6aef564cb2a4ab372cdd2810b9e8ac660a4528dc9dbba18637fe12320ffa453b

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eb51b14471a433903e02ce959ef4e60N.exe
Size

80KB
MD5

1eb51b14471a433903e02ce959ef4e60
SHA1

ab9c67ca3c27cf23a64a303fceb7713ffe8d02b3
SHA256

6aef564cb2a4ab372cdd2810b9e8ac660a4528dc9dbba18637fe12320ffa453b
SHA512

94b2c62d991b4178da2a41754c56a319cf2dfae4947837e150ba6c713b5ccfe0cae3e960f96c9071b68802b9ed938fa3f7b628dd9f0b8e82a6f3489f963bb52f
SSDEEP

1536:Kcn7TIcXFluuXZdr1qjW2LtEwfi+TjRC/6y:57luYZdc7ewf1TjYD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1eb51b14471a433903e02ce959ef4e60N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe

Executes dropped EXE 64 IoCs

pid	Process
3708	Ojllan32.exe
2724	Olkhmi32.exe
4616	Ocdqjceo.exe
1296	Ojoign32.exe
3392	Olmeci32.exe
4196	Oddmdf32.exe
1124	Ogbipa32.exe
2500	Ojaelm32.exe
3440	Pmoahijl.exe
2120	Pdfjifjo.exe
3964	Pcijeb32.exe
4004	Pnonbk32.exe
2028	Pqmjog32.exe
4564	Pggbkagp.exe
224	Pjeoglgc.exe
1712	Pdkcde32.exe
1240	Pgioqq32.exe
1844	Pjhlml32.exe
620	Pqbdjfln.exe
1576	Pcppfaka.exe
4172	Pjjhbl32.exe
1480	Pqdqof32.exe
4312	Pcbmka32.exe
2892	Pjmehkqk.exe
2516	Qmkadgpo.exe
1544	Qdbiedpa.exe
3216	Qfcfml32.exe
4384	Qjoankoi.exe
3576	Qddfkd32.exe
4884	Qffbbldm.exe
4980	Anmjcieo.exe
1336	Aqkgpedc.exe
3412	Acjclpcf.exe
1424	Afhohlbj.exe
3984	Anogiicl.exe
2320	Ambgef32.exe
2220	Aclpap32.exe
2640	Agglboim.exe
764	Ajfhnjhq.exe
4900	Amddjegd.exe
732	Aqppkd32.exe
2980	Acnlgp32.exe
1144	Ajhddjfn.exe
1520	Amgapeea.exe
4500	Aeniabfd.exe
5044	Aglemn32.exe
2424	Afoeiklb.exe
3776	Aminee32.exe
4920	Aepefb32.exe
3356	Agoabn32.exe
3124	Bjmnoi32.exe
2568	Bnhjohkb.exe
3416	Bebblb32.exe
2236	Bganhm32.exe
4020	Bnkgeg32.exe
3264	Baicac32.exe
4868	Beeoaapl.exe
4880	Bgcknmop.exe
924	Bnmcjg32.exe
4804	Balpgb32.exe
4268	Bcjlcn32.exe
4356	Bfhhoi32.exe
4432	Bnpppgdj.exe
1064	Banllbdn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5040	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3708	3628	1eb51b14471a433903e02ce959ef4e60N.exe	84
PID 3628 wrote to memory of 3708	3628	1eb51b14471a433903e02ce959ef4e60N.exe	84
PID 3628 wrote to memory of 3708	3628	1eb51b14471a433903e02ce959ef4e60N.exe	84
PID 3708 wrote to memory of 2724	3708	Ojllan32.exe	85
PID 3708 wrote to memory of 2724	3708	Ojllan32.exe	85
PID 3708 wrote to memory of 2724	3708	Ojllan32.exe	85
PID 2724 wrote to memory of 4616	2724	Olkhmi32.exe	86
PID 2724 wrote to memory of 4616	2724	Olkhmi32.exe	86
PID 2724 wrote to memory of 4616	2724	Olkhmi32.exe	86
PID 4616 wrote to memory of 1296	4616	Ocdqjceo.exe	87
PID 4616 wrote to memory of 1296	4616	Ocdqjceo.exe	87
PID 4616 wrote to memory of 1296	4616	Ocdqjceo.exe	87
PID 1296 wrote to memory of 3392	1296	Ojoign32.exe	88
PID 1296 wrote to memory of 3392	1296	Ojoign32.exe	88
PID 1296 wrote to memory of 3392	1296	Ojoign32.exe	88
PID 3392 wrote to memory of 4196	3392	Olmeci32.exe	89
PID 3392 wrote to memory of 4196	3392	Olmeci32.exe	89
PID 3392 wrote to memory of 4196	3392	Olmeci32.exe	89
PID 4196 wrote to memory of 1124	4196	Oddmdf32.exe	90
PID 4196 wrote to memory of 1124	4196	Oddmdf32.exe	90
PID 4196 wrote to memory of 1124	4196	Oddmdf32.exe	90
PID 1124 wrote to memory of 2500	1124	Ogbipa32.exe	91
PID 1124 wrote to memory of 2500	1124	Ogbipa32.exe	91
PID 1124 wrote to memory of 2500	1124	Ogbipa32.exe	91
PID 2500 wrote to memory of 3440	2500	Ojaelm32.exe	92
PID 2500 wrote to memory of 3440	2500	Ojaelm32.exe	92
PID 2500 wrote to memory of 3440	2500	Ojaelm32.exe	92
PID 3440 wrote to memory of 2120	3440	Pmoahijl.exe	94
PID 3440 wrote to memory of 2120	3440	Pmoahijl.exe	94
PID 3440 wrote to memory of 2120	3440	Pmoahijl.exe	94
PID 2120 wrote to memory of 3964	2120	Pdfjifjo.exe	95
PID 2120 wrote to memory of 3964	2120	Pdfjifjo.exe	95
PID 2120 wrote to memory of 3964	2120	Pdfjifjo.exe	95
PID 3964 wrote to memory of 4004	3964	Pcijeb32.exe	96
PID 3964 wrote to memory of 4004	3964	Pcijeb32.exe	96
PID 3964 wrote to memory of 4004	3964	Pcijeb32.exe	96
PID 4004 wrote to memory of 2028	4004	Pnonbk32.exe	97
PID 4004 wrote to memory of 2028	4004	Pnonbk32.exe	97
PID 4004 wrote to memory of 2028	4004	Pnonbk32.exe	97
PID 2028 wrote to memory of 4564	2028	Pqmjog32.exe	98
PID 2028 wrote to memory of 4564	2028	Pqmjog32.exe	98
PID 2028 wrote to memory of 4564	2028	Pqmjog32.exe	98
PID 4564 wrote to memory of 224	4564	Pggbkagp.exe	99
PID 4564 wrote to memory of 224	4564	Pggbkagp.exe	99
PID 4564 wrote to memory of 224	4564	Pggbkagp.exe	99
PID 224 wrote to memory of 1712	224	Pjeoglgc.exe	101
PID 224 wrote to memory of 1712	224	Pjeoglgc.exe	101
PID 224 wrote to memory of 1712	224	Pjeoglgc.exe	101
PID 1712 wrote to memory of 1240	1712	Pdkcde32.exe	102
PID 1712 wrote to memory of 1240	1712	Pdkcde32.exe	102
PID 1712 wrote to memory of 1240	1712	Pdkcde32.exe	102
PID 1240 wrote to memory of 1844	1240	Pgioqq32.exe	103
PID 1240 wrote to memory of 1844	1240	Pgioqq32.exe	103
PID 1240 wrote to memory of 1844	1240	Pgioqq32.exe	103
PID 1844 wrote to memory of 620	1844	Pjhlml32.exe	104
PID 1844 wrote to memory of 620	1844	Pjhlml32.exe	104
PID 1844 wrote to memory of 620	1844	Pjhlml32.exe	104
PID 620 wrote to memory of 1576	620	Pqbdjfln.exe	105
PID 620 wrote to memory of 1576	620	Pqbdjfln.exe	105
PID 620 wrote to memory of 1576	620	Pqbdjfln.exe	105
PID 1576 wrote to memory of 4172	1576	Pcppfaka.exe	106
PID 1576 wrote to memory of 4172	1576	Pcppfaka.exe	106
PID 1576 wrote to memory of 4172	1576	Pcppfaka.exe	106
PID 4172 wrote to memory of 1480	4172	Pjjhbl32.exe	107

C:\Users\Admin\AppData\Local\Temp\1eb51b14471a433903e02ce959ef4e60N.exe
"C:\Users\Admin\AppData\Local\Temp\1eb51b14471a433903e02ce959ef4e60N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\Ojllan32.exe
  C:\Windows\system32\Ojllan32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\Olkhmi32.exe
    C:\Windows\system32\Olkhmi32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Ocdqjceo.exe
      C:\Windows\system32\Ocdqjceo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        53⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        71⤵
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        87⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        93⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        104⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 396
        107⤵
        Program crash
        
        PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5040 -ip 5040
1⤵
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
8d092038e0e24306ef916b0427ec26db

SHA1
85809dd0783633c869ef3ccfff2668ab12ee3201

SHA256
4de4283120f3e325b36c2385ecd954820f04bc6ecca19140c43d022dbb85a116

SHA512
f799b615e55323c510b07607486146979f44663447b18952a70a9fd2b9fc65b0d0081bb4d52a8cc11c0c91e85c0fb8b6745a535e2203573ef9ede5d804b71aba

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
80KB

MD5
91b29669f521f4157683d355d679dfd7

SHA1
38db243f1aa06d164e5c753de54f293d68e801ab

SHA256
068e01c42b4e41f2cafcfccc25b649f2d3cf31b79298f86cef84a2052a34d9a8

SHA512
b8a3936fc83020c4c876a9a3581683c78b86000c720abf619357fb4ac83a8e90b84a9d87a47a25322071d495dce1ddbbb2cedcbbf545075ffbc55c76f2589879

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
83c2bcfd79651cd2c9ef4fa7d5fe91ec

SHA1
998ee8f270728ebfad6a0d9d150148e998a8ff72

SHA256
e8398b056e75e3852ce041365545e7bc4901620f3828795a22458887a5bfd00c

SHA512
c9a450626458e3c3ed331312ec7354282aa36a1e886314041b3862bde4536cff629577bf69b5e7951f960eac0c57c92d26c22edef178f2f19b8daed22783e363

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
80KB

MD5
455cd71ca089435a93ec1ada28a6f744

SHA1
a712b857d9c353188927996ef4910b3a081cb989

SHA256
c8db7d3de2e0be037493e5c1018f294a6ed6850fadf72b19e8471a2431485ffc

SHA512
3246eb558282e871030408def7c4a1f5a163c2d159f9d85d555d2045425bc092d08ca3296a124e2aa806c3ce265e9d02172abdbfd73879a9044946e0a65c1207

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
80KB

MD5
5f0c70ca72b87650b340c1515bd0e0ba

SHA1
5f28df72bab64a75de50ead702296dd4b8f9fcd7

SHA256
a0f7d7bdb4aaa076ac85c78a9c1d313b20d2bde4367f10168e21fb04e38077f3

SHA512
907432034b2d2315a38f9688dc6ccac342ec4039f8d976b99461ad339c7dcfaa87d755f5e4d3e12b84fda09dcfd4329e550547690e9822c29a5356ca7615c304

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
80KB

MD5
4010b48b3a26fcbc3756f3b165fe76ef

SHA1
702f4346fbbdbf65f2f6f1b5baca53b67758db79

SHA256
f61ef8bfbe7e71c63a8e945849a5036a77da9732adb0cb9a1ddb8ec86002ef4c

SHA512
a101b8b74ff00e7f9040609c563acad23920f8a6630f26d44d7bb6d0f127ae77c23a4cb7960bffe96595975e2c7154c227b34fbe94f27fee63b875dd8a625d71

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
80KB

MD5
59f71d13dbba1918deeb426592723bfe

SHA1
9eb16b538b6cd1a9d2fd93a5cc3d02671396d0d2

SHA256
9d45c3d45bbbfeecfb67323dbe4e1ca63e59f92275434180835f0a975f0e5c54

SHA512
40fcbae669518f94b5ccedbe7967aead5ae94aaa7f304e586c013489380d996b66dfd1f8cd2e03d5f9dd4421fb82b21f591e4f192003795cf50e23ba5e8c56c9

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
80KB

MD5
d5bc0159be3115e469ba77515a773c20

SHA1
9bf1347754317c26cc67811a4218963327ab7cbd

SHA256
ad160847e8dd981d27e548f5046d0ae26307d8f5930db5fa8898597e93ef2270

SHA512
84ff11cc714092684c949f23c145a27e159a7cb6a97ac42623cc1a3513bdfb47457a0172f465b94004bb521479c74a9402be35fce770023083e77cea6081df93

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
80KB

MD5
9b7c42a8ae9e8d014432d100875ab837

SHA1
186c2380b9a24a69374e70f0b411e3afcd99fd28

SHA256
d89ff060e042e9a464396e155ed4b053c0926d0ff67884009554d37dd700e5ea

SHA512
3ded248bea69134352f8d4a5a8e17ff6ec288d54cda9ddc1dc64febf993387e8edac96db0767ea42be72ffc8fcbcb04416ec8fa886f8d75969f01337951fd084

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
80KB

MD5
4bc502e0a0d63004a2b8817ae0c8853e

SHA1
95bed903b5fd90bc3f7eff9c0c3cc8fc620a4047

SHA256
021bd142d5f09fec55b661441366c107d3b4229e7a7ae896fef6807fd36fc0f4

SHA512
8e326e2733ff635ae7ec88c31a813e4b7ec554f17e231941cbb7844df7444d2378b2603308ebc6abc9e501e30782f6bfa589e7bcfb77f914a85f6402f856d413

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
80KB

MD5
5b1e55c5083871290d20134a3196dd3e

SHA1
5480ed093b53814cf9d6b17e5b6dfa178db805ca

SHA256
2c4d48f4e41786392199fe49f791f37e7ed4b3ab1380aeb8277367db574470e3

SHA512
60ed0b2057ead3d014e85dda5bc7a6a0ec71de4e8b25c1e4dc3019942579e05a432541d63a7fc4ed7017d9948af16d22dd7af78296226c8d2bda793d831e69a2

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
80KB

MD5
8f496e867e759822fd10067e1b5313ea

SHA1
cd51601763b9151c134ebfcb2bb7d3ac6903470b

SHA256
c0ac2d1026f65c56826382722cd3b9a4c0208e7642c1d0bfad38e84df901fb2e

SHA512
a8edad44293912c76ae5c32d75dbe9780c8346f138ec3f147cddb1865d2352c44131f8a583c8a4da2e6bdb37c63c0b25c051e71b4e8a769bb02b6b72fcca0bdc

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
80KB

MD5
396ebd1a602c634f33b3b5a6a685ffa6

SHA1
a6a3edc58509053450054f155f5c17f3667305e5

SHA256
46759fc701e358778682f3c2d7e1304805fcf441e5f8d1eb5e2b61590d9f6d1d

SHA512
5a48a44a81fba890362e748f20cc01b4bce9759a864ed328997648641b5f14e02123afb6c6e9d6b6f729b32265eab8aaf287c3ba4baa955c13310254b117be5d

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
80KB

MD5
4ed2d5f38be1a0c468a356366a8032eb

SHA1
9cff7a3da720deb3838df0117aa8d0c94e4bc745

SHA256
04494eec0e2d84dc6c5b2875059e95e02a28f45c4cad4f253902569f91dd1c94

SHA512
b0808ecca29e2eefffd6c82bf07046d03500e4c12ef1ed6654ab07c27dc730be3193f8f9cd68c8b8325c516c158c0a11dad7af111c88b03b0e13ceb84a39bca0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
80KB

MD5
b3e3a98b191167ffe75baca871980460

SHA1
dc33e2a028696e1dcb66f3ccea18a8fa7aaf2337

SHA256
85a67874c77d5d5f99956839bd9f429746e172234c8ee276d8accc1d4e4b0106

SHA512
ce7d7849387223301618f3b442b8e7381e2bbb0be39d5691a237fb63b21aef894fa9cef6009a2d23de943526d020e6b96b024870ce1cdf8e1a3248708c15fa84

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
80KB

MD5
ff75a03a3217151acdc7ad1590c5e5a8

SHA1
0f91ecd7e58593dc3ffb1963862793ccda1e2285

SHA256
88bdfc73c07ca43c5b21b6ff8369c06a4440e493037c5d301c1728f9a4e71705

SHA512
398e2be2d65cc2ad85148647b561f4a276c4eef7b27b511359be0e48cb031b1adeb4f9cc1324d4402e2557ac50a8d034d3b2c9be3d7c9d7a097d4b4aff248af8

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
80KB

MD5
bae46964cacb73adddf06a6bcd7f06be

SHA1
c2c0dde07afc82f743caa1968760a4517f7b3655

SHA256
f7098206dbb0286b034c9c4147ee45bd02c2b1558337fecfe9bef6dffb2721d3

SHA512
8d1256f5f871ae70a55d36317cb5d9ec384f074a4f964fad82be3b0b10c93c5f7d937901f9f72fef073542ffce0986db7d0227e648eef037ecc26118c7814865

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
80KB

MD5
4cadb194fb77b89b8e37bde2d01decd3

SHA1
a89d834f30cecb60767f7683f768cb5bcf7b76bd

SHA256
5ab17fea2e187c421c59d98e451a84f87493bdfa2647ac86bb34a8a9b1be3bc6

SHA512
59ec6b8c93ccef61e0e233d2c0a69349541ae7248c5353a4b48e4c7bb1c4b339c1102b3866a28680a923a1656ac89ec4b7aa25dac6576effdbb72147f15270be

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
80KB

MD5
2abf33aae61c702ac11bc8401f321800

SHA1
5486c6ba3be1512c8af2dbbfb332a6515000567d

SHA256
11f238031193a4b0049b667d33b930f41b2f767d3d34541fd9bb635870b654e5

SHA512
04878ac4aca00dc7b04b5d346dd411f8714d46bc214ce788b7bc621eca697081f79a00db5410fb1bfb2358a319ae079ef4f69fa2537f4d1312431d4d925816ad

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
80KB

MD5
2d540afaaadb033b7361c823cb466455

SHA1
0734fac9a6f7418edbcaa03a8788482b3ef651c0

SHA256
489c015747a43039d80336f06ee948f751c177abf3d63e1b3a0f65827ad4ad3c

SHA512
03048e173f8c421277276ae715bc42790fbfd3264bf074503ad7fa48b41d7eb0bcf65ddc5e58dfff5f83910a9aedea13a429292b6ee6818a3eefdb045808712c

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
c691d0df819c5e22c0071c0a913b97f8

SHA1
cd626dac46ea6f456de75f57fc8cbf09ade5d7d6

SHA256
95740a422ea9f4d8a5351518522a43364eb9b43099b65094a956d0bb9600eec0

SHA512
1bf79182d8567f7ffe445e6424b06a5c484546d3434b041244384501d158943bf79f0a248518b768ced020ed2ba16b1b5558a4bdd453aa8f17ec031397238ed0

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
80KB

MD5
5ce871a015657e4d8255dadf62e49a52

SHA1
161f36a806c0395b7ef90bdd2c01050be7279f0e

SHA256
cb24ece6f0a23546197a10ad4f0ec47ca56c2041b1a509145d9f7c0d164d017e

SHA512
20a3b75b8ffa55851bcf0ece8d6ae4e4fc746a985942a08162991e2a006bd3ad907083101131dc976a810d147285f58e800685717e196b82cabc6fee82d17a81

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
80KB

MD5
4e10bad89d7307e63167d4df596c353a

SHA1
ea4d49fd9a0721065dd935c331b31e90ccbaeebd

SHA256
0c95f0bc665920da685df755949c4191ae9181c291312a446f32c92c2a8afa47

SHA512
2005e7d640e4f6887c370886feefcf4a2689d983b0e8ddde181c1b1774f117208d59ab3973c9020fac257401013e478acd8c08cbd446fdc1bfcb16d0aa11ce3e

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
87037acc5e20a9699255777cfa529c1d

SHA1
fe6daaae9f8d4d7950494f76ad8d56651e86c6f7

SHA256
89b692f055dc29921d5cb38bfcef5d7ff551c0507401add37567996656f1744c

SHA512
cbb378c11e876308f70c7ce94f57da0bdcec17714c3003c2b507b14e9a1aa5f11aadec1c2ef10fc7b35a57a798ab7092485b7185f7a2ef8dcfd1a2c43730ade0

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
80KB

MD5
5e61b003c866d8f3d11a8a8bc3f8d01a

SHA1
80960b6290b1b67ba3128f16ebc23e7ddb68b905

SHA256
8204cc3ef584a8e6b6191d8fa33e2597a4ba8d3dd6c944b996eb0bb2761d88aa

SHA512
051811747ac00814f8ec77ad75322c7d1c9db10c93f21c1b2cebfa724e7ead2cdc79cd6463ed260d28452d2e21a007f7eb1966e0aa880d54b701db6e65a5aa6c

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
80KB

MD5
b4a3f9f14ff814b4c9b2c45277311c70

SHA1
7eca36b7b8ca4d894b4d170e0ae1375043b62bae

SHA256
ef70e8c3e77e287ddb5dd49e9fcefe63279934848244ded774e8dfdd98aa8810

SHA512
3fe0c576186c1072628a674b87a2a1477b4076426461ef32baae0b5cbd39c39a54aaf4762886eb0466e340ac9cb14de4d271cb35328e0be64c4b8030c85c8f5b

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
80KB

MD5
20c0c6fade37c8313e39a479c02dd1a3

SHA1
7b3b55e11b34f4e8ca70f60f495198bec33b104b

SHA256
675ab687cbee1d373291cfdadc173bb9629fb7b7233bab434a5af52377113ac8

SHA512
c6b093439583b3122c06c8fa2d5e494ab861b119baebd6661bd6f5c35863ba621ec3d6c21ff1519b292406b59ad131acf3060f2679a679ab44520d907d08f2c6

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
80KB

MD5
8582eedcbe5f2cd049ceb7142d76d120

SHA1
97caa563e1ba7994e0d8a5b978e0bb1c51fd7ed0

SHA256
2c67ebc8d5b5a12e7e7d56419862507bb81f479760b91058d9bd5eb7912bc6bc

SHA512
a78eacc840ae69833b0226f3c0c9fa8873c5c2ad661316f580c05d57de2a10e0d70ee9422a79b5de2a61ea6e5944918e7d84a62e4bf2c374766e0ca4a7e7bced

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
80KB

MD5
80b989391a8fcb099008901cbd551007

SHA1
e64b35c5abda55ebe963a6bbf814841db50196fb

SHA256
454a01a0cfe03e2ae3750df9732f4c4861465d6f8672af353b0d023bb789a4d1

SHA512
81b12e0f6a775875e68847f2e8a9bd3174f955a00eb52994c93b2a88bbf750f53d9a60d76a57445d49e8f91d153ad4f74128fd0d543dddede4e1021fddd8f861

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
80KB

MD5
4b5eceb310f1d207365302485bd46d21

SHA1
6145c3f056487b314a6e62e17e88dab916c2e609

SHA256
e34141cea9fa38498d3906df418bd7cc898e3d29f6dae2c854c62c508a15cd6e

SHA512
1e8a5cc8985262cbc576314839600f7746398993898c9e06a93874d4cd2ecc73a040019f1f259ca5331d353dce90b13b0772cfef4c2840a10cbd977bcd240a65

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
80KB

MD5
e0ef9d4b088f6025de9abc23417bd851

SHA1
472c8c8e30d5cca64e24f64cb643b230b4c70151

SHA256
aa7e3e908128e347b56b031d9c2177923434ec2d0d95e2c6e1917c152ad98987

SHA512
7636758f2896b14cbe028c1e9024e5728c423616d7acdd7112f9effd3e92f6b578c4ba164f861a29cc2cea9d548cf5f61167a79fc1096409dc2c7052a02c6d62

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
80KB

MD5
26ab099d7cc20bb6e471c92a31bed167

SHA1
881f57aaff0e88db1d82d8c581e5e63351a7858e

SHA256
dd47e3cb700a7ed00812872a671135a53a80cab81555cf7b6be046fd399e9a81

SHA512
381dde6761e854d30a89211a5a3a53fce5497a7de799bf283847144afdf8cf5b67923d540e71ed35c26afea1342788eb085e12a9832efc829d1f894b3d5e7b64

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
80KB

MD5
24c0b4c6a85b047349612e1eeeab0216

SHA1
0b932c6f80fd32d2e70e9df2482b77036167e505

SHA256
546ce7e5a72c4979583020a5a3b2d67c5003ec06e9e6ae30a989ea983ded4a0f

SHA512
aa5f6a06ccc7adbd6fd8c6060d12480cd8d0a530f5b68e92aaa340406e0396de7e23cb50f16e1633ad37c908c7d6128a4ce757ade934f11c954455fbc789bd94

Download Submit
memory/224-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/764-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1544-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3628-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-591-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5160-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5204-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5268-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5312-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5384-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads