752	Onjegled.exe	93
PID 1340 wrote to memory of 3452	1340	Oddmdf32.exe	94
PID 1340 wrote to memory of 3452	1340	Oddmdf32.exe	94
PID 1340 wrote to memory of 3452	1340	Oddmdf32.exe	94
PID 3452 wrote to memory of 4916	3452	Ojaelm32.exe	95
PID 3452 wrote to memory of 4916	3452	Ojaelm32.exe	95
PID 3452 wrote to memory of 4916	3452	Ojaelm32.exe	95
PID 4916 wrote to memory of 2868	4916	Pmoahijl.exe	96
PID 4916 wrote to memory of 2868	4916	Pmoahijl.exe	96
PID 4916 wrote to memory of 2868	4916	Pmoahijl.exe	96
PID 2868 wrote to memory of 2192	2868	Pfhfan32.exe	97
PID 2868 wrote to memory of 2192	2868	Pfhfan32.exe	97
PID 2868 wrote to memory of 2192	2868	Pfhfan32.exe	97
PID 2192 wrote to memory of 408	2192	Pnonbk32.exe	98
PID 2192 wrote to memory of 408	2192	Pnonbk32.exe	98
PID 2192 wrote to memory of 408	2192	Pnonbk32.exe	98
PID 408 wrote to memory of 1008	408	Pdifoehl.exe	99
PID 408 wrote to memory of 1008	408	Pdifoehl.exe	99
PID 408 wrote to memory of 1008	408	Pdifoehl.exe	99
PID 1008 wrote to memory of 2040	1008	Pjeoglgc.exe	101
PID 1008 wrote to memory of 2040	1008	Pjeoglgc.exe	101
PID 1008 wrote to memory of 2040	1008	Pjeoglgc.exe	101
PID 2040 wrote to memory of 3456	2040	Pmdkch32.exe	102
PID 2040 wrote to memory of 3456	2040	Pmdkch32.exe	102
PID 2040 wrote to memory of 3456	2040	Pmdkch32.exe	102
PID 3456 wrote to memory of 4900	3456	Pgioqq32.exe	104
PID 3456 wrote to memory of 4900	3456	Pgioqq32.exe	104
PID 3456 wrote to memory of 4900	3456	Pgioqq32.exe	104
PID 4900 wrote to memory of 1932	4900	Pmfhig32.exe	105
PID 4900 wrote to memory of 1932	4900	Pmfhig32.exe	105
PID 4900 wrote to memory of 1932	4900	Pmfhig32.exe	105
PID 1932 wrote to memory of 3528	1932	Pfolbmje.exe	107
PID 1932 wrote to memory of 3528	1932	Pfolbmje.exe	107
PID 1932 wrote to memory of 3528	1932	Pfolbmje.exe	107
PID 3528 wrote to memory of 4816	3528	Pqdqof32.exe	108

C:\Users\Admin\AppData\Local\Temp\b724aa3724210398f73350faec72f5a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b724aa3724210398f73350faec72f5a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\Oneklm32.exe
    C:\Windows\system32\Oneklm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\Olhlhjpd.exe
      C:\Windows\system32\Olhlhjpd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        29⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        33⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        70⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        74⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        83⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        84⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        100⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 408
        101⤵
        Program crash
        
        PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5940 -ip 5940
1⤵
PID:6008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
d81995d9fd605eac6ef60ede19c17a36

SHA1
b899e755f65f71e56ff9216d042c2c55f8c21f7a

SHA256
05f02df8917d38cceeecbc21b18bfcdf60b73b9019bbc179367119f5839aa852

SHA512
bcce654fd8567ccc5ee58e50199dca4235e5947100155e3f4b3c02824f9b8d75bcbb6f8e7df639cbd19daeea2fe3010fbf0dc8240280fd20758dfcc5426980b9

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
80KB

MD5
d7ce38542a37b5ce6992991189b8ea53

SHA1
12b2295efecbaba3136fcfd1c600565370b65818

SHA256
5eeb4631891f22c67e22956cd554634fd81a6b2b3f47c4b09a21098143995e8b

SHA512
8bda3c69539060234b8976ca1c89079853a2b4eb972d2f2c95ec1e8432c523b23168eed7573e9f104d1261378bb2c32543435595c62d156bc5baf5752c4221f8

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
09737420a4e9b166a84c2aae45eebd5d

SHA1
39a2443474b9465781f90e68275fc09e1437b559

SHA256
7485aaf94dfe10f8a963f3352000d14e12ec63dea77e1f3283a20718dd488f59

SHA512
5ae3a64bc59ddcf45ae326195bab3d0202f35b1f9d543c8b844d0058d6044a65b1406afaa5fece1face3441bc0cf8ba2c4a76e0e277b435f6365410cc3a5b9dd

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
80KB

MD5
7e10c5dc428d1be316a279b4e7bb6571

SHA1
b46378bd6e69ea59f00d5cadc5c51021f17b7641

SHA256
9bb8d458d05978c35ee2d46aefb9d910e29e708ab3be509151d8623a5be153e3

SHA512
3132195d02ca45476d3e9a47887c6e8cfe3f6469eee5c6205a27d164d37659a57fc39b073127151e91a5765b8bf6c329f9d6753f6f75ceb194246083d8127f44

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
fee9f213cd1915c7da38076bf40e88fd

SHA1
8cd059b334836063481d56722fe7d149986b2152

SHA256
a47aa4e004ab23acf1255978029063df18659c301f74a97b4c15a94588c1e25b

SHA512
d9c93ae5c42a51331783d16b068f9769d1a85bd494fa7d0d726031437d9f53e9653657215aacfb26bf138bbf43cff52e4f1a28580922ed4f9066dd51d0666b20

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
b7a22cec07c738a401b3b811af00d8fa

SHA1
a26c0fdee20a5930fb7448a9f399ccb15ec48f15

SHA256
263f1385cd44d0b37019d25b72d17969ef95b3ef04e72302ec4b06810029a987

SHA512
dc99eb3fe2eca1f691217274839f674e43e17fc45d426158807928d48a8a942c03d8c4f0018e18a5c2ae6321df1033a1955f1d466bf1071405e961fb4283b343

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
f15370e966ab0b2cbd2fed631f15b6a2

SHA1
a51ce77792cb6e1734856c544cc415cdb7c5df79

SHA256
e5147016b41248e461ca6a646230c271b13f56601a6d6d4bb984e81b67d753a7

SHA512
0248cd338321c7e84867af065e433431ede55ba03a64eb1eac8581f1d868287174133872908f320cf074c015795d0d82ae122e14361ef9b7e6400e722d15ca62

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
80KB

MD5
83aa6f87ec5c20de9cb3b9e60b5098b6

SHA1
ab6c3d1eff7e3aef797d70d6abf83ceeb9414ce6

SHA256
b06e7da4cdbe2d896f167c364d5c2ccb4507e174f38d19e15c747af259e650fd

SHA512
07dc396de9dca2dbac52d0768c5ac32675b53125a28690f2cc82c8ea6b3319c8ce06b1ee028a1fa54332377aafe82753a7a5f05acbeb688f5f336b58c2dd0481

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
876b4460fe2ba6e2b038dd6e2a4c8489

SHA1
b69295e842e75c2b3b3c4ec7df8415576dba6b10

SHA256
210abdce49be9c07d1988ab17e460ce978908787385901b70b8d4cecb491118c

SHA512
976bf3987d8f54f779958b76f35a0ba75850cb2048e4afad76337b91557db224d8013ffb41153994727301ea02e6eb82be3b642df71bf91ea7829f2c121085f4

Download Submit
C:\Windows\SysWOW64\Donfhp32.dll

Filesize
7KB

MD5
5b675ea7d68b068304d3d8eff19e61f4

SHA1
20bce87726df19a7c6f2f1211acde0d7d50f6b81

SHA256
a5b2909af72992f6865a2cd1d9eb83c6aefc32d44235fcfcddcbfa62a3efd5e3

SHA512
b197289857033774e41f01bed1e3c806ad3d7827107577e34a7d2885a7a52a2c93de5c6022160d0c9d3552fd497c0e9f0eb1da24314bc9215e0b837b6239e000

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
80KB

MD5
828ef7d1e12655d3c97b08ef34962e12

SHA1
bd9b0b7fa2fb8f47f76111caeca1ea88d494a480

SHA256
0ab35129eb16c9a6fd7c9d87116c8ee89d5b043b2e73a0d1563a3d1260c12422

SHA512
d4a0fde9e9a39f9238d84da8188e39f56dd598d639a8bb4bfe404d72d742d6ebb09060e43d0a3ed560445e4ecac371fc5c0ab9686fd7603f6968601930b958df

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
80KB

MD5
c1cdbc06e25c5cc3386808fb2a5984ae

SHA1
485c57e4e3e78559d2d5f41a731d8e63d8f9a640

SHA256
e6d448bb15a82d2c742441ceb637548695f8e9989acdbae6bf8d2dd0ef8a2bb7

SHA512
c14e873ebf3596d88079cb658561c18946dcfc9ee89a7deeaeadd63611dde3a48b44a9f290a8d3b5badf0ce2a4ef1c187da81f05618033a5bb856b1884101a56

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
80KB

MD5
4d81a3021a73500498702312d34bf5a2

SHA1
486450eebbaaecb4c72b4dbe1fa1619e9a214e10

SHA256
d287f43b1bf967b0114c676bc08d9bb1f7a72fd01518adc08867c6c4025faf73

SHA512
dbe943835ee266e007330c13600be8953752a219b5ef574d9565eb4fc6f8501021cf28268f86e7f01ddd189264798303415f16ca1311f11b0399784ecc40f53b

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
80KB

MD5
d8db84e74f9a03236a924488d8293ce4

SHA1
c63f48746e31700d21a7fe884106bb32653b4292

SHA256
8d71efaeaba32db13aee912eb3916df70583903283c8086a1d4f58727ef91c11

SHA512
42e89f6ae07e31de66ba1fcbbc50872060e571858bc635c9bf5c1b19e51e82320e9bf2ef8da4b44b194bd5be050d55c65ce0d3f56f23f6e7e31f576d6657beaf

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
80KB

MD5
d17fb95be05b437b8cb9242e539b3806

SHA1
98b9f524574550137c3ecc4a168db399288231c7

SHA256
9e388bc52c2ca7358405e55ea7fc6f42019e03134b96ae119f9fa9e7890600fe

SHA512
0bc25525e59cb3b6bad22f236581a7988a06194e4771d387a98453014e06956cf9b660ed3dbcfaedcb8be6d1625bd6971505b297cc07629f119d5a502645d5b2

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
80KB

MD5
e172cd296d720b0efaee0298a170c614

SHA1
d04a3aae69847fa376b13172f2ddff344bbe83cd

SHA256
4e586fe3cacb37befdfe3cecae24751eda85250bdba6ccf453ddd1fd18520e7a

SHA512
74a48c45b6954610ed940178a981cc18881299609bd8a43074f7db47a0593ac79da6b9d326de940a2367690b7b8dde38ce0611837bde2c0c440ce5f03a3d172c

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
80KB

MD5
001214685a4e0d29bdd4cd1802c3a845

SHA1
8618b781174b886688a89b7536ec077173c7fd0c

SHA256
c9fd70507c71b643694f076e0b9a0d83bb1f687c80cabdd3df49eb061a86992c

SHA512
f711b37ef7d141a55d67db8aa7c870a0bc2a4f01f0bd0286f28c71132ee31d5eb27104458ad13168dea790f3397b79b2b42525e73b92f065218127eb2c5912fb

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
80KB

MD5
69df7ddbd2de6465e9ae0b2671f82a79

SHA1
6159564b5c000b21ea0ad69641f44a56940ddda3

SHA256
d33f953f6681b105f34d95ed3c16f8132da9d2ed06ee4ab84d8b1de00104f46e

SHA512
cb8b3b3190745904ae144bff00b75a211f7c3247cbe7b7d246a73d149759de0c5a7bcedc0affcc3e628a43235ff0ea9a1084500045f8714e2fc09b63d1b4af47

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
80KB

MD5
4950092f69167d438319412ea41471bc

SHA1
8b20dcbc21d9a45d2be2cb7bceed910a88d372cc

SHA256
93fbecbfc65e7abe1ce8d7d18650f4cdf326df8f29b9e8bf882aeefc2c299daf

SHA512
556a26107034357a522c5cc17f4ee93aca13c047f3a2b5393a1b52a92318179343fb2e67f67625b9358f0788e5c350f83c75ff78813b48f81c4b4c4978bf5b61

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
80KB

MD5
f39066e466d67b14a3906e7ab6681731

SHA1
cea92fb341a2d11a00999c3e59839cff6512e0e8

SHA256
40f66aa88990459c2e37934b5dc3aa21bd8f75f348a0710641f901f432e38ea9

SHA512
b4379d5194298d2fed9419521818984488a8547eb238b4b46050036b9c2b5b22a893a589e6d91ac0b253b8a9504e7e401b545127db6275ea9f4312508a27803c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
80KB

MD5
41ee14b2915934e52b858c99d1873bc4

SHA1
c1fbcaa53ebd2d9e88953b9d65329dde7110c1d2

SHA256
e6e9dd0f086144ceedb01ce5158576cc09d93c842fa81222fd4369b4e5beed4b

SHA512
07a209427a5da4cee3b5819494371a933846235e161422bbe64b63bf7e59bc32633197d5a7593c476b115193060e8d63a040628439ad947f1836409e41167f5f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
80KB

MD5
4cf0d7c31786bc30d54ec43f51addd8c

SHA1
b6dbb612c177dc46045f0d0c08b28854a24d5466

SHA256
e723f5b7a52eeee97da49f65844bd408aad37071351700b4c8da2dcb085d4521

SHA512
60fc6d10de37dd91559a8c6882202b7343a79ea224d71b820792016f342a0d426fdacd0710aa92c86b8d954af43b6608ab9b37f7751cb489b214d0fc07a4b9e4

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
80KB

MD5
b06b48f74de92d477b857b6d30edbd8b

SHA1
fb2bab8e6ac567310a9c96e015d4459a749fa66b

SHA256
4d3a94ea67890de71b8077243a3b539d25b3a6e3ee42329f8117c2b79cd24fa9

SHA512
a94badc72e681cbfefce351c5cc4c11eede61adc291a369910f8dc57d7d426f767db0cc2bc4b0a312b417a05561254a0cd1f85b0d53ada625bc810c8e6f6197c

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
80KB

MD5
b63c76f2f3b8865fa6de453fa2573f64

SHA1
e871ab5a4be48a616348cec8d4d30b655ea274f1

SHA256
8830f652f7d2b96f88eb6a6a58f243a544deaf684476f9434993f98fec555604

SHA512
058461da25c1b397be54aba1c04df1de910f2a094fdf96ee26ee594386367c9941fb7996f58c073cbd1aa359bc8777d9d58a66ce13a32930ea3a23f5b6f3ea20

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
80KB

MD5
e0dcb32fefd14dc4878bba8a21f0f0b7

SHA1
12ae72ff5247fe1c1b15d0f966404f3b10dc7675

SHA256
fb5181ecef35140202f77247bf5a4bdc439c9eb7aba8580d97ec892d053bf3c3

SHA512
8b0b1825ac73c3efae3d2b39225359c88646a3d7b3f22713f95d5dee99d94e16b14e8f354a7f336e216dcad43caceddf19cf595da5b257c20e118bc66ecd2e68

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
80KB

MD5
422c762d98e944e0f12af6cccb0f501a

SHA1
f40c81a1ca37cdb87ad6c2fcaedcba9e69e6b4c3

SHA256
cd9beb30ab25e5940e2b3ea7b6780197e0a8c8db9c59ec7ab696f6262bea15b7

SHA512
9212c8fe2eb26a3d03b6f02dc0e7862761daf225833f408952a3488567cce85be10028f3f10054b30770a7e2007f992c883741f54dd1cd2b6101e18516d81e79

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
80KB

MD5
082a70e0fe1eb8d9422a37a1b9d8a1eb

SHA1
5d5d5ceacf7c87f4601f0b863684711114743012

SHA256
f5760771c428fd06e195dd9744905cef3e7da68af2c3e2fd19a8239e6b361948

SHA512
987c200b3aef0127a6061a131e269dc590068a08d227c45562a581c5b6f434926ea9cb43ee11b1f319a5c89bf658f5896f70edbc27b245bf208f2ca50608b023

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
80KB

MD5
464e5121e9655dd493d09240d3705d0d

SHA1
8f73742a575fd7d329052fb67c1117b674a88afb

SHA256
68280b5342d348b9d6d1d7d1d1ffa0ee013f638d4dcccdc3ed688543bb8440c3

SHA512
92847e0b6167cdd291294959fef69ee09e8ea094637bfccb6c2aad45daceb455fbca84ea42b13d7983e59de2a6341ee0424359d2da5f023219961d803225525d

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
80KB

MD5
421fd52ee081cc859ee795ba7ea14e7c

SHA1
e2732947dfaa4a003aa3f6667fa753fd7e665dd6

SHA256
ba817a06d0f124453775da219ee92655c1be013ce568a799d07031d16d6038db

SHA512
df519b9d64de10ecd4ecd1d9df50fa9fda9f8bfe57a0e83574180451239be3d324841e601ed7fd0b6ac2514de6e6cb11b6643338cc3060e20ced9873feaf6249

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
80KB

MD5
04341c18c0b34b61fcc9cf0337c06046

SHA1
8ef2e6d28a8438e937fc550c46518f9185064450

SHA256
01cd56d71b58fc3d14c7d91460153c8ba292b6c5a083a53597c1bd1fe6121f41

SHA512
0ad5af3bdaae2c92282b2a854e751e7ade94079fc10e827d1601439ae07414ae6da7ad187bf84102eb25087d22575c8729c35329790f48455cfd9f4c49c938b6

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
d17b2614a60ca0a4b8007475d7d2a603

SHA1
b1ff47827e47d19239506f5258d18e5f6573fde6

SHA256
0479ffba03854bface68d9552f68a3a1962c128b870e30d4bf8dba7576372e5b

SHA512
48f8c382b829fbdbc1cbeac30476de5c061eace07277628798b1083a033fd07a6329b71eb9d5b5b822df6c9263640df3315f680353741fd249c6b60ce216ba07

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
80KB

MD5
3e8e2bd25b437c466467828db3c3c1e5

SHA1
c1e4beaa3eb1609817591404a26727411348f7a0

SHA256
d1f19290696f5c51ef83eefa689b6651f1fed1e5fd20a17e58095e1d492dbb55

SHA512
62ef81f3701b7bef4dfb804ddd5c6a53cd4f3d49f12af444e3c230f7aed74b1121ef4e30b089244126a9e4a5239b3c7ab942239d627f1494a29680616aa9aa0c

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
97a88677601877c0b8f2971fa4388fb1

SHA1
47fe64f69a50f6eac10b6706028dc3b099560282

SHA256
e8029b29e88463e11028305e5a31d41ed887f83b480561f30c7651799bc24b3d

SHA512
3f2872073ac9565055d710d4579c27b55a148c947bb2683e06ad3d1db4bdc01fb3be11435fe67c61bd82002afb93952be5d43d17cf0108063e223d25579a55a9

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
80KB

MD5
5612ae2d7c81b59f920c746292a0615a

SHA1
fc9e595b7731881aae98f809a6617148433613d6

SHA256
b6bb65f19eaa747643a6ac89f99c900445b225f61deb5f58f0a21326698945fa

SHA512
c7dd990311d5e86f6a060788fa490a15f683fd3ff79d3eadb4e0bdcbcfbbfcf657dc2caeff15404d2f0541f035de2c6f29d8e339d4eaf662f9a4d6abb4832f4f

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
80KB

MD5
a9325dca9b41d3e369f4d1fadc5c6965

SHA1
7144ecdba3199486c2a94e6168707b7cb0bf7b09

SHA256
0210e822987b315e18e33dbd801ca028d4800d44fcc78725e73c0a3d3566647e

SHA512
eb385f9b25a528daf87f00da43a8d7ecbcf1d5892b23295d681c2237e0769124d56e4a1adafaec48ee5e5540d5552d51bc3fa1584156e3e3be408495daa43308

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
80KB

MD5
58bc5958d21625584778802fe95cca93

SHA1
2928e5f17d384c2f507bf55ccbf31000285b307d

SHA256
975d6530b80cc12ab58f5e414ee2d7229d8909c341595a5680882bdf4b7ab70e

SHA512
e9c3f345198f6f39dd928dbfbbcd1afbc10f789b59730fe757bf370e37a06bb527c7347b457f378d67c4e3fd1fc0d3de5888b33b80f4c77754a80e2376f94dab

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
80KB

MD5
3ef1360c1493137c44d3ddcfb4fde0ef

SHA1
77be37e160f458144a29caecf2b614ac0ba22360

SHA256
10cfd6e68d2a08d9b6613b1ac9c22d0d7d02e5039b8ef07342a3acf88ca38e6d

SHA512
682f5b911c47d7e59c6a4a355dedc6fb83d5951fd802363753176b4689eab4e12b1c1df3c3dc6ad408a3034c3c1178eb2e6586d9ea072a5f2a3d29c5d515ecc3

Download Submit
memory/8-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/636-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/636-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1172-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1172-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1432-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-417-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-206-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-242-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2480-265-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2480-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2528-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2528-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-196-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3192-355-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3192-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-397-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3688-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3688-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3708-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3708-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3752-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3752-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3776-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3776-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4412-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4436-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4484-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4484-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4768-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4800-411-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-187-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4932-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4932-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-361-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads