aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2

Analysis

max time kernel
147s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
Size

56KB
MD5

99c3dec4fdedb7ec824e882f7a1dead9
SHA1

9f91f8e174ef4e6c32ac422fe7ab0eab2b57ce74
SHA256

aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2
SHA512

498c313b237b7f0ad7fd37ee1c77a6a7d90fc9807becf9661fdfd1ddec1c95585600d4ce6b756732324fa24029789b999e75fe0aa8cb5c067450e839a9d01091
SSDEEP

768:+sRZIHCUcwOUnXJLQppPUORPmrU+XUkI6M2NJ7iDrhUa/1H5IrXdnh:+sRZIH2+ZOPUOxmrUq7KhPKp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alncgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deimaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiefqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fofhdidp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqemlbqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgcbmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elaego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gomjckqc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoood32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdalo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akhndf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpkfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eigbfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fofhdidp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akhndf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfieec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbkljd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfbdje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqemlbqi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alncgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfiofefm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmhogjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfgnldd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bohoogbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gheola32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Happkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjehkek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glongpao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpkfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjfjjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgokcja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eenckc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glongpao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnimeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfaof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fagqed32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfiofefm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgfciee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhehmkqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Happkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oinbglkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pikaqppk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdophn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oinbglkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cccgni32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjkdoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjpnjheg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbkljd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfaof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elaego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgchjhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpgee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpedghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkfgnldd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhgpcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcobdgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpedghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcojbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gheola32.exe

Executes dropped EXE 54 IoCs

pid	Process
2248	Oinbglkm.exe
2856	Ojoood32.exe
2352	Odgchjhl.exe
2800	Pnodjb32.exe
2700	Pmdalo32.exe
2620	Pikaqppk.exe
2084	Ppgfciee.exe
1692	Qhehmkqn.exe
2920	Qbkljd32.exe
2956	Akfaof32.exe
1084	Akhndf32.exe
796	Apgcbmha.exe
1912	Alncgn32.exe
2564	Bfieec32.exe
2052	Bcobdgoj.exe
2024	Bfpkfb32.exe
1716	Bohoogbk.exe
3028	Ccjehkek.exe
1588	Cjfjjd32.exe
1624	Cfpgee32.exe
2488	Cccgni32.exe
2400	Dfbdje32.exe
2228	Dnmhogjo.exe
1596	Dnpedghl.exe
2740	Deimaa32.exe
2108	Dcojbm32.exe
2884	Dmgokcja.exe
2604	Edfqclni.exe
2632	Elaego32.exe
336	Eiefqc32.exe
2060	Eigbfb32.exe
2556	Eenckc32.exe
2904	Fpcghl32.exe
3004	Fofhdidp.exe
2900	Fagqed32.exe
2468	Gdophn32.exe
2152	Gphmbolk.exe
1832	Gaiijgbi.exe
2272	Glongpao.exe
2244	Gomjckqc.exe
2160	Gheola32.exe
2608	Hfiofefm.exe
944	Hkfgnldd.exe
2032	Happkf32.exe
3036	Hhjhgpcn.exe
2716	Hjkdoh32.exe
2116	Hqemlbqi.exe
2404	Hgpeimhf.exe
2576	Hnimeg32.exe
1644	Hcfenn32.exe
2644	Hjpnjheg.exe
2860	Hqjfgb32.exe
2684	Ifgooikk.exe
844	Iqmcmaja.exe

Loads dropped DLL 64 IoCs

pid	Process
2388	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
2388	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
2248	Oinbglkm.exe
2248	Oinbglkm.exe
2856	Ojoood32.exe
2856	Ojoood32.exe
2352	Odgchjhl.exe
2352	Odgchjhl.exe
2800	Pnodjb32.exe
2800	Pnodjb32.exe
2700	Pmdalo32.exe
2700	Pmdalo32.exe
2620	Pikaqppk.exe
2620	Pikaqppk.exe
2084	Ppgfciee.exe
2084	Ppgfciee.exe
1692	Qhehmkqn.exe
1692	Qhehmkqn.exe
2920	Qbkljd32.exe
2920	Qbkljd32.exe
2956	Akfaof32.exe
2956	Akfaof32.exe
1084	Akhndf32.exe
1084	Akhndf32.exe
796	Apgcbmha.exe
796	Apgcbmha.exe
1912	Alncgn32.exe
1912	Alncgn32.exe
2564	Bfieec32.exe
2564	Bfieec32.exe
2052	Bcobdgoj.exe
2052	Bcobdgoj.exe
2024	Bfpkfb32.exe
2024	Bfpkfb32.exe
1716	Bohoogbk.exe
1716	Bohoogbk.exe
3028	Ccjehkek.exe
3028	Ccjehkek.exe
1588	Cjfjjd32.exe
1588	Cjfjjd32.exe
1624	Cfpgee32.exe
1624	Cfpgee32.exe
2488	Cccgni32.exe
2488	Cccgni32.exe
2400	Dfbdje32.exe
2400	Dfbdje32.exe
2228	Dnmhogjo.exe
2228	Dnmhogjo.exe
1596	Dnpedghl.exe
1596	Dnpedghl.exe
2740	Deimaa32.exe
2740	Deimaa32.exe
2108	Dcojbm32.exe
2108	Dcojbm32.exe
2884	Dmgokcja.exe
2884	Dmgokcja.exe
2604	Edfqclni.exe
2604	Edfqclni.exe
2632	Elaego32.exe
2632	Elaego32.exe
336	Eiefqc32.exe
336	Eiefqc32.exe
2060	Eigbfb32.exe
2060	Eigbfb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncpcapia.dll	Ojoood32.exe
File created	C:\Windows\SysWOW64\Hiegacgd.dll	Pikaqppk.exe
File created	C:\Windows\SysWOW64\Bjfhad32.dll	Ppgfciee.exe
File created	C:\Windows\SysWOW64\Bcobdgoj.exe	Bfieec32.exe
File created	C:\Windows\SysWOW64\Mfihbo32.dll	Dfbdje32.exe
File opened for modification	C:\Windows\SysWOW64\Qbkljd32.exe	Qhehmkqn.exe
File created	C:\Windows\SysWOW64\Gheola32.exe	Gomjckqc.exe
File opened for modification	C:\Windows\SysWOW64\Hqemlbqi.exe	Hjkdoh32.exe
File created	C:\Windows\SysWOW64\Jgqmmiph.dll	Hnimeg32.exe
File created	C:\Windows\SysWOW64\Jcdnfckl.dll	Odgchjhl.exe
File opened for modification	C:\Windows\SysWOW64\Bfpkfb32.exe	Bcobdgoj.exe
File created	C:\Windows\SysWOW64\Eigbfb32.exe	Eiefqc32.exe
File created	C:\Windows\SysWOW64\Kciblh32.dll	Eenckc32.exe
File created	C:\Windows\SysWOW64\Ageifc32.dll	Fagqed32.exe
File created	C:\Windows\SysWOW64\Gaiijgbi.exe	Gphmbolk.exe
File created	C:\Windows\SysWOW64\Ccbpjqqq.dll	Gphmbolk.exe
File created	C:\Windows\SysWOW64\Hfiofefm.exe	Gheola32.exe
File created	C:\Windows\SysWOW64\Oinbglkm.exe	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
File opened for modification	C:\Windows\SysWOW64\Alncgn32.exe	Apgcbmha.exe
File opened for modification	C:\Windows\SysWOW64\Deimaa32.exe	Dnpedghl.exe
File created	C:\Windows\SysWOW64\Glongpao.exe	Gaiijgbi.exe
File opened for modification	C:\Windows\SysWOW64\Glongpao.exe	Gaiijgbi.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhgpcn.exe	Happkf32.exe
File created	C:\Windows\SysWOW64\Hqemlbqi.exe	Hjkdoh32.exe
File created	C:\Windows\SysWOW64\Ojoood32.exe	Oinbglkm.exe
File created	C:\Windows\SysWOW64\Opfjnm32.dll	Cfpgee32.exe
File created	C:\Windows\SysWOW64\Elaego32.exe	Edfqclni.exe
File created	C:\Windows\SysWOW64\Pokjahgh.dll	Hgpeimhf.exe
File opened for modification	C:\Windows\SysWOW64\Hqjfgb32.exe	Hjpnjheg.exe
File created	C:\Windows\SysWOW64\Iljccajl.dll	Bfpkfb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnodjb32.exe	Odgchjhl.exe
File created	C:\Windows\SysWOW64\Hnfaghha.dll	Bcobdgoj.exe
File created	C:\Windows\SysWOW64\Mmdigbbj.dll	Fpcghl32.exe
File opened for modification	C:\Windows\SysWOW64\Gheola32.exe	Gomjckqc.exe
File created	C:\Windows\SysWOW64\Akfaof32.exe	Qbkljd32.exe
File created	C:\Windows\SysWOW64\Dfbdje32.exe	Cccgni32.exe
File created	C:\Windows\SysWOW64\Klfbmd32.dll	Dnmhogjo.exe
File created	C:\Windows\SysWOW64\Hjkdoh32.exe	Hhjhgpcn.exe
File created	C:\Windows\SysWOW64\Fkficd32.dll	Hjpnjheg.exe
File created	C:\Windows\SysWOW64\Pmdalo32.exe	Pnodjb32.exe
File created	C:\Windows\SysWOW64\Qbkljd32.exe	Qhehmkqn.exe
File created	C:\Windows\SysWOW64\Ihckdmko.dll	Gdophn32.exe
File created	C:\Windows\SysWOW64\Kbajcaio.dll	Happkf32.exe
File opened for modification	C:\Windows\SysWOW64\Gdophn32.exe	Fagqed32.exe
File created	C:\Windows\SysWOW64\Gphmbolk.exe	Gdophn32.exe
File created	C:\Windows\SysWOW64\Hnlhcobj.dll	Hkfgnldd.exe
File created	C:\Windows\SysWOW64\Ijolpgjc.dll	Bohoogbk.exe
File created	C:\Windows\SysWOW64\Bdieho32.dll	Cjfjjd32.exe
File opened for modification	C:\Windows\SysWOW64\Eigbfb32.exe	Eiefqc32.exe
File opened for modification	C:\Windows\SysWOW64\Fagqed32.exe	Fofhdidp.exe
File created	C:\Windows\SysWOW64\Hkfgnldd.exe	Hfiofefm.exe
File created	C:\Windows\SysWOW64\Hhjhgpcn.exe	Happkf32.exe
File opened for modification	C:\Windows\SysWOW64\Hjpnjheg.exe	Hcfenn32.exe
File created	C:\Windows\SysWOW64\Odgchjhl.exe	Ojoood32.exe
File created	C:\Windows\SysWOW64\Qhehmkqn.exe	Ppgfciee.exe
File opened for modification	C:\Windows\SysWOW64\Akhndf32.exe	Akfaof32.exe
File created	C:\Windows\SysWOW64\Cccgni32.exe	Cfpgee32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmhogjo.exe	Dfbdje32.exe
File created	C:\Windows\SysWOW64\Gomjckqc.exe	Glongpao.exe
File created	C:\Windows\SysWOW64\Ecpebkop.dll	Hhjhgpcn.exe
File opened for modification	C:\Windows\SysWOW64\Pikaqppk.exe	Pmdalo32.exe
File created	C:\Windows\SysWOW64\Ccjehkek.exe	Bohoogbk.exe
File created	C:\Windows\SysWOW64\Cfpgee32.exe	Cjfjjd32.exe
File opened for modification	C:\Windows\SysWOW64\Cccgni32.exe	Cfpgee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
388	844	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmhogjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fofhdidp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfgnldd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Happkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqjfgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpgee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagqed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdalo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcobdgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gheola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqemlbqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgpeimhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdophn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gomjckqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfieec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhjhgpcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfjjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccgni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcojbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfiofefm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgooikk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbkljd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bohoogbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpkfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjehkek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gphmbolk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnimeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhehmkqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfaof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaiijgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoood32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alncgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgfciee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eenckc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oinbglkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akhndf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcfenn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnodjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfqclni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpedghl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elaego32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eigbfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgchjhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfbdje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpcghl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjpnjheg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pikaqppk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deimaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiefqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glongpao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjkdoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgcbmha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgokcja.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcojbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elaego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kciblh32.dll"	Eenckc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fofhdidp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnodjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijfeqbn.dll"	Pnodjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppgfciee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlinpd.dll"	Akhndf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfiofefm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edfqclni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiefqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqjfgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifgooikk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcfenn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmphdjpq.dll"	Hcfenn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdalo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhehmkqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cccgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqalkike.dll"	Eigbfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgcpnon.dll"	Elaego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihckdmko.dll"	Gdophn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gomjckqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gheola32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfbdje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbmd32.dll"	Dnmhogjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfbild.dll"	Alncgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmhogjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pikaqppk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgcojpej.dll"	Dcojbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqemlbqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgchjhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eenckc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifgooikk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fagqed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdophn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaiijgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfiofefm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejbpm32.dll"	Apgcbmha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bohoogbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidldm32.dll"	Dmgokcja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Happkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcghhg32.dll"	Pmdalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkfgnldd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqemlbqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akfaof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alncgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljccajl.dll"	Bfpkfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfjjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnodjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pikaqppk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfhad32.dll"	Ppgfciee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbajcaio.dll"	Happkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbkhnja.dll"	Hjkdoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgpeimhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqmmiph.dll"	Hnimeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eigbfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpcghl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkdedfm.dll"	Fofhdidp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okipcb32.dll"	Gaiijgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Happkf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2248	2388	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe	29
PID 2388 wrote to memory of 2248	2388	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe	29
PID 2388 wrote to memory of 2248	2388	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe	29
PID 2388 wrote to memory of 2248	2388	aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe	29
PID 2248 wrote to memory of 2856	2248	Oinbglkm.exe	30
PID 2248 wrote to memory of 2856	2248	Oinbglkm.exe	30
PID 2248 wrote to memory of 2856	2248	Oinbglkm.exe	30
PID 2248 wrote to memory of 2856	2248	Oinbglkm.exe	30
PID 2856 wrote to memory of 2352	2856	Ojoood32.exe	31
PID 2856 wrote to memory of 2352	2856	Ojoood32.exe	31
PID 2856 wrote to memory of 2352	2856	Ojoood32.exe	31
PID 2856 wrote to memory of 2352	2856	Ojoood32.exe	31
PID 2352 wrote to memory of 2800	2352	Odgchjhl.exe	32
PID 2352 wrote to memory of 2800	2352	Odgchjhl.exe	32
PID 2352 wrote to memory of 2800	2352	Odgchjhl.exe	32
PID 2352 wrote to memory of 2800	2352	Odgchjhl.exe	32
PID 2800 wrote to memory of 2700	2800	Pnodjb32.exe	33
PID 2800 wrote to memory of 2700	2800	Pnodjb32.exe	33
PID 2800 wrote to memory of 2700	2800	Pnodjb32.exe	33
PID 2800 wrote to memory of 2700	2800	Pnodjb32.exe	33
PID 2700 wrote to memory of 2620	2700	Pmdalo32.exe	34
PID 2700 wrote to memory of 2620	2700	Pmdalo32.exe	34
PID 2700 wrote to memory of 2620	2700	Pmdalo32.exe	34
PID 2700 wrote to memory of 2620	2700	Pmdalo32.exe	34
PID 2620 wrote to memory of 2084	2620	Pikaqppk.exe	35
PID 2620 wrote to memory of 2084	2620	Pikaqppk.exe	35
PID 2620 wrote to memory of 2084	2620	Pikaqppk.exe	35
PID 2620 wrote to memory of 2084	2620	Pikaqppk.exe	35
PID 2084 wrote to memory of 1692	2084	Ppgfciee.exe	36
PID 2084 wrote to memory of 1692	2084	Ppgfciee.exe	36
PID 2084 wrote to memory of 1692	2084	Ppgfciee.exe	36
PID 2084 wrote to memory of 1692	2084	Ppgfciee.exe	36
PID 1692 wrote to memory of 2920	1692	Qhehmkqn.exe	37
PID 1692 wrote to memory of 2920	1692	Qhehmkqn.exe	37
PID 1692 wrote to memory of 2920	1692	Qhehmkqn.exe	37
PID 1692 wrote to memory of 2920	1692	Qhehmkqn.exe	37
PID 2920 wrote to memory of 2956	2920	Qbkljd32.exe	38
PID 2920 wrote to memory of 2956	2920	Qbkljd32.exe	38
PID 2920 wrote to memory of 2956	2920	Qbkljd32.exe	38
PID 2920 wrote to memory of 2956	2920	Qbkljd32.exe	38
PID 2956 wrote to memory of 1084	2956	Akfaof32.exe	39
PID 2956 wrote to memory of 1084	2956	Akfaof32.exe	39
PID 2956 wrote to memory of 1084	2956	Akfaof32.exe	39
PID 2956 wrote to memory of 1084	2956	Akfaof32.exe	39
PID 1084 wrote to memory of 796	1084	Akhndf32.exe	40
PID 1084 wrote to memory of 796	1084	Akhndf32.exe	40
PID 1084 wrote to memory of 796	1084	Akhndf32.exe	40
PID 1084 wrote to memory of 796	1084	Akhndf32.exe	40
PID 796 wrote to memory of 1912	796	Apgcbmha.exe	41
PID 796 wrote to memory of 1912	796	Apgcbmha.exe	41
PID 796 wrote to memory of 1912	796	Apgcbmha.exe	41
PID 796 wrote to memory of 1912	796	Apgcbmha.exe	41
PID 1912 wrote to memory of 2564	1912	Alncgn32.exe	42
PID 1912 wrote to memory of 2564	1912	Alncgn32.exe	42
PID 1912 wrote to memory of 2564	1912	Alncgn32.exe	42
PID 1912 wrote to memory of 2564	1912	Alncgn32.exe	42
PID 2564 wrote to memory of 2052	2564	Bfieec32.exe	43
PID 2564 wrote to memory of 2052	2564	Bfieec32.exe	43
PID 2564 wrote to memory of 2052	2564	Bfieec32.exe	43
PID 2564 wrote to memory of 2052	2564	Bfieec32.exe	43
PID 2052 wrote to memory of 2024	2052	Bcobdgoj.exe	44
PID 2052 wrote to memory of 2024	2052	Bcobdgoj.exe	44
PID 2052 wrote to memory of 2024	2052	Bcobdgoj.exe	44
PID 2052 wrote to memory of 2024	2052	Bcobdgoj.exe	44

C:\Users\Admin\AppData\Local\Temp\aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe
"C:\Users\Admin\AppData\Local\Temp\aaf018e1e1432c44e740bd437b6cf2799875963beea65d49f6aeeacedfaebcf2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\Oinbglkm.exe
  C:\Windows\system32\Oinbglkm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Ojoood32.exe
    C:\Windows\system32\Ojoood32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Odgchjhl.exe
      C:\Windows\system32\Odgchjhl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\Pnodjb32.exe
        
        C:\Windows\system32\Pnodjb32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\Pmdalo32.exe
        
        C:\Windows\system32\Pmdalo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Pikaqppk.exe
        
        C:\Windows\system32\Pikaqppk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ppgfciee.exe
        
        C:\Windows\system32\Ppgfciee.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Qhehmkqn.exe
        
        C:\Windows\system32\Qhehmkqn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Qbkljd32.exe
        
        C:\Windows\system32\Qbkljd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Akfaof32.exe
        
        C:\Windows\system32\Akfaof32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Akhndf32.exe
        
        C:\Windows\system32\Akhndf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Apgcbmha.exe
        
        C:\Windows\system32\Apgcbmha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Alncgn32.exe
        
        C:\Windows\system32\Alncgn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Bfieec32.exe
        
        C:\Windows\system32\Bfieec32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Bcobdgoj.exe
        
        C:\Windows\system32\Bcobdgoj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Bfpkfb32.exe
        
        C:\Windows\system32\Bfpkfb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bohoogbk.exe
        
        C:\Windows\system32\Bohoogbk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ccjehkek.exe
        
        C:\Windows\system32\Ccjehkek.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Cjfjjd32.exe
        
        C:\Windows\system32\Cjfjjd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Cfpgee32.exe
        
        C:\Windows\system32\Cfpgee32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Cccgni32.exe
        
        C:\Windows\system32\Cccgni32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Dfbdje32.exe
        
        C:\Windows\system32\Dfbdje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Dnmhogjo.exe
        
        C:\Windows\system32\Dnmhogjo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dnpedghl.exe
        
        C:\Windows\system32\Dnpedghl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Deimaa32.exe
        
        C:\Windows\system32\Deimaa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Dcojbm32.exe
        
        C:\Windows\system32\Dcojbm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Dmgokcja.exe
        
        C:\Windows\system32\Dmgokcja.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Edfqclni.exe
        
        C:\Windows\system32\Edfqclni.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Elaego32.exe
        
        C:\Windows\system32\Elaego32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Eiefqc32.exe
        
        C:\Windows\system32\Eiefqc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Eigbfb32.exe
        
        C:\Windows\system32\Eigbfb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Eenckc32.exe
        
        C:\Windows\system32\Eenckc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Fpcghl32.exe
        
        C:\Windows\system32\Fpcghl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Fofhdidp.exe
        
        C:\Windows\system32\Fofhdidp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Fagqed32.exe
        
        C:\Windows\system32\Fagqed32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Gdophn32.exe
        
        C:\Windows\system32\Gdophn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Gphmbolk.exe
        
        C:\Windows\system32\Gphmbolk.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Gaiijgbi.exe
        
        C:\Windows\system32\Gaiijgbi.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Glongpao.exe
        
        C:\Windows\system32\Glongpao.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Gomjckqc.exe
        
        C:\Windows\system32\Gomjckqc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Gheola32.exe
        
        C:\Windows\system32\Gheola32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Hfiofefm.exe
        
        C:\Windows\system32\Hfiofefm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Hkfgnldd.exe
        
        C:\Windows\system32\Hkfgnldd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Happkf32.exe
        
        C:\Windows\system32\Happkf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hhjhgpcn.exe
        
        C:\Windows\system32\Hhjhgpcn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Hjkdoh32.exe
        
        C:\Windows\system32\Hjkdoh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Hqemlbqi.exe
        
        C:\Windows\system32\Hqemlbqi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Hgpeimhf.exe
        
        C:\Windows\system32\Hgpeimhf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Hnimeg32.exe
        
        C:\Windows\system32\Hnimeg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Hcfenn32.exe
        
        C:\Windows\system32\Hcfenn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Hjpnjheg.exe
        
        C:\Windows\system32\Hjpnjheg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Hqjfgb32.exe
        
        C:\Windows\system32\Hqjfgb32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ifgooikk.exe
        
        C:\Windows\system32\Ifgooikk.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 140
        56⤵
        Program crash
        
        PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bohoogbk.exe

Filesize
56KB

MD5
cf9750e7116514fb686badaa5615dda6

SHA1
6ebea2881a147a63aaa8e9e7e1541a2bd60844ba

SHA256
cfa1c99e10f95740a70ee724de9e92e7908cf8ff29fb45953e5c46ec73ab6e6e

SHA512
5f33f6af8fdd0875bd159dd9b88317cdf8f192b4eb702804c4feef1dfc3f505fcc295fe7171e1af5df67589bf0aae8f8c3a5d227f8bbcf0bc328b6447d140405

Download Submit
C:\Windows\SysWOW64\Cccgni32.exe

Filesize
56KB

MD5
61c5e8a4eb0ebbae33b314a1ec1d4f0a

SHA1
a346a12fd573639d3d9d8fd394e84103458283ee

SHA256
099ed2246bcbfed696c1542eb913aafdca5e8fa05dcd0c20a700e9b487d1faea

SHA512
c2ced8817b93b591951660b5c184ca7a362015891ab59fed2131dc9751aa02152e367b7ced73f89d2e35af7581c7fce840b984610016fa1f67ec1a4c9b0d387b

Download Submit
C:\Windows\SysWOW64\Ccjehkek.exe

Filesize
56KB

MD5
39102a8d7689e362c8f110b91568d85b

SHA1
ed8b101e573c20b780ccf83ca8785215cad05a39

SHA256
7190455757825bb918fd5943c632411ea27e8875e361cf8a21bde0787da85f31

SHA512
3ed40875af2c347f8781f466179689c843d2d164aaa550e69dbe5677553f22a188509740b0ba3b3f80a7f46b4186a27da431f50c40b69621311ab7cdb93b37d5

Download Submit
C:\Windows\SysWOW64\Cfpgee32.exe

Filesize
56KB

MD5
7cbde2c8932012880cac4d8e0b3bf252

SHA1
04aa53bcad1e61b893f96f5eebef667ae6627610

SHA256
ddc0d069cc1108c4973905a76dffc515438011a269fb2a94608e385a47fbe28a

SHA512
90324e0a8cfcf8bd7a33f8147407cb37a6e20499cb1264162a610ecbc41eab72eda6173915722ee3561e2815d88107eb68faf595c2b89e022e82f1b8e0b54d34

Download Submit
C:\Windows\SysWOW64\Cjfjjd32.exe

Filesize
56KB

MD5
2193be23fd1fb1d72f2d1fbefec0c2ab

SHA1
f5aff0eb0c59dd564ae60996ec3026557d485ab3

SHA256
fc1715a2760fa1beb3c3ff0de06ee66a80ade5045ac4ad38df2cac804eef8ab0

SHA512
4d649531f20ad7482599b9c0e099208fb0f675e8e3732ac2025a6f64f7dc036c8e2167840051cc0d54c871570ff5ea570e698b8ffd7ff8720d9e6e72d0542c94

Download Submit
C:\Windows\SysWOW64\Dcojbm32.exe

Filesize
56KB

MD5
13c2ec94c5411c80d0faf844783fa809

SHA1
5553760b6a603245daee73197e57cf1d89367a81

SHA256
8ff7868596107a5102e6ea449699518be0642aca306630110ed7bde4d4f2fac3

SHA512
3027d62e095818240e72449c003debed46a5756ba16840313a2ebc7e5686d2bc5598793d0a4e219d5249cc817ec7b88e8b85126ba195db4a5082f34b165f4aad

Download Submit
C:\Windows\SysWOW64\Deimaa32.exe

Filesize
56KB

MD5
4c07e524cf58d8887bc06de266c4fbe7

SHA1
84e0058aa2cb045fd445a458531855151070cb5a

SHA256
51bbc65f56d475638910a5b172a0aac334afddef77fd1ad2d34225b22fd46360

SHA512
1ab1ce6eb72bf997cf133f69e9dabdb87dba91e35a27d33e016e138efca82ca781dcfc9857da9c7a52c8f8a84894918660bb787f7896e68bfe8a3b12b8a0de41

Download Submit
C:\Windows\SysWOW64\Dfbdje32.exe

Filesize
56KB

MD5
5b683342b28628086af14a3b7b9afd93

SHA1
127b5390ed886563cf74937803e960c1e100aa2d

SHA256
aaabdf1cf1966430ab295cf329a93c7aec62fecf3962c595cd61dac7f08a9b12

SHA512
bd32d0b390728baa76eebbf356d0b2103386f36c70d6563122f5b9dff93059264a156b23159e78dadcef797b1df5b9a648f9595de5951915a0b07269c9b92c17

Download Submit
C:\Windows\SysWOW64\Dmgokcja.exe

Filesize
56KB

MD5
11bbf5012064f4508c00cc2625ede350

SHA1
111f7cb48eeb47b31c6359931377a25596aa82dc

SHA256
8a959349a8dab4e736c96fd20e16190d719922c8084eefacb1fea54e69d87fe4

SHA512
ee3241d16ef07260537edb0567de28b265eedd3bc6476a5d275bf6d1ab864e2bb802e61b4d06fca3c598b8087b6e4b8bd4f11d89c335de42fcc03dfe406ddc5f

Download Submit
C:\Windows\SysWOW64\Dnmhogjo.exe

Filesize
56KB

MD5
44e75e83526fa293ea2d7663737e5534

SHA1
aca89eb3bf52503682c263a0c3036cd9df26013f

SHA256
d4663d672bdd88ba80ab6dd91088a93e61e05f42ed47d4c4b6b3f6ed88477540

SHA512
52d6753b08a2731ee6488949dba7b30e110bc2a36667aacddf2c9b0558a8d8b376c3e7d56159e7f6880e9f8f490b6eb4852fc3155db7bff98358eeb45ceda653

Download Submit
C:\Windows\SysWOW64\Dnpedghl.exe

Filesize
56KB

MD5
671d76c857194de40b0ce2997bf54766

SHA1
730a4db2c31d4aba2eae4cd787d0682604a5d7c4

SHA256
c6c0744f5c4bc49c5e43e2650d2434271d1df225e9d32237e778ed6d4f6f6f5d

SHA512
0ac3dd29823d6c60add647af488670ef66f90301e3f382e9445e97da5f12c9d0d0f443dc2a726f659d3164b71c8cd26fe90ec130c38ad05e19cd89c7486c9fac

Download Submit
C:\Windows\SysWOW64\Edfqclni.exe

Filesize
56KB

MD5
b33d918980fc3cddf63de7998bdbdbe5

SHA1
614ba7dc445e2409925555d5067e6cdd75936a6b

SHA256
de839920f8a138c8613da16143279df25bf05da63e47a2676189268c82275165

SHA512
ecb342d774b9aff63fa9bd9b425c582780094002179ae6a668df6f07c9c11b8c2dc6e21ccc63ba8d0c2d944430b55c436cd41723396395c41418582901064b87

Download Submit
C:\Windows\SysWOW64\Eenckc32.exe

Filesize
56KB

MD5
47970077656701d9f151af818e4c8192

SHA1
35711b24b0dd42288d977f2675f9fc9e5ad47d93

SHA256
353edfce081bd26b9c7f3ea29bc42e64b35d272603b9301aa7adda20c4a95ccc

SHA512
5c87b5abcf963e7848c4a302f79c15d6b8a43870343c468ea2128dfe74d77bd0769a9d8ace3f71a82cd838111a1c92a180a0ee3c9acd1a5bb7e758c801490a37

Download Submit
C:\Windows\SysWOW64\Eiefqc32.exe

Filesize
56KB

MD5
213f6788a089b7db650cde51da437a6f

SHA1
2a9a710704ca14a6bcb4d59af98a7f3c3180d30d

SHA256
46b2d1f7fc13e4676159d5d35adaabaa38febc8f9ac17a3c71eb86f74da3e98f

SHA512
24b9f802af25bc079bb946b9de3fa4e42eb362014aaaf52c135f7b627fcf3870fa916fa832415dadd4df52f3f2786640c6b5f5e1feb96f25b30a091c2ab39d20

Download Submit
C:\Windows\SysWOW64\Eigbfb32.exe

Filesize
56KB

MD5
a86b07b9cc9a45f25024d0912b2b4a34

SHA1
e322044fdb30d8575547ddc9fed0c0971626559c

SHA256
c53d72676aae7a3dad126d7425d2f92973218f5fbe4dd813e2cff36c1970f984

SHA512
2e819f5299fe486667a530c646a741818cebdccafd922ff04ad8263f7257092cc46a55efbc9e09edb2a2ba9a2a66ca5c597e8b83b477e9d93414901a8c29786f

Download Submit
C:\Windows\SysWOW64\Elaego32.exe

Filesize
56KB

MD5
8e89ec61a6e7948b6f4f59458e51c53f

SHA1
c7c3d3073793f033b102d6c6a358875c17cf7318

SHA256
175a64667168a3d5b15db4b03fadc57b66a02e9bdc8a0de22ca81e53429b8ef6

SHA512
4ef477a95bc541d75acc8427587b5d31922e73f57404e7affbce14608f86f5a222df8c4a78083dbc56c524ddf082e6242f579caf72de0519f4e59c9d67ba4d77

Download Submit
C:\Windows\SysWOW64\Fagqed32.exe

Filesize
56KB

MD5
3fe7090a8e2cc55adffc8d2abbce28ce

SHA1
e08f54f1b9b63e109783efde3c9a15c8ba8b80b2

SHA256
78853e8fbc1b0383010e5f12ad602f0734d9201c027a3e2f00dc9b2dd0361e21

SHA512
0a3b98fc2b6007cc50dae9b4f4ec1dce4b8aacc2d0afed6fde4926a073b1c627b0b9cc5f8165620759bb4c25e22f50dc3006a939aa229642a4e94a9209716629

Download Submit
C:\Windows\SysWOW64\Fofhdidp.exe

Filesize
56KB

MD5
c110ce0aec87718ae446091cc18a7638

SHA1
956d291db9a031207a2999e642ada9869ffa0869

SHA256
5ddb7f0f6b887d4304cc9b2f5a002129b9a573975212b3545ec05275314588d9

SHA512
70b84a7419ee931ea6535363525709e19a8defc6d5281a808379c8d39b98c2108f2c9d45534c8383680843b615ccedb42a20212fc5d6c017edc56611351ba855

Download Submit
C:\Windows\SysWOW64\Fpcghl32.exe

Filesize
56KB

MD5
4c9dc190c3299f5065cc542a6ee2d477

SHA1
5875ef48329ddb6efba3ef62b8e35c014e11a032

SHA256
37e48f051285729506d6a7b8fe615a35faf4b8ba1490350e356e3b1bd2de8689

SHA512
a2bfa8354c36c18d964d2899cc336d7ed3c8c9ef908e90c81ff6f972f80504810139505894afc608006b953ae281c1d1094fbc1bee0044db81a5cf754cf02be7

Download Submit
C:\Windows\SysWOW64\Gaiijgbi.exe

Filesize
56KB

MD5
03ddaf7ba8c4ef3cf18415fcc42dba9c

SHA1
5c668c94946e3e5f4993e2cad91513404b958ced

SHA256
4fcd127f96deb0e5600810a23a555982b38206d23ecbd9c51da74b74b1ea1218

SHA512
5da0680f4bc46423650207c61dfe7ce9033abcf6c11bdadec7ebe9b2205a70d8d8e6ebed68ca8d391c12f795a561c51b6e1d80aebcec364ab5319fed21713441

Download Submit
C:\Windows\SysWOW64\Gdophn32.exe

Filesize
56KB

MD5
0b680827d0c887ded51c3f86d7c339e1

SHA1
fd813262672e6b9f3f0f3ad6925583da7c4fb7ca

SHA256
4b7d62561ea01647bf9eaef9471487e285f966f76cb2130c0c3983a92235e58c

SHA512
3b375cd8eebc1a2636e86f90443af36eb72997d0b0e9eede36bd3bda5e56cc3904c89a52a04cc0537e50219fe9c1a1c6a1dcedd86a71444a76389e0e973ebe29

Download Submit
C:\Windows\SysWOW64\Gheola32.exe

Filesize
56KB

MD5
4765c56582e17b00158f88b4f20cc56a

SHA1
bd4ba4cad82dff902ca923e96d1da0ce7853a898

SHA256
5efd22ab1baa239f94322028b424c3b2660eb161bb6c6e522f85a8a65efa4a58

SHA512
4b48297a16f248a7701c0a6368ec17e6bf97065f21d2af553735ef20c921779f017465a4e9995e00b9b76ca8f2be90d269a52fd16253eea2b4a0713c5f9d4435

Download Submit
C:\Windows\SysWOW64\Glongpao.exe

Filesize
56KB

MD5
0f46d37374ea4b3c561ba8d9d09ff64b

SHA1
d7b89f764148cb9cdd2d1cdf781f8411b3181cd2

SHA256
537230fff408532cee1ff22ef7f3464fc9ec974caae3a7af7c15223b7f746916

SHA512
33e62c42ded73e2b8eb0160d89126fdda37b7c93908995c9e2123a91e2fe59f4384a4a9d6fd597b5f977fe51186ea42a5c59a6de2185b30739177509e2f9439f

Download Submit
C:\Windows\SysWOW64\Gomjckqc.exe

Filesize
56KB

MD5
fcd72de1418bdaba481045b73ece7dff

SHA1
74edb672fd549856c2212097387f614af271e9b1

SHA256
dc041e9c80261e3eadd805779485bc24adc5285c1bbcc4a94280992d0bab93d0

SHA512
6a598c2e4cd64457dba77860fa9e37c64c155732ef737b7df2fc2dfa0192c1019040db009b2b65a21dc50658d823cd5dd85446d5d22e6892ebbcb5ab57042cbb

Download Submit
C:\Windows\SysWOW64\Gphmbolk.exe

Filesize
56KB

MD5
96b77a43a2adf89bf8eb3d3b0d971fde

SHA1
f442f2f87b8cb39eb6ab5df4f398ca7a258be541

SHA256
22c98388f6ce8eea6291a226c9b7271a7cbe9ba6d603afc0719e49c7d97d0804

SHA512
b5d5262997d5baafbb29bd3cdd69af162eff5e674ff2de0c3db05ebc9c94472316a17783eae96e7ba35ce8346bb94f2c75c4c57524a243bec9818628ab6cc8a2

Download Submit
C:\Windows\SysWOW64\Happkf32.exe

Filesize
56KB

MD5
afd13c4cc84e6a0aa2114a72cb0b2e73

SHA1
9e8b62a5661fa6dcab918bfdd1b4fc03cc10f242

SHA256
b8edd675d2bcbbe9b46a931506bc9c69b894db497a667b8ebcc7b421d6372ed7

SHA512
7a9e2003d6d74646a24366f4ccc3acf8c4b258ad8ed4618e4857b4a6c34f522d3537c1cb4906f11ff905c9851c7b118d85d621c98165872ec61eb45746deb85a

Download Submit
C:\Windows\SysWOW64\Hcfenn32.exe

Filesize
56KB

MD5
30402e25b6faf68b9bf0dbc58646fb2d

SHA1
ebe8e19162a5e366329dc2ddadee4c6889624925

SHA256
c61890ee9b8acf7e036fc2ba70c5a354eeccba6154e7168868bf7475043779ad

SHA512
4c1e173515c9959c5ff536fd18d9376b914bc9ef3d8c960b22a2fea99d919918ef5b3af9e03803c907aad9ddfc50ae4b9d4d15e32ca1d27e863d3aa615acf205

Download Submit
C:\Windows\SysWOW64\Hfiofefm.exe

Filesize
56KB

MD5
8ad1b6e4479230daf7e19b608e34e057

SHA1
6532d25db6af1e88fbb2338876be2894b8a17276

SHA256
f515877b5e369f52269c2d40b33a8bd0a0bdc0cf763a32ba981a78de15b5fd4f

SHA512
236dc1afbb5b0a94de62bfc2ed7dc0e341c5c9064f24448741108fcc989dd692e47e3e297820ea1942504295b2fc9dc046e684701cb9a66a29e829a2d73c6a00

Download Submit
C:\Windows\SysWOW64\Hgpeimhf.exe

Filesize
56KB

MD5
4b3065e1ea6cc9b7854d3b9735ba5fb5

SHA1
675f8363dbea3ecc6fc3d720312013f3866e3b34

SHA256
737355aa900305ba3953db1df4eef0b6bd0439e1f0db7b7c934dfa2f963efaac

SHA512
a3d04f0c6e954aeea17a12ed2dae7064e6e527acdffe214e2933d96517a7b315671abf396f6bfd231510bc2653ff5e82061b8c4f837ece8cc2e9bac42c32f700

Download Submit
C:\Windows\SysWOW64\Hhjhgpcn.exe

Filesize
56KB

MD5
590a9fec02abc3260d41c7fff928c6f1

SHA1
15dd2487acc39f69a01a8915d21db93f56f03d9b

SHA256
535dcd5c1e16e1a25c0157cb41557f583ded711a173550b4d0cad14dd4b62ed5

SHA512
ab9ff1c7c5a753131f227402ca19721403ed43d02f6e9fe22cfd969c7787e2777bcf48787f1f96a3f744524d4e8968394ff224024c190b5aa3f146c89359c9f3

Download Submit
C:\Windows\SysWOW64\Hjkdoh32.exe

Filesize
56KB

MD5
2e2e7ec2d7f79d16df9b56c593b1604d

SHA1
280b0e56b783088b7ad70801d1aa37623946211c

SHA256
969e4633ec465bf2f32f0d1b6e1457b08a70b11edfcd68392bfd2d364adbd505

SHA512
bada2afbde179627b83581d538159e07aeacc485c251d111fbdb74e0b515c3af9e70508eeaab4f6b60140a65de555ebebf5ac664cb49bc301c5dd57e6bf21617

Download Submit
C:\Windows\SysWOW64\Hjpnjheg.exe

Filesize
56KB

MD5
9b37bae924ad0841382869245d1384bc

SHA1
cce392912d36fa2eb9c403359541a709d137fa16

SHA256
19dd23b1a956b9802729c2a96b8927a371c0e83ad27bfd4f42ca9bf610ac864b

SHA512
1a5aed2f65f0cd9aa559912e8ff459d333c4baa7ae7a546a7288bba7f38e2d218e9050c6cec8e3e0a227ee3d871185cf922acf244576414b99239a094a464129

Download Submit
C:\Windows\SysWOW64\Hkfgnldd.exe

Filesize
56KB

MD5
53b81cb4301a569496eecadaad02ec35

SHA1
3698d74bcb028d50f5f51d45eb58c95d40ff47fe

SHA256
1ee7172f6c5007f593d250acefaf943d0af3a219904a6ef9a8c3c9e54ad1d1b0

SHA512
040122cbdb16cdde258f602c93b81b5bdc87e041f60c2ee2a533e6b7298de3b3d237cb2e7678fc6468a1d06653297d67daf03dbe80e2cd2aaf1f4f1ff03878f6

Download Submit
C:\Windows\SysWOW64\Hnimeg32.exe

Filesize
56KB

MD5
d8f7df3692173ed41a518fa8d00e4d9a

SHA1
4c20e94eb3f5317dcac45b97fc9b505d6a201a3a

SHA256
b79ce1369d04d5c9b8e964e5aa0ce095022546173ed1bd8cdf03166ed38544fa

SHA512
4b9bede936b6ddfbbe7e9ddeed99e2afe136adbb5db54bfd4eb207dbdf97fcc246900310361f92fd3423342ad0e254d60a7ca1cf1a861ce0909a24318c4bc57a

Download Submit
C:\Windows\SysWOW64\Hqemlbqi.exe

Filesize
56KB

MD5
8760edef39290474683b58bd01687b6e

SHA1
28b5ed343a89a7e633177b19af13c0263741b9e2

SHA256
a5f58ed994cdcba7a1bd32b8e88d61434fad162fdda42396ba2efd0bcdd01e68

SHA512
8ab4336c3eb1aff7c7f045367aa0051ccf7bb1cdcffad03db715aab1acbe60460c220d72c85ad51f26b33c2ca2f9f09546f854afcae19c4f122ba4fe73925b38

Download Submit
C:\Windows\SysWOW64\Hqjfgb32.exe

Filesize
56KB

MD5
d6c4cfca170856dc124c4d898fe8aba0

SHA1
f581d102b0ed9bcf6c0ab5a35fe10683882f57a9

SHA256
026b48620c149ef7e1d763540e3df809239181c8475b1fbdcf0b48cf168c8fce

SHA512
a18a8f166fe3c706615171d61567ad59e5b3b51ed964603760aad7f1e34c488f0670c3afff95bb0ecc7887eb9c9e9fb1c75bc224e53270614263c9aaf861dc74

Download Submit
C:\Windows\SysWOW64\Ifgooikk.exe

Filesize
56KB

MD5
1b434ed6974b667a21b7f1a0a93e5166

SHA1
a8bdd1b79a4edd52d36db0c4bd154fa90ed42565

SHA256
2538ce7487b86fd72d74b3334b369308266827683bddc8eee54c9d7a29d6b32c

SHA512
8a857bd8ca453afd4ca121eac4e49f66aef8a2d60cc0a5945e2e99cc69de42141347464450d570e48a8d1c94715887d20816c1e05f578f9091b1e5637b874de5

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
56KB

MD5
d8a9152abb45ee1ae48ee58b7f576b02

SHA1
4a3e44dc039adb4697b6b5e2d35e3addcb6a1b8c

SHA256
2c7854dfa21dff12bc2cae0dff5771ec724329cf573961c23bd8d6a5da5eb174

SHA512
1939f7d25dabc6b65b44f112753cc9d584422256a27eb9583406f4fd2dab1da11891c86a22458f232d1ac29462c1d8a3eb12651bb6a992de1befe9b5e4dc7695

Download Submit
C:\Windows\SysWOW64\Odgchjhl.exe

Filesize
56KB

MD5
b55764399b8c2e3574bef85c39321341

SHA1
caedfb2efb881af8a97d7c533f175cc3bcc03897

SHA256
e369e3c9743653eb12a01c693e297e4f9a185ec340027e421b3485eeb6987f64

SHA512
4012c810af887f55e7052c75d4ad6807e837f65989ebca734529222230ddf24cae758a574a1f7952d1bab8c74474597783e18841da011b8273b32dbf9d6771bc

Download Submit
C:\Windows\SysWOW64\Oinbglkm.exe

Filesize
56KB

MD5
3f1f1f5a2a97f9b293ec573eff499ee2

SHA1
e7695074c3c06bffe042a026a985c17c01c42fcc

SHA256
e3d10aba016978a9462568116bf2cd28f14b356f260dc5776b7be58523e071ca

SHA512
d29e24728c22d2c510cdb86d2430bb213416994fc12f356b18bd62087f60a6e779bf0f5c63fd3f99a72a4791b1def65c9bb1c98e3f4d2ef29fa6416be81ae5bb

Download Submit
C:\Windows\SysWOW64\Pmdalo32.exe

Filesize
56KB

MD5
d9e614275e175b0e117888e8bfd572d5

SHA1
3e8bde4caf8586ce24642a02d3d4a16b0ae2c661

SHA256
1104a5726bfdf0472abec7905a23def9d0ecc9da4d140b17f72551d80e83bfe3

SHA512
6cd172fea3f9288585c2a804c7888e66d385116d6ce163432cef1befbc488c16ef4d827c7ce1e5fd30ec468cf55b5777b8bd8ee9b23aeb23f8b78a517937ea7d

Download Submit
C:\Windows\SysWOW64\Qbkljd32.exe

Filesize
56KB

MD5
5588bb8f287810c207ca31115c686329

SHA1
e7eb32d35035255e77723bd2c0f2d2042fc001ec

SHA256
5a8a264ccb6b33f1aadfc3c922db25f6cbc83d00be423cd1d3b3e013aa0daf1c

SHA512
6d6b32b738ced9c4f885bf177da84a5d02381dffd669f8a78eb2fe37b77c27953b8d4b4d4693cb53ca2b8b1136e03cbab7efb5281f07a1fb849236ae8d5346b1

Download Submit
C:\Windows\SysWOW64\Qhehmkqn.exe

Filesize
56KB

MD5
ceaafe1c3951cd30494107fc42a7d2c8

SHA1
09f3200a5bd2755faa2f855f4094ebad6708eacc

SHA256
12b78e27df9c8d45c81b56ad7793241a3a038536f3f6811ec2314a51a87950da

SHA512
d3ac9fbaa153652f87f7aa82de47db35d0235fcdc0426ff39f55925638b966f03e28713f7ca91b3de1efea7c8be620e10d892ca571731bf19efaada3d1552874

Download Submit
\Windows\SysWOW64\Akfaof32.exe

Filesize
56KB

MD5
e3260ba1178395f789e24c563ebdef36

SHA1
bcfb38a0880aecc1aec9df5af9ade8b013fd14dd

SHA256
95911891fbe35cdaf6e6e70871b328a1f619f5797f634e70288aa5972f32f1d8

SHA512
1731f28da69c205c5a72ba12c40ea78e1ee36cdf7c8e9a2dac3a304c7ba56dac2263255ccc9600c15a50bd6db3358a40664ab9759790ee7133746792b94c3381

Download Submit
\Windows\SysWOW64\Akhndf32.exe

Filesize
56KB

MD5
0c968ea609e7df96a52b9500c26cac05

SHA1
ca6083be8b43494324465ef89ccc7147fe133e01

SHA256
1f221e5bc366b17a68a3cec9a8eff8a5922818c01cd210b6bffd51aa7936a083

SHA512
a2de79b8176bb0e32bd019a16272e74cf1905ed4882c33883b561834c07cca0721307f6427c50bf9f63f80fe3ef6235d1d855b1d2b981463de9fb3ae625d1e1f

Download Submit
\Windows\SysWOW64\Alncgn32.exe

Filesize
56KB

MD5
c3b720f2a1bf611b09e24942f1f2bab5

SHA1
2d96fa4040eef74f49339e5dbec88926e81db794

SHA256
5c61ebb8ca8e11def68e6af74c7b8cbd053f64a2d70068de257eb02dbf8265f9

SHA512
5016162556a597ce5bb065f820cd8d0a4bf25fada5d9c1ef6545f93619d939a251f0842b6d30a8d1bc6a2e9fd771db8b4a3dc45192cc88d27c3f050926e9496e

Download Submit
\Windows\SysWOW64\Apgcbmha.exe

Filesize
56KB

MD5
f51f317c8acf9dd17c9767227456f3a3

SHA1
2dcd439581586eb9f946b10d5932acbc80e36b4a

SHA256
57ffa66a804cdf8d084948692b1bd7e1c5c57605c954fe638122a934ca39077f

SHA512
9e0e2e7703df704f5c2700240afeea2f267d16b8f1d70ab4aef0f835cd41ee87548117abaf56a7721c6c9d7953c5fc201cae09c07112ae3a152eba246c4a730b

Download Submit
\Windows\SysWOW64\Bcobdgoj.exe

Filesize
56KB

MD5
f86d1740c5a3d775cda843300240b28a

SHA1
6ad26c50aea05a458ad430a0117734553988a6f6

SHA256
296adccdce54a630f61b53c2ed04afc7cecb4542aa8f308904c2eb3ac8ef78d2

SHA512
5a99cc8581821b58b1e4b30d9b7448e67169333a2187bd87983099b546d66c1b998b40daf1469b6c7eb3ceb38926116748727e790debc6f72f7e235ef3e4313d

Download Submit
\Windows\SysWOW64\Bfieec32.exe

Filesize
56KB

MD5
03cac7a00aed24e3bfdbcfa1c70dd96e

SHA1
af37ed9faf7404f155b595ceb3051157363eb17a

SHA256
db8feb28701d139421003fb338bedf3e228ec1bb3b3cbc728e26944975fd30bf

SHA512
61c336c61aa7d4e31a648f9cacb031a21875c902bac61aa3747508bad2f772c56a47c0f087276981932a4f670f056cc5496574e9fdc12a6113b53bbe290ff4c4

Download Submit
\Windows\SysWOW64\Bfpkfb32.exe

Filesize
56KB

MD5
8d84521c12a7c1ce774c0b78738cc891

SHA1
3d3fcdf145e107f626871deac5ba57ea4c7a83af

SHA256
7076fc7c411d82ba02b44ed45efb47da11db0ffb4d55127c7935e7f570bbff97

SHA512
b949009716b9573c70b5756eed2744730c7ab59ffe485453b3cf4358faed5c8c16dc0990f3d4be93ebde858e32f3f4ac5f4e31683588f7b78cfb02535309c95f

Download Submit
\Windows\SysWOW64\Ojoood32.exe

Filesize
56KB

MD5
db7d3f5aaf243d964d3be672ef94882e

SHA1
f86c73cea337d5267bb901873c666eeea30bd140

SHA256
9681c79f3cc6c530c461cfff1623d7df2848545cac54f80246008fff4f40a278

SHA512
19e65fb6c04d2cb8d8279b9803b0a93bc1270a0bdf9949ae382c4a290a3257508596151546c0dc118bb9c46c3411d963b76de52d976de17c994010af643ce9df

Download Submit
\Windows\SysWOW64\Pikaqppk.exe

Filesize
56KB

MD5
6d1bfabb08b9106cc461b3828922aa32

SHA1
cdea21f0580f02df6144280a912a1cdc7e021498

SHA256
92c1ce5b85f257d6e207a1778761e9d9ba0e27328d0253fb258b83fc0519250a

SHA512
3f0efbe651ac5670ae50a0966aca88edf8535572b5db22b6576e430a70c899a55f11c4b696b9033d1b4088e8a0d6699fc60cb8fef9c279f5ca6b1795dba063e6

Download Submit
\Windows\SysWOW64\Pnodjb32.exe

Filesize
56KB

MD5
1ae336446f093e9e7ffa09601f7b01a7

SHA1
79877fbe795ba40d82e6a45b3c39c370e4889c30

SHA256
491b551e110c633bad15e3c6bedd760150a8a580a0e22be459ca70f55895abb5

SHA512
88c2b5fa2f441760a4f830fb105173157321285466f16848f9f88ca21d334dcf8dc84869c283f6df44853b09e122f58bb90280d50fae5f82e70b62978e03948f

Download Submit
\Windows\SysWOW64\Ppgfciee.exe

Filesize
56KB

MD5
ea4e511c188c6e9a5f6659d49af3ca7e

SHA1
d6fd543323990062b4ff7634008a494515472250

SHA256
d2a0df5ff74415fde678f0d1fc6df805e9e9462d56c7fd47a2c52ffa9a6ff61f

SHA512
905222298e59f80a24cb8fa875bca432ddd92a7d54499ee52d69c122a23a3b515e93218a919790864b1485975fbe75b12325ae97bcc4d19f7479db6c2ac058da

Download Submit
memory/336-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-192-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/796-244-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/796-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-171-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1084-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-239-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1084-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-289-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1588-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-385-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1596-344-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1596-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-337-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1692-191-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1692-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-266-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1716-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-257-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1912-209-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1912-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-203-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2024-253-0x0000000001B80000-0x0000000001BB4000-memory.dmp

Filesize
208KB

Download
memory/2024-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-242-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2052-281-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2052-280-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2052-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-241-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2084-110-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2084-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-366-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2108-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-21-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2352-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-100-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2352-48-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2388-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-68-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2388-18-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2388-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2400-355-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2400-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-318-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2488-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-309-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2488-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-265-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2564-270-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2564-227-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2564-224-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2604-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-386-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2604-387-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2620-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-98-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2620-160-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2620-157-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2632-395-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2632-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-80-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2700-85-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2700-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-354-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2740-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-69-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2800-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-371-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2920-138-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2920-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-202-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2920-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-159-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2956-158-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2956-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-211-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3028-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads