ba76c8e81e7de0ce8d014498cadec5b4bdeaf352929b511dd94a31fd62938c51

Analysis

max time kernel
100s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ddb38ff4fcbb67f26bc36394367410N.exe
Size

74KB
MD5

15ddb38ff4fcbb67f26bc36394367410
SHA1

16e68bbbb020aaec5009890a6bd681c31756186b
SHA256

ba76c8e81e7de0ce8d014498cadec5b4bdeaf352929b511dd94a31fd62938c51
SHA512

ca89577822e5ab98162d6145341f458becbd9bc848dba5c3777f2328fc60d81e6cd08f88b3143435d79a172e10522590b57db35a8d6650afcd7c82a7ff2f340c
SSDEEP

1536:0H29ZWM47TYcM9vifLHMykb5WzDHtO0lNUElJJc6kpBaEH:G24EcgV5IHA0lNl1kHrH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	15ddb38ff4fcbb67f26bc36394367410N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	15ddb38ff4fcbb67f26bc36394367410N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe

Executes dropped EXE 64 IoCs

pid	Process
3284	Odapnf32.exe
4932	Ogpmjb32.exe
1960	Ojoign32.exe
3916	Oqhacgdh.exe
1876	Ogbipa32.exe
4196	Pnlaml32.exe
2488	Pmoahijl.exe
3200	Pcijeb32.exe
3116	Pfhfan32.exe
820	Pmannhhj.exe
1948	Pdifoehl.exe
1432	Pggbkagp.exe
3264	Pnakhkol.exe
3164	Pdkcde32.exe
3192	Pgioqq32.exe
5016	Pjhlml32.exe
4840	Pmfhig32.exe
4900	Pcppfaka.exe
2000	Pfolbmje.exe
4624	Pmidog32.exe
2632	Pdpmpdbd.exe
2820	Pjmehkqk.exe
2116	Qmkadgpo.exe
2892	Qceiaa32.exe
4812	Qfcfml32.exe
1228	Qnjnnj32.exe
4856	Qqijje32.exe
3104	Qgcbgo32.exe
2328	Ajckij32.exe
936	Ambgef32.exe
4964	Aclpap32.exe
2480	Ajfhnjhq.exe
1816	Amddjegd.exe
2768	Agjhgngj.exe
4592	Ajhddjfn.exe
1068	Aabmqd32.exe
880	Aeniabfd.exe
2216	Aglemn32.exe
3844	Ajkaii32.exe
4512	Aminee32.exe
1844	Aepefb32.exe
4872	Accfbokl.exe
3680	Bfabnjjp.exe
4264	Bjmnoi32.exe
5068	Bagflcje.exe
4328	Bcebhoii.exe
1372	Bjokdipf.exe
3400	Bmngqdpj.exe
4888	Beeoaapl.exe
4620	Bgcknmop.exe
4712	Bjagjhnc.exe
3708	Bmpcfdmg.exe
5036	Beglgani.exe
4224	Bcjlcn32.exe
3208	Bjddphlq.exe
2028	Bnpppgdj.exe
4452	Beihma32.exe
3620	Bfkedibe.exe
1036	Bmemac32.exe
368	Bcoenmao.exe
1340	Cfmajipb.exe
4508	Cmgjgcgo.exe
3960	Cdabcm32.exe
2900	Cjkjpgfi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5724	5588	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	15ddb38ff4fcbb67f26bc36394367410N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3284	3648	15ddb38ff4fcbb67f26bc36394367410N.exe	84
PID 3648 wrote to memory of 3284	3648	15ddb38ff4fcbb67f26bc36394367410N.exe	84
PID 3648 wrote to memory of 3284	3648	15ddb38ff4fcbb67f26bc36394367410N.exe	84
PID 3284 wrote to memory of 4932	3284	Odapnf32.exe	85
PID 3284 wrote to memory of 4932	3284	Odapnf32.exe	85
PID 3284 wrote to memory of 4932	3284	Odapnf32.exe	85
PID 4932 wrote to memory of 1960	4932	Ogpmjb32.exe	86
PID 4932 wrote to memory of 1960	4932	Ogpmjb32.exe	86
PID 4932 wrote to memory of 1960	4932	Ogpmjb32.exe	86
PID 1960 wrote to memory of 3916	1960	Ojoign32.exe	87
PID 1960 wrote to memory of 3916	1960	Ojoign32.exe	87
PID 1960 wrote to memory of 3916	1960	Ojoign32.exe	87
PID 3916 wrote to memory of 1876	3916	Oqhacgdh.exe	88
PID 3916 wrote to memory of 1876	3916	Oqhacgdh.exe	88
PID 3916 wrote to memory of 1876	3916	Oqhacgdh.exe	88
PID 1876 wrote to memory of 4196	1876	Ogbipa32.exe	89
PID 1876 wrote to memory of 4196	1876	Ogbipa32.exe	89
PID 1876 wrote to memory of 4196	1876	Ogbipa32.exe	89
PID 4196 wrote to memory of 2488	4196	Pnlaml32.exe	90
PID 4196 wrote to memory of 2488	4196	Pnlaml32.exe	90
PID 4196 wrote to memory of 2488	4196	Pnlaml32.exe	90
PID 2488 wrote to memory of 3200	2488	Pmoahijl.exe	91
PID 2488 wrote to memory of 3200	2488	Pmoahijl.exe	91
PID 2488 wrote to memory of 3200	2488	Pmoahijl.exe	91
PID 3200 wrote to memory of 3116	3200	Pcijeb32.exe	92
PID 3200 wrote to memory of 3116	3200	Pcijeb32.exe	92
PID 3200 wrote to memory of 3116	3200	Pcijeb32.exe	92
PID 3116 wrote to memory of 820	3116	Pfhfan32.exe	93
PID 3116 wrote to memory of 820	3116	Pfhfan32.exe	93
PID 3116 wrote to memory of 820	3116	Pfhfan32.exe	93
PID 820 wrote to memory of 1948	820	Pmannhhj.exe	94
PID 820 wrote to memory of 1948	820	Pmannhhj.exe	94
PID 820 wrote to memory of 1948	820	Pmannhhj.exe	94
PID 1948 wrote to memory of 1432	1948	Pdifoehl.exe	95
PID 1948 wrote to memory of 1432	1948	Pdifoehl.exe	95
PID 1948 wrote to memory of 1432	1948	Pdifoehl.exe	95
PID 1432 wrote to memory of 3264	1432	Pggbkagp.exe	96
PID 1432 wrote to memory of 3264	1432	Pggbkagp.exe	96
PID 1432 wrote to memory of 3264	1432	Pggbkagp.exe	96
PID 3264 wrote to memory of 3164	3264	Pnakhkol.exe	97
PID 3264 wrote to memory of 3164	3264	Pnakhkol.exe	97
PID 3264 wrote to memory of 3164	3264	Pnakhkol.exe	97
PID 3164 wrote to memory of 3192	3164	Pdkcde32.exe	98
PID 3164 wrote to memory of 3192	3164	Pdkcde32.exe	98
PID 3164 wrote to memory of 3192	3164	Pdkcde32.exe	98
PID 3192 wrote to memory of 5016	3192	Pgioqq32.exe	99
PID 3192 wrote to memory of 5016	3192	Pgioqq32.exe	99
PID 3192 wrote to memory of 5016	3192	Pgioqq32.exe	99
PID 5016 wrote to memory of 4840	5016	Pjhlml32.exe	100
PID 5016 wrote to memory of 4840	5016	Pjhlml32.exe	100
PID 5016 wrote to memory of 4840	5016	Pjhlml32.exe	100
PID 4840 wrote to memory of 4900	4840	Pmfhig32.exe	101
PID 4840 wrote to memory of 4900	4840	Pmfhig32.exe	101
PID 4840 wrote to memory of 4900	4840	Pmfhig32.exe	101
PID 4900 wrote to memory of 2000	4900	Pcppfaka.exe	102
PID 4900 wrote to memory of 2000	4900	Pcppfaka.exe	102
PID 4900 wrote to memory of 2000	4900	Pcppfaka.exe	102
PID 2000 wrote to memory of 4624	2000	Pfolbmje.exe	104
PID 2000 wrote to memory of 4624	2000	Pfolbmje.exe	104
PID 2000 wrote to memory of 4624	2000	Pfolbmje.exe	104
PID 4624 wrote to memory of 2632	4624	Pmidog32.exe	105
PID 4624 wrote to memory of 2632	4624	Pmidog32.exe	105
PID 4624 wrote to memory of 2632	4624	Pmidog32.exe	105
PID 2632 wrote to memory of 2820	2632	Pdpmpdbd.exe	106

C:\Users\Admin\AppData\Local\Temp\15ddb38ff4fcbb67f26bc36394367410N.exe
"C:\Users\Admin\AppData\Local\Temp\15ddb38ff4fcbb67f26bc36394367410N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\Odapnf32.exe
  C:\Windows\system32\Odapnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\Ogpmjb32.exe
    C:\Windows\system32\Ogpmjb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\Ojoign32.exe
      C:\Windows\system32\Ojoign32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        33⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 220
        92⤵
        Program crash
        
        PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5588 -ip 5588
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
74KB

MD5
d0420569c468d1cc2f276b3400a46544

SHA1
690f243649ff52dc7ff841d215ae9d718620561a

SHA256
3e31ebcc9c66e06f51ffeebbd70436f54eb7d2a119882e0de2275357239ffa6d

SHA512
fe1edc661231159d4481e38e4ee877392b7a42300bd518325fd2345d7f25d05ac8aad5f09cb79b409297457099bb6ab2df186d49f4f4ea94c8cfe09dd9f1d4ce

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
74KB

MD5
899ec6596924603ef3e575417d30b104

SHA1
78495ad5150e93ec198636d8f420edaa1863baa4

SHA256
6d6dbd30a1d4c82c1eeebfd7dee269ab6a4ff7d09d78bb02f83a0355c765373d

SHA512
fce5cb5ecf7cb53e67b11c4cfa94b8ea14119cdfc3fb90c26ed57353624bd905d0baff54fa12af35b2b57849bb7b044d01948c33867a0ffb1db1f7be1c781349

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
74KB

MD5
5141938edb67a47667401af574d5333b

SHA1
51bcee3fc08e136abb73dc7d6763960640b3da03

SHA256
eadb88fbdfb780bfa1519eee84ba20163794bb1ef12bb8b41f7627767d9d6dbf

SHA512
54057a65084cb86859aafaf965804ff0db1e0358a61c99f7ce43e9f1f001532b2c8a01011560dfc7314e0934baa21979f35b3b2d78a1b15e40b510ef048df7a7

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
74KB

MD5
3e2886efd0c9a683a766d2f4e602504e

SHA1
7b5911ec39d671400610742b1bbc4ac6c1babf29

SHA256
29ed6577893ed3e6232e4fc688d103b20d62ae4e57593c93183044515f5949b6

SHA512
0ad469e119398affc1a2f32872b875517d7ca710ca816c9f9f861b71eca3485ccf8d13dfdefbc6f43786911c8390782068d6e0e7eb5702113f0b5804e27bb7bf

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
74KB

MD5
5344ddee7b9283222d9099fea8fb4c25

SHA1
e3940decb38f56d69cf9db6743c590f37d390196

SHA256
b6b526061c11f497482141d15bb70de9f6c681a1af905ce633873fd8f3f248ca

SHA512
00666a87da48ce9e3002e5894ee40b46fe83174ee0518874e8699523e0f0d318460b3bd000f6d1db8b4114e8f8ca762be5f427e1df7b758fc85fedb372775fb6

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
74KB

MD5
2a58c4ba5c35b927e4684bb2030fdd99

SHA1
28238ffcc8b449da075bd3d3260f05829ef1c973

SHA256
878ac07482b8c349d453f45bf2a83c79d8e1c51e23d6a419d98a4f810c118307

SHA512
2f5d689d65b1e8b2c19b51ae23086e27b9c929a42cb32629f0d8b74aa97a35a6de560d5eb45877f884ef49fc554f265121b6f3974c5f7050f5fa26d78ea554c2

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
74KB

MD5
2db34e263f6bf9a18095dee02fcda686

SHA1
ec152f0277b2b84c2dfd441195178cfb08206de5

SHA256
3eb271bc32d97e03af7e688ea381d5dcd2e5dc501cd6787296d2515eab628f9c

SHA512
5026711bea3910c81a07d9121c21b444f9dd8c2826240c1ba76662e1810f59fc470e767cc79004e4bd7c80115122c18070623442e106b656a33fb90a2da8d3f0

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
74KB

MD5
6bff79df6735dea8fe58b124ac12aef4

SHA1
4feca9dd16482289dbd2413530b4403ac01b3fbc

SHA256
1971570f251b06097ecbefb86af63c5f883e0028f38c83ec50a097647dc7ee92

SHA512
c622b0f15d5920939f477e90e0be674d5e316516f4665df1a4604063fa95782793993fa5fa63eb849db2bcfb14398a7e3cd70b2287dc83cc4b86115030483513

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
74KB

MD5
54793eb9b3aecb0d9364daccd96180dd

SHA1
53de0f0e1b7a6dc550633ae34e185d667dbf1965

SHA256
019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a

SHA512
e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
74KB

MD5
407c46c42814c81e79192abd7cbb390f

SHA1
888a258b78b681d30df20a03f90ffa2b90a741c1

SHA256
55381fe857344c3df0e70f75fefb004b8017ae2305f89e38c8cf00c6724ae820

SHA512
597796642e365dc732291ee9ff37389bf66936c3cf0b4e1ec9cbe43dbcae1432d4e1c709b0a105cfb2176cc166f62c5d1ef444568935bfcf0b451b79c8574cbf

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
74KB

MD5
f0837c01809c6ea5d9d9e97b61fa3d1e

SHA1
efd32af9119bc83fa8f1607ead8ece82d17d8be1

SHA256
a9cfb8a7fcc5c6a52f8c861a41857fac24c46346c46787adc62ca1d1f0953a29

SHA512
0f0a12b43840fa9428fc7cbc0fbe6c69fad9e21e090e64c917795efcb3c78d0b7d468d77d93b2f38f85baf25ed7fe020cf2bfd6098eeb9113a0e3ba57279ce36

Download Submit
C:\Windows\SysWOW64\Gqckln32.dll

Filesize
7KB

MD5
d0340a9d3af8294007142f96c2bc9565

SHA1
f7c8e1cdde870498fa7c038934daeafcd96d192e

SHA256
f35dc65f035f3a6a6e27d6a865e9aa6f236dd513abd567f8f5fd33fd3d79334c

SHA512
48776aff34d91e32a0ffd440e7d7effc941526d90e0796c726a821c47ecff9ca618dc72a06ea7414043d209cbbc99008de29dec46d2c4b0914d68e033d3236f6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
74KB

MD5
f43329c4465649098a8503dd9f81f8d8

SHA1
3d6daa5db38da7f3efd6c08a4ed330b9de79f208

SHA256
c7efa54fa6ea2ea8d8d83d050f379c93f3426f8b69d73156c31921f90e3e43df

SHA512
2bdd01e59672e9c6aa1314e1b9682a1773a967424ea5d13b5de389dea9c9e42f34de31986420bbafe3ee70d349047ad56d6a2cf35ec1f0c9775dc210dc057614

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
74KB

MD5
c8eb7ba5a8edb759718d7f276b306d71

SHA1
abb3112f783b448d0a1fb31fd5f0713b64ac719b

SHA256
312fd237af5a2de1a590974049fea5dc87a7ca020b54c97b2109d04b07520571

SHA512
1d977e76b1c9cd93912a08ee6af6ef64f3b0fc2899bb5971eceb3f67d93bfb56793626d6500472f2097975682dec4b879f1cc0136778f6801642e3e8f21a6167

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
74KB

MD5
318571075b170739faa8c06b94e46f28

SHA1
dd4bc42cefb63322bc426f682a03aec0be9df818

SHA256
daa9168951e8c7c5bb919b685991b450c14329d8dfd38574877e1eb7a1abdcd7

SHA512
946d5e55ea4a9014c939c1670e0b9b7aa0e718e15d896a16d07d19671fe8643834a69fe6ef58a2491ad30581924b83f2ed8b7a52c90b67ccd85f1025410444cf

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
74KB

MD5
ef19a95ebb92ecd85ae93522ece855d6

SHA1
0eb67b6b1dfa9704307b0f6c674ed177f0218d9f

SHA256
3963781ceb5955be9026bf301b854775d8576aa798993442621f211234dc778d

SHA512
2ec03f67d5135b94ba05d6070137f11b75df71642860f687055756a662016489caf4c343d3806d3ccd223ed3f32cb53bb7074c1c3daff95d67f95196f4bdf617

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
74KB

MD5
4c142f6e1ed71cbd0a493f6b130829bf

SHA1
2913d5ef362fd91e92058af45bc71323dac0d4b1

SHA256
d880c151c25ef2b83c85340ca3652501cf8ee42c065ca8e3e803c355ad4fd2c1

SHA512
180d0a0aa1e1fe7f2fa3fad086582dff382ef2d226011755615daa0e942a044409ba4e131ca30ee52bfc30e20d0f6ca6b81024602cc533e06b4836d39966660f

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
74KB

MD5
918333385721f474a726e878a4261d8b

SHA1
d95313ef72405344572065f6d0764b6c2ce3951c

SHA256
d4d05cc299d4f9c2321445e4082459b78b6e255fc7ed55fdcbda7cf6d5183ccb

SHA512
585212dee184c99c10332cd405e851141ac095ee0df6ad7fa1ece8d1ee7ca3253fcacace5c318efb0cdfbe4f21b24a58c775820875bfc782d585c4ea205cad38

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
74KB

MD5
d40a4ab35f3455685f30f78d69e7a5e7

SHA1
e8fdc7cacad66bc1ae7dd0918ade4b49b4cbf993

SHA256
212a8799b22f46c03a5f02123e3ed98b052f38342007db0b60edc742aa0861fa

SHA512
831723f53c06bba02bca57d4aa9ee0e3dda8a8ef42b7fe24fe0dbb6c254571133ef7a8e962f9e432def10013a0e933af91aba8032bf7b2bec0d39b93a575091f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
74KB

MD5
52dbed6c64a52d668dae0f00091f0810

SHA1
1a6809bda5f1d7e3ceca9c9e9a5a887f1ff78b4c

SHA256
c32b815bb645af69d582decaa6c39907eeddff4ae4214336f31a417ff74b9f57

SHA512
8c7a2a2028aa98aa392a653ac7a83c525044075d7062bc8e80d81beca5262c4ba5e0eb5141ed75d159062af7cfb6e5cf1519d3f29ab428bfa7c42328d8b4c48d

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
74KB

MD5
d3e9cf77efeaed58a027d3586948c76a

SHA1
fef2fffb989b876b31d8a91a852acd58fe4f2234

SHA256
6738580ac07dbd964028ae4eac62ab7b10e8e6958f914d947f42ea3d3a351c0f

SHA512
2d27821370600ca8b8c20b363cb1919adf480a548316ad25f692426fd59a2eedfd9cb42966d0edd4ffe52de033c77689c427a4688202db49b253044dc46af66d

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
74KB

MD5
3971870fff07e0bccc6ff68ccc6366ab

SHA1
e81be8168d8734f78e0e55da00522ee3eb8cb252

SHA256
041920febeecce54102eb54b6a8fdd255a637a051521ee1abe05b26503845caf

SHA512
75bd0aceb2ecb906513bc07443e955e72f2c0c23aef5f5e17e551acf64fe8d982d188fdb0f0310f7447f6c847411d5ad1a8fdbd70b7ec8a48f8323b02c3d469e

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
74KB

MD5
58175bc9a8f80be36e13b02633b7c637

SHA1
3214b938b96a263e30bebf170dbc42dc956d47dc

SHA256
89b6e79c752f6c32ede77e8ad79190afe6eed852b7ac1bcdeb186711b23be4ea

SHA512
a8bc636ee3f7c262570cbbaf42c5d120f4f2c430e9192f1b9036b8e7e7166abfe260adb5b7668ff655615d5ab785da1a4aa184e845daa4dbcdb3957aadd2714f

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
74KB

MD5
7a2e13d60990d1de26757012a8fb5afc

SHA1
bfd0b709f0a6d43332982ff568c7f6c5ed1c4681

SHA256
92556b1ec207f5a2107be68e985e62bf9aeb3e3132020a96cb18ea82abb231ea

SHA512
29a946239f98f2ae685b6e92fb03f0199bd47528b02994105f22b925bc2350416fc7b697b04df85e29f55f4dbc01a7c0faa3360d65a93661aa9bba225ff25f24

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
74KB

MD5
4e41d9460aeb645291059f7af89b424e

SHA1
151ad15215e8946fc6ce5cb947b08550d6f6c93b

SHA256
ed5fe0244654ad923e22ce5051e2fe9bdd4290eb38ffb5b79d4cfa105173f8d1

SHA512
7cf1365ec112e1c989d0d95e363174fcbd6885ceaeebece8a61023fd2c601b0543da7cda19a9f25ddf4b545b3c34fbebc8980f125df9873016cdef9ac351866d

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
74KB

MD5
6b44326a3ff60415347e7b8b99557b8f

SHA1
ed3eeaee157072f43d06001b2fa277475df3fef5

SHA256
0cfe01c427cbb839894b664d0f57a716c35911d3a88d3e07d1fb6b243d2a97d8

SHA512
3a3dfe6f117600a9e17bf5826b1b8015ce0337dd19639739a499ffde56c919365eb96b0a0f4cf1d38b0b5aaadf9582e54769196056b577ca49728bcf7b3431c6

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
74KB

MD5
86cf9e67cd863b964b749cf0eb6fe890

SHA1
f4b55798f7ca2cfadaa6ef13ed30b68bf40bc018

SHA256
16babacc3121ab07264f43b1c415f12f4b807e8957d08ce9ffcaeeaf02a3f8b0

SHA512
340e711010ed104dd691fd302df8dff3098847ed87e281bec247eb3799d18cf9d4895b3f5fd7a56f9455c635b89a5cfe33024f2a99311d28abc6af00ffddf441

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
74KB

MD5
ab67d632c5ab3e73da4622f5165a31d9

SHA1
5978ca3ef8d490cf6eddf83ce4c0670298c703e4

SHA256
29c16b3e904c33e1ca48d3f6659ca2807a0c0cc87f68af3a0c621796730388e6

SHA512
b168b2c17e2748f0374d9a080534083eaea46b9392875f474c93ece77d8c0640dd7418f35ec969313ee4c929e192f345213ad1fec146623561e7440f3b7d8391

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
74KB

MD5
2a2b2d3bc2a04b1e71b2692af248c825

SHA1
0ed9abe04adb62088c3ac98389e4c61c2990eb46

SHA256
c2e1240912f6bb9423cf36aa5284fee95beb81c43920b343302a52cfb283b45b

SHA512
0e60ca24254a2b4e820d9199646af1acd44a9c092edc1a299060b634328512db6b326a3079a865d16e282384b88d7f139e4a316ecb6746488001d219d102d14f

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
74KB

MD5
94a00044e5899ba14f857a1f1667dfca

SHA1
269a23ac410aa52adf094405c9a92c0bef82c363

SHA256
d1c14a4a31e8d362ca05c178b49812c8871a944cc97a614e07a0fe4d3780fc35

SHA512
3f174747ecae85aedf12e9ca1be7aa2283390fe76541587e6bb26ca3492006aa88d07891ec1884c63fe243929f94d98564457d4994dded818d027b40ac4fe7de

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
74KB

MD5
461149422febc69f3b36e746a9314027

SHA1
71c5303f17e3a6195c12592b2ae897d7e7c4abd1

SHA256
b340011dbf5af933662b984441ac2d85f553e8f0b5a384d6bf045e34a68aff04

SHA512
8359b3d423c70eda5d4301727bc000a924a0f320d134e2f10697386a0db7d5fd10e2889b2867cb780c6656726cd25a2a5e04c09a6d657de7fce85365b6ba06f9

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
74KB

MD5
7ac027ca2c6f0e7851f6577925a167ac

SHA1
c6dd8a446d69bdbfb6816c8fcb2060170f6ca89f

SHA256
69db9ffd95c8c90cfbbd5aff17c45296f882bc0ee59e0a6865d89ffb18e3492f

SHA512
3f9ec9ff05701b31182700ca796cbf2bf62078731dbdd4ef2b93c563ec9bf1f368ed1fdf7c50a2c661a397d31240f620d6edad1f639a90f12fe2f0a9dcaab686

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
74KB

MD5
1ef8375a6839fa0bd64d8b111a3b40c4

SHA1
948d757632cc1b027790d0499f014e6e82efa98e

SHA256
712cbab1967250b16dab7a1d954c89e1f4dab3e5f967aec85c4939ea1fccb934

SHA512
424e0a82e371fcff12b0f3ac34a78aef49b7674ca923f4f2b78ba8f909122690b47bae8a358f6c475bed3580f361f3f9f6178877521410279911883fb1065c26

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
74KB

MD5
e3bd1f8e6bde55cff039be42ecb28eb0

SHA1
fdbacaa6db3e0c36dc12a87fd9a43a9e9db5c871

SHA256
04d1537416d4befc72bcd2c468ee190911dde139a329feb02ef1ce2ab63c09ca

SHA512
54d0736196100170cf946ee7a159e588d5dafd99bc2673d0d070aacfd4c9e6d324b0ffc6fb8a9658da69c178fcd0a19c5defcebbe32695bf78e3c27d7e81f6b8

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
74KB

MD5
9788df6b2a5660b6f49c499cca549dd3

SHA1
40ac61169656e2ca6a055824614ec0212c8b0675

SHA256
1e75e017eee11bf19dd43878714cc7813d66bdb213dca055eb2d63ba8b3341e1

SHA512
98fb9685d407956b09ff78d7f94e0665248c40c6aca74762d8181f90ff72f2652337dde38f49c6a7c0117ef9f7de447b74750e1cb2de9eb222f72d7ba46870ee

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
2b577363dd3465dbb627e18e4928ce3c

SHA1
82c6b78ed432db9dab2856c7601e25d3d543fc2d

SHA256
da5e92c9b55e45a580affa846dc1ba0f866e00d00db58d70179ddc64ef6aba68

SHA512
81b3dbfdabc5c63fa862ac48a39f261986867c0d15935d4b9313128bd05a9494500c3877018f5445067ba0c08b4f80b2b3681ea6592140164b2faf9d2ec0d8cf

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
74KB

MD5
d3b94fc09f1e43f11705034641cbb2af

SHA1
3c26daef7dfb0be44c3449b2ec9bb99414432750

SHA256
bbe2c9eff15493f1d8e899fda2887bf75b2c46cfb218bf4ed424118e588b773c

SHA512
1e8a869442c9a505209843f849745d4627cdb5c6fcacc695959f85004393f827dcaed77b140b7a8027125cd6d087f062b5387358482e0e75f1194e91506c704e

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
74KB

MD5
71148baae1ff5f056f97dd0d44d84282

SHA1
97fb446a9c83091e5ea4783cdd6d94436b8089b3

SHA256
38ffcdb9de9df32fe43965cc13dfcaaed60e33a408def738b28e0a8536177d95

SHA512
76dc7db89eae547a58b4aaad8a117bf37586804775de977447514f9e7b1782cd7a8f73174fc026e7d91ce607db2655de786d89219fb6f1ed3cc5e108714d0ee7

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
74KB

MD5
e3c1ada88fb780d615b28e217d53da94

SHA1
9c301793bd36c228ff1fc5741fcacf8b128a3b8a

SHA256
51ed411353eb8aa85228ed528236e03e0f59007a92b4cf8cedaaa930b6cc05ea

SHA512
53269a8de6cbc365a516d053832776ffaa5afb3ca80c12e8e20f840788617cb1123623570c93a96ba20f4ad815abf52dadba786c4441f440963097227e3757c2

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
74KB

MD5
de7069a7cc2c345bdc27a14c8675d39e

SHA1
e9ffbfe6a909e8e23f7e1dd8a79c72d9f39a2613

SHA256
333d92ec4e3dfc8145509b2f87d222c1244de04c9af0ec3805eee05d5ea33c60

SHA512
51009bf2cd07b18ad9397f8d348d4713b34fb5f756d6a4b13355fdb1426950916228468f6758a521c31e29ce654d1fd1d66a3ba0f5c4f831c09cfa4191abeaab

Download Submit
memory/368-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/820-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/880-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/936-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1036-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1068-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-533-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1228-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1340-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1372-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1432-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1512-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1760-473-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1768-467-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1816-263-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1876-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1876-574-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1948-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1960-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1960-560-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2060-485-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2480-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2632-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2768-269-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2892-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3104-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3116-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3164-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3192-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3200-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3208-395-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3264-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3284-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3284-546-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3400-357-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3620-413-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3648-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3648-539-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3680-327-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3708-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3812-521-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3844-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3916-567-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3916-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3960-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4124-509-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4224-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4264-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4320-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4328-341-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4344-455-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-515-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4452-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4460-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4512-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4592-275-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4620-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4624-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4712-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4784-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4812-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4840-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-317-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-497-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4888-363-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4900-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4932-553-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4932-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4964-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5016-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5036-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5068-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5116-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5140-540-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5184-547-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5236-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5280-561-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5324-568-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5368-575-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5412-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5456-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads