4131c71d93b2897b2eb786f4a8141e765b3ba261a7a51490e86332d592a79312

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca5b5d72518e82b19621a4062403fce0N.exe
Size

404KB
MD5

ca5b5d72518e82b19621a4062403fce0
SHA1

7c5f80d6c2a45dd44fb1582166f32a9bc34e0ea9
SHA256

4131c71d93b2897b2eb786f4a8141e765b3ba261a7a51490e86332d592a79312
SHA512

3ad58344fc0daee73ca989b1e19c4b6a4fcfd2b3f97dafebc46efbe12997a713279c070b5a77b4419837bccac1398e43f9b5a4f5df63ee8392536b426f497404
SSDEEP

6144:j6Rh9gxaO25TENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:yhmCawcMpV6yYP4rbpV6yYPg058KS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ca5b5d72518e82b19621a4062403fce0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdmaj32.exe

Executes dropped EXE 59 IoCs

pid	Process
2140	Lbiqfied.exe
2628	Legmbd32.exe
2540	Mapjmehi.exe
3048	Mbpgggol.exe
992	Mencccop.exe
2892	Ngdifkpi.exe
2372	Naimccpo.exe
1836	Nlekia32.exe
1140	Nenobfak.exe
2416	Nhohda32.exe
1832	Ocdmaj32.exe
2288	Oaiibg32.exe
2708	Olonpp32.exe
1560	Onpjghhn.exe
540	Ocalkn32.exe
744	Pgpeal32.exe
1648	Pnimnfpc.exe
680	Piekcd32.exe
2328	Pkdgpo32.exe
3024	Pckoam32.exe
2960	Pmccjbaf.exe
2652	Qkhpkoen.exe
2680	Qodlkm32.exe
2644	Qqeicede.exe
1396	Qgoapp32.exe
2992	Anlfbi32.exe
2440	Aeenochi.exe
1568	Apoooa32.exe
2180	Ackkppma.exe
1192	Aigchgkh.exe
2008	Apalea32.exe
1876	Acmhepko.exe
824	Ajgpbj32.exe
2376	Apdhjq32.exe
2800	Abbeflpf.exe
2484	Bilmcf32.exe
1176	Bpfeppop.exe
2356	Bbdallnd.exe
2248	Biojif32.exe
2020	Blmfea32.exe
1500	Bbgnak32.exe
1644	Beejng32.exe
1988	Blobjaba.exe
328	Bonoflae.exe
1884	Balkchpi.exe
336	Bhfcpb32.exe
1520	Boplllob.exe
2536	Baohhgnf.exe
2840	Bdmddc32.exe
796	Bfkpqn32.exe
2148	Bmeimhdj.exe
2864	Cfnmfn32.exe
2568	Ckiigmcd.exe
1368	Cmgechbh.exe
644	Cdanpb32.exe
620	Cgpjlnhh.exe
2216	Cinfhigl.exe
2232	Cddjebgb.exe
2932	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2824	ca5b5d72518e82b19621a4062403fce0N.exe
2824	ca5b5d72518e82b19621a4062403fce0N.exe
2140	Lbiqfied.exe
2140	Lbiqfied.exe
2628	Legmbd32.exe
2628	Legmbd32.exe
2540	Mapjmehi.exe
2540	Mapjmehi.exe
3048	Mbpgggol.exe
3048	Mbpgggol.exe
992	Mencccop.exe
992	Mencccop.exe
2892	Ngdifkpi.exe
2892	Ngdifkpi.exe
2372	Naimccpo.exe
2372	Naimccpo.exe
1836	Nlekia32.exe
1836	Nlekia32.exe
1140	Nenobfak.exe
1140	Nenobfak.exe
2416	Nhohda32.exe
2416	Nhohda32.exe
1832	Ocdmaj32.exe
1832	Ocdmaj32.exe
2288	Oaiibg32.exe
2288	Oaiibg32.exe
2708	Olonpp32.exe
2708	Olonpp32.exe
1560	Onpjghhn.exe
1560	Onpjghhn.exe
540	Ocalkn32.exe
540	Ocalkn32.exe
744	Pgpeal32.exe
744	Pgpeal32.exe
1648	Pnimnfpc.exe
1648	Pnimnfpc.exe
680	Piekcd32.exe
680	Piekcd32.exe
2328	Pkdgpo32.exe
2328	Pkdgpo32.exe
3024	Pckoam32.exe
3024	Pckoam32.exe
2960	Pmccjbaf.exe
2960	Pmccjbaf.exe
2652	Qkhpkoen.exe
2652	Qkhpkoen.exe
2680	Qodlkm32.exe
2680	Qodlkm32.exe
2644	Qqeicede.exe
2644	Qqeicede.exe
1396	Qgoapp32.exe
1396	Qgoapp32.exe
2992	Anlfbi32.exe
2992	Anlfbi32.exe
2440	Aeenochi.exe
2440	Aeenochi.exe
1568	Apoooa32.exe
1568	Apoooa32.exe
2180	Ackkppma.exe
2180	Ackkppma.exe
1192	Aigchgkh.exe
1192	Aigchgkh.exe
2008	Apalea32.exe
2008	Apalea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgenio32.dll	Olonpp32.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Blkepk32.dll	Nhohda32.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Mencccop.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Blmfea32.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Oaiibg32.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Ocalkn32.exe	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Eppddhlj.dll	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Mapjmehi.exe	Legmbd32.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Legmbd32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Hcgdenbm.dll	Nenobfak.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	2932	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legmbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaiibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olonpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhohda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca5b5d72518e82b19621a4062403fce0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ca5b5d72518e82b19621a4062403fce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balkchpi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2140	2824	ca5b5d72518e82b19621a4062403fce0N.exe	30
PID 2824 wrote to memory of 2140	2824	ca5b5d72518e82b19621a4062403fce0N.exe	30
PID 2824 wrote to memory of 2140	2824	ca5b5d72518e82b19621a4062403fce0N.exe	30
PID 2824 wrote to memory of 2140	2824	ca5b5d72518e82b19621a4062403fce0N.exe	30
PID 2140 wrote to memory of 2628	2140	Lbiqfied.exe	31
PID 2140 wrote to memory of 2628	2140	Lbiqfied.exe	31
PID 2140 wrote to memory of 2628	2140	Lbiqfied.exe	31
PID 2140 wrote to memory of 2628	2140	Lbiqfied.exe	31
PID 2628 wrote to memory of 2540	2628	Legmbd32.exe	32
PID 2628 wrote to memory of 2540	2628	Legmbd32.exe	32
PID 2628 wrote to memory of 2540	2628	Legmbd32.exe	32
PID 2628 wrote to memory of 2540	2628	Legmbd32.exe	32
PID 2540 wrote to memory of 3048	2540	Mapjmehi.exe	33
PID 2540 wrote to memory of 3048	2540	Mapjmehi.exe	33
PID 2540 wrote to memory of 3048	2540	Mapjmehi.exe	33
PID 2540 wrote to memory of 3048	2540	Mapjmehi.exe	33
PID 3048 wrote to memory of 992	3048	Mbpgggol.exe	34
PID 3048 wrote to memory of 992	3048	Mbpgggol.exe	34
PID 3048 wrote to memory of 992	3048	Mbpgggol.exe	34
PID 3048 wrote to memory of 992	3048	Mbpgggol.exe	34
PID 992 wrote to memory of 2892	992	Mencccop.exe	35
PID 992 wrote to memory of 2892	992	Mencccop.exe	35
PID 992 wrote to memory of 2892	992	Mencccop.exe	35
PID 992 wrote to memory of 2892	992	Mencccop.exe	35
PID 2892 wrote to memory of 2372	2892	Ngdifkpi.exe	36
PID 2892 wrote to memory of 2372	2892	Ngdifkpi.exe	36
PID 2892 wrote to memory of 2372	2892	Ngdifkpi.exe	36
PID 2892 wrote to memory of 2372	2892	Ngdifkpi.exe	36
PID 2372 wrote to memory of 1836	2372	Naimccpo.exe	37
PID 2372 wrote to memory of 1836	2372	Naimccpo.exe	37
PID 2372 wrote to memory of 1836	2372	Naimccpo.exe	37
PID 2372 wrote to memory of 1836	2372	Naimccpo.exe	37
PID 1836 wrote to memory of 1140	1836	Nlekia32.exe	38
PID 1836 wrote to memory of 1140	1836	Nlekia32.exe	38
PID 1836 wrote to memory of 1140	1836	Nlekia32.exe	38
PID 1836 wrote to memory of 1140	1836	Nlekia32.exe	38
PID 1140 wrote to memory of 2416	1140	Nenobfak.exe	39
PID 1140 wrote to memory of 2416	1140	Nenobfak.exe	39
PID 1140 wrote to memory of 2416	1140	Nenobfak.exe	39
PID 1140 wrote to memory of 2416	1140	Nenobfak.exe	39
PID 2416 wrote to memory of 1832	2416	Nhohda32.exe	40
PID 2416 wrote to memory of 1832	2416	Nhohda32.exe	40
PID 2416 wrote to memory of 1832	2416	Nhohda32.exe	40
PID 2416 wrote to memory of 1832	2416	Nhohda32.exe	40
PID 1832 wrote to memory of 2288	1832	Ocdmaj32.exe	41
PID 1832 wrote to memory of 2288	1832	Ocdmaj32.exe	41
PID 1832 wrote to memory of 2288	1832	Ocdmaj32.exe	41
PID 1832 wrote to memory of 2288	1832	Ocdmaj32.exe	41
PID 2288 wrote to memory of 2708	2288	Oaiibg32.exe	42
PID 2288 wrote to memory of 2708	2288	Oaiibg32.exe	42
PID 2288 wrote to memory of 2708	2288	Oaiibg32.exe	42
PID 2288 wrote to memory of 2708	2288	Oaiibg32.exe	42
PID 2708 wrote to memory of 1560	2708	Olonpp32.exe	43
PID 2708 wrote to memory of 1560	2708	Olonpp32.exe	43
PID 2708 wrote to memory of 1560	2708	Olonpp32.exe	43
PID 2708 wrote to memory of 1560	2708	Olonpp32.exe	43
PID 1560 wrote to memory of 540	1560	Onpjghhn.exe	44
PID 1560 wrote to memory of 540	1560	Onpjghhn.exe	44
PID 1560 wrote to memory of 540	1560	Onpjghhn.exe	44
PID 1560 wrote to memory of 540	1560	Onpjghhn.exe	44
PID 540 wrote to memory of 744	540	Ocalkn32.exe	45
PID 540 wrote to memory of 744	540	Ocalkn32.exe	45
PID 540 wrote to memory of 744	540	Ocalkn32.exe	45
PID 540 wrote to memory of 744	540	Ocalkn32.exe	45

C:\Users\Admin\AppData\Local\Temp\ca5b5d72518e82b19621a4062403fce0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca5b5d72518e82b19621a4062403fce0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Lbiqfied.exe
  C:\Windows\system32\Lbiqfied.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Legmbd32.exe
    C:\Windows\system32\Legmbd32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Mapjmehi.exe
      C:\Windows\system32\Mapjmehi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Nhohda32.exe
        
        C:\Windows\system32\Nhohda32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Olonpp32.exe
        
        C:\Windows\system32\Olonpp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 140
        61⤵
        Program crash
        
        PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
404KB

MD5
2becf6107813a79ad24d54f34d47f9d9

SHA1
f9d649cea4260e4498b978c647a10c946d4756ed

SHA256
04891fd1353d0ec2636f762923c15280cf25e5ed2ea5adfbefb04e6802294b78

SHA512
a1869dc224dd1a95d86f2fa8f1d8d7e86baaab9f0d0ffe6908ec2e84178b572a144bc1094d51ebbfa560969cb613c332444991e5c1e037e991ba2308b2babd79

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
404KB

MD5
fad6e01af5aa4c7c48ca2aea3b41621c

SHA1
83f80c4d2765261e39fab55d96028520df6ea5e2

SHA256
7c60ca8ca176a4c87c7adae7602d71e187687f01c23aefa3cbc5332a4f5017c5

SHA512
252cfd74c62a64f8c463e5f5e0efe489e9d6fd85d98f084108c102c2d231ad5b1771f2b03c2df6b81706901a7c9eafab14d40a61a4cdb9b8032b8803e3643eb4

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
404KB

MD5
698d01a5ee1361eeaa9b70b34eb8da56

SHA1
a1bfe4392674ce93c7e39118763fb46ff771db9c

SHA256
3a4486e7ea2414cefbd1c3ee7c0395d52939c242c96c2553b3495ce0c1e893de

SHA512
99b2f9148eec3ab02df02709bb13e356236e5f4bc89c41ec7008c288d5497a2c5b5aefacdd1f3c19c79d86ba340faf2331fc61f1c17e5fa31db0bfd7f799c678

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
404KB

MD5
d08f493729185551a4d89cfe0349c26b

SHA1
d21ddbeef70aa2e8fc968ba6bbe24651329127c4

SHA256
f44a036fd6c7fbf29d041573ffe692201af461273d000b1114675c98aa63c8c4

SHA512
65038425fd51cd1dc2a84cc4a5bba0227fe2418e4dc6ab87dd6e1ee1bd94dc9c328cda7cc46307265660dfeb85994316eb3ac01476594fe43eaeb9ed2e9272ca

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
404KB

MD5
d58bacc059de7ada9d5368d0b0508a92

SHA1
5f3ae5dec469481ab3c49070e49ffdc2d0c6abf2

SHA256
2fad5593f8cd61fe2cd4656c9309d93f38f54a341c0085bf18a37cf2dae26cda

SHA512
82835432b39028f386fa21b406f9501b24802b6469b0af634554d97aef259e454399a4920a7ac84c4c12c030b5d4608f2ed3747bddf031039f6457e45485ac43

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
404KB

MD5
25998622b4814928a2ddc79698dfb7f1

SHA1
9cbb3a3e9bfef20492b87597167a11c7f9e2ab52

SHA256
244a457a65b5c579467f33c12e0eab6f718eadf6a534ce2da5dc9d8b0a54d58a

SHA512
9bae53c5da813f7f6db2ed480f860cd03b17fc968bb2f8b6cf1bdca63e445b85f6f3d0553f3cc712e34aeacd812ea27336f6bef966111e4b94bc4cea640a3eb8

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
404KB

MD5
7325e24a5b983b38e16c67fd4b4a0bf8

SHA1
2962d9b96e2f6a54a7758508b5e1a56c94fd19d6

SHA256
244c31f712ac93ccb03e687927eba1e888e830da410d1f6f62e24cc1b6a1146c

SHA512
06f1305f0b56914f7e3e54d6c8ab07b9e1cc629d72ebcddb0bd17ae359d65531cf161b2b2c4b372476106e528f4782c49b33238486b48152ec1eba1bb7e68bc5

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
404KB

MD5
567a5482acd5e4f63dead750f1db093e

SHA1
7691a4f77f3d6e541c85c8ccdb744d340b310062

SHA256
06b91c3538a1d4c31eefccc80667ff8589c0ce5947957e65ad39c2cd79442324

SHA512
61e8fc3ce8e1f131c2d3d1dff5d6aa8436c9c8dcab3d9d93a2bb16b706efe1ce35db398dc5c1681024cf8407a2020e4627e62dcba5a42ebebe8db06cb3ad3f9e

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
404KB

MD5
36c43a02b0c8f440c17aba7efb9bf121

SHA1
0c89008bcc18317775f22cc4670285e507b23959

SHA256
d117ae98b9073d40f4c4228b4532217082a4c7e6fa9d1409ea767e56a1fb6e77

SHA512
50af1321e868316f4bea5cbc43d092356312c1fc1b493df72092aea6e7430e73ab1e981d261ebd55ceb665151d8f1737b141a1d7e626c4e69474b162567e27d3

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
404KB

MD5
5d9bab2b42f491ab777f5b7e843826e9

SHA1
354e2f900d5c10b35b6fa5851fed264252b9e018

SHA256
9d136684508408b6f3f270a8660ced4ae42f5604ea4fe7b61a1f9a15f1c8ed92

SHA512
8ac69b04ddaebeff58d9af88a31f47728974731e9a8a67b4ad484ad7d446ac5f9544834d1a1729c5bfece63c2de3942f13cfcc788a53109228a34b78e3ffd543

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
404KB

MD5
65ff49eb3d69c1b5091787a76bbcbe1b

SHA1
565322b20bee553563514ce84470155ef4582b9f

SHA256
95d8cb5b0c11a18e090299df01536503ac2cb8cf95db883e9565931f6e73ac90

SHA512
a2a3edd2a4fd73c51a1d7cf0318c97292b99c6208bd6dee0369bd348211f51dbfe4763007b9536a44893f6f291d8e8a2c7f30d6eaf31628fbfaf14d6baf425bb

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
404KB

MD5
a56da86030b0fd461b4996b0fe6e4b53

SHA1
f8fc609c32f56f40281bf8c341f467b97c20b319

SHA256
2ac68347cdf9dae51d1f1d4941349602ef7d07227e96174f9e3d32f40658a6cc

SHA512
d37ef069d5a770f12f3b0afbea9a7575745a9f6df9a0fbbf39e7a92fea37c3445b5250f9b11712cd29cd28725ca2b21dcd8ef37d06d0634b575ff16008db570c

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
404KB

MD5
b2c18ef5b9b1bb8e538cef986957c176

SHA1
ee3e19ce148d504175e574fde970aa72852140c8

SHA256
fb6b17ac221dd22c3feacdc9cc9cf7342d5bad722be089e4a4d758c5ae3dab5f

SHA512
c43569b75a66e655bf095ae2e22b87f723da599933a73cd8afa912021147a390f78886327d303d333207fe128434e0b12accad85d59bc0050777c9f1b716524c

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
404KB

MD5
3fd7f0e54f9736f72e346606e89a83f2

SHA1
618fcd92ea8fc940b3a3466f39458fc5cb32e516

SHA256
67a74d156d4a92f7c0c8478602e5988aeb30f86ae85dc8275884043f1cbf2875

SHA512
edcfda91c7550f8ea829fef46f3e94646f127ca2b2fb25cc38959d23062c403120fd44d5f71000eaed4b32ebcd07419fa537da42b12a4b355e4d08325edd3ba2

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
404KB

MD5
a3238aa8ff4b5777809efc8ad97b5def

SHA1
6d0ea30eb10462851e345874ad0e37a9392f4ba4

SHA256
1acffd28ae2746e9a1ee7e1574d84920aa8eba9b74dfbceb980884dbad25822b

SHA512
75e44cea94267ed012da5cba8bb7a17d0e7aec97ad54cce3c05da3356884d4733d44cf3eb91a315af47454df9d4b8ee39665ef62d60219ed9aa3a0a5d8793784

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
404KB

MD5
c99b38a6cc9f568fe63e0c36917e7418

SHA1
6473fb74eb41cea8f8b4265e578909d209c98666

SHA256
1458b94a7bc5e5ca08bf5a1c86d17c6e20736d3f4ed05a1ccbe01164d998857b

SHA512
1b7e2c98b14e8abe616583a63e34ff21c6c569ee000c994cc8ca1c97ead09fdfd88c3184070b993e2c65c5feccd2327ef9830aa2d409078ef194e0944559a77e

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
404KB

MD5
c95776d96030554de85dec3aaf8d8fa0

SHA1
e809110f214a2776cca2fa846a78ec48b3cecc65

SHA256
d8e511d5e526ab7bd68d97bc98fdebddf46ba9e273c641be009acf386170080e

SHA512
bc7b48a87625dc416c4fe14fbb578591b09f5967a5d2a644680bcc3ae6eb09b63340dc1c029769c09203e82db91d0db695c73d0d458b171158ade45874a6652d

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
404KB

MD5
852fce2492a95b90b9165423d793bb5a

SHA1
c7f00d32a888521c6e149699f5031614bebea97c

SHA256
68a0558231999bf5fcdd29b0284d060c43331b8b525bfa2b7306a8cbbdac7a12

SHA512
39ca9ea3448cd5c60fae610fd87798fde66a98fe6626077647acf612e029aaef881dd8ad81d0f058087a18234e03f94360ca160b90a9c615e4d5c41dc0c66314

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
404KB

MD5
b01b00ca789f9e6014d97a5013dc0315

SHA1
a9ebfbb18cebbf637cf8b045d81a77950fa1ce40

SHA256
4ea6d3afc88f11415782b7a6fa6db08ecbb47867b1c754e3c770246292e4f9c8

SHA512
23c50d8eefed8a0e6bed7585fd6c61f6bfc0de0a556626968532c0ba92cc73bac210ef121ff6517e4bf55b6a7b55415f6b3600bcf399cdda1016d55bc12f42e7

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
404KB

MD5
b7b03820d8f2bf113fe131ac0660a4bc

SHA1
163d31ea817120d34c88df37e4e4920803084813

SHA256
fb1a3a15ba5f0a0fa3df062454e008981967878688c8d79bdb28ee9a7741d7bd

SHA512
813a011eb262e464b9d97fb0586f3600b7acedae66a3c8dbf257881b922712752e62f09cc7f607608fb111ea81a88b5c24fa4d581ee12da01274b98a098e64aa

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
404KB

MD5
498fc7b6c6ba7550e437d0ab6aad183b

SHA1
7b030c737a9acfafa571edc7297e9d5b9618170f

SHA256
2f7fe6dd95298ee3ab33275877ab7cd25b27042595fd151d3ecc0d90e9b29e2f

SHA512
5b7d1e45c49bfa2d778509792e7228fa8b9de8ade4008e1a5654fc6cb4a80732136b6d09e511d072ecada6b974a462b6d0e61cd8256d14a21754b0c1aac62cc3

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
404KB

MD5
eb0c25eab98d3a7402656297b313f714

SHA1
696e36e83a415c3a842b086a895ca1ade9261988

SHA256
fe84ff5929c379f3890f3dfe670272ae6e4c19c43b6e710a301997c4053d5255

SHA512
76533e5005df80a4870a0484f93d47ec2c0a6219a1c27895f4ff60773eda90b7bf0af633794e096bf8ab155e16d62240bf83c17005b0630838f5aeb4d985c818

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
404KB

MD5
54909e37e3a37844409b096b1aec2a89

SHA1
d3298b41c34dac9abba20e8728c604bd4d343b45

SHA256
c5f334ddf5a913f8cfbe7712ae2d17d7d15b1f93c75846846ca5631a3061efe9

SHA512
51315f63d322690e783108642eceba7b19fb6da9e09d877639d974f78bc7af43933a88b9f130c1a434d5de50812d85d97379416f5a68218f71a3aef27b7dd3a4

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
404KB

MD5
350ec6e55f8388dfa8a01ea9bb025f40

SHA1
c09e7ed40f81e8883a1c8bbdc2bb6ca83bf55a63

SHA256
c0fc5e6e4c6fb2adf6b24a86a9961643d27dc368b40d6875c62a3e40ffb746b5

SHA512
fac2ae0e7f1828408ae41c2f587d66fe7d1b6a8d7ced5ab7e4ad6e2934e690ebe2de97c493f3809192f42dc73f88b029faa8dfcd22e7ba26aa7be4e236ee7a98

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
404KB

MD5
21e3b753f646243baf458633baf69acf

SHA1
8d68f7c630d53fcf0da74265024434d9fd4e8e41

SHA256
25fe4c186459977d4a5f7c59869796deb0e06f4226643126ccdc1c5e5d27e35a

SHA512
db919fb2dfffe369654130fa4c2543a3bf68e51eec8b8c76ff8b4d5786473123a51da55db40b86594576f24ff4b46846b06476fd647b0360d0d4e6f30c0c9949

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
404KB

MD5
729dd6a02bbbe89899a1f2e86cb1a41e

SHA1
a26395061b559a5df1009b9d0e74ae57b068005f

SHA256
837332f0dce504672c36c14c4da930b997e9977272fad0655e4aa0e90b05d4e7

SHA512
77353d9d4c265eed12eee04e6f3c4190e46909a3210f06b9cd23dcc0a4f0de86943d612c5b43ccb1e4bf782e56030b27baae49a5cc76240432c37b2a4e7d6197

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
404KB

MD5
9693897eae129ccfc7af71b1419beef3

SHA1
20e566bc062f63248b7313ed77fc4667b056b639

SHA256
15a4219b760809c5b94a77004128c1deed7e63a51f996fa67b5cc894dd2d9196

SHA512
d3c1e423d71dd4a59f1557cdd2a834640cc4915f97e47317947a4b9edfcbe02daa7965c9ec202c41b7fb8803d6ab4fc3826fd7bc17292a5835dec728a716ff71

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
404KB

MD5
53879360310660f7b82c02921d86e121

SHA1
858ad8a997eb17e978c0fec08d627b7e88225f4a

SHA256
29dcb523b98429291e76a836375891bc06ec43315016ce0e86158d2bf194f79f

SHA512
822f4b2b4fbf80c03449271657c6cea49ef1329dce183dcde80034348c6204c27fd9a4035abaae08707e1f780a69ff3dbf9483d5aec972d90cf00c15a0b37243

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
404KB

MD5
b35f41a071cc9cfab568e95ceabe0e86

SHA1
f8d69c347bd17df9eef910cb485d622f0087545b

SHA256
46ad3eb615044b2fb2d9f786d26920f04a692db472b3a138ca9154e24bfc349a

SHA512
cfca09358f7170377237eb215a102482fcd8f5187384665ebb5c1af563fc17d5f7ed1dd985605af89ede67836d284d55a88f1c0ed6c69d17d0cd17ded517877a

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
404KB

MD5
fab258e7cf3026474e77238b7936d45d

SHA1
4e31d9a2647fc2ffa0c73d26078750a96cc1a708

SHA256
999589a3826fe2568eee24f451198e3ef6f2f524a836850dd8902c6148ca9be5

SHA512
7804e0d7953a21c23f02595d7c6db8104bf8e047390056843828c18a8b5b8f06f193b3382f3b1db3cbaa5a8fa24be6fe9380a15f182b655b6c9bfde015b4f498

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
404KB

MD5
864dff6713e7267dad4f007571620a82

SHA1
e4f3c9f7b29c2c815817dbeceb1bc824d21e0e2a

SHA256
e611b4f729db34181446aadc5a3a1eb0547d10396b15f1691758b6997231df81

SHA512
12fae64b85acd0b891c6a9909a910c0e65c86a15322eb6e6559845e1f9932d4a55338170527e39c22449dfa7213cf02d951688202707b4fb29ef1b6ac41d9c11

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
404KB

MD5
eeecbfb6f039cca2589a4496c0c3feca

SHA1
dca421c92b9587adf1ed2647d041ebb65c1d6a03

SHA256
b2390da6b197fbf61ea4a80c0b721a9595becdd008d4c0cdd36d90ae372a5a53

SHA512
b6b7afd9bd7f6ab2e52c16a42fcb5ef8e2ceb42b22b1727b0fd827dbb56b5dcdc7c6d566be56e2b0f7de291a7bbfb25e555165a7058b0cfdee47ff914f03a3eb

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
404KB

MD5
6f2a7e62a3eafe10abac87a1a85d14ea

SHA1
2d653dfd1aa32e8309492668eef50fe0c30c17fd

SHA256
7f5ce1f37ba06dabce54a481ec43f567f0558f964d03aebc7b25ea6bda86baef

SHA512
761c6550d2ce780acbfabf2b54a59ab92a16dbfa94c92b945e2504d1e96087b74c9921b91aaac85b98ed37aee3d9d9fc8da37565a1737e18f14789765d0f7d8b

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
404KB

MD5
0c70f97823125142bbb670d9dbb0dbfc

SHA1
66d086ad5db60770a1d7d6f44c21d127e4abece3

SHA256
ea4f52763dddcde3dc8b8de51cb4466b774b475ff6d582f1fea0c0d39b226359

SHA512
8f588dc6aa106102b23c8f4c200545c35a1b6d747d417fe72bfcb60358a1d1b1320b865d5cdcaec131fe8a32de4de5fe51b9f1ddd81d0424d84efd19738f806d

Download Submit
C:\Windows\SysWOW64\Hendhe32.dll

Filesize
7KB

MD5
1b682cd53d555a360ab7523b0be80dac

SHA1
e3264530079a8eb9502d8ce828026cfcefb8b37b

SHA256
484522912c4b32f259d439ed1d58918e28a660c4664389d0707efe5200ab643e

SHA512
14ebb4c4114a9e83c4be9457054ae2e9561556e4508cfe7cf27dd3e10cf3e2420524dd0f605cad9f492c633367e183896b2665418ef07ead23a04af9f473987f

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
404KB

MD5
64dc13fe30d5e4fd8882251e5cfde47f

SHA1
f121b2b98690ade02bfeaf1f7f9a161466551b38

SHA256
fb3b0f18f2abb9515b88408befb2642734efe91734cb556b995c19e184eee005

SHA512
be7e327b12a3737a932ee8b362f38c42a62bc33844903048fb570d2bacb3e9a0b01d672898da085d5b9e72560fd8ce53c25229c62b8cbc7754897eb159ac5b5a

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
404KB

MD5
12d25b9ca82115143342f436b424d439

SHA1
d1ef6729f7ee8c9f63f1ee28279cbb4316576d58

SHA256
e76f1d2351945ab160b400cbb30faefe2ea8265a0eabb64e82183a8960ddf5b1

SHA512
57ee120d2ccf959046406511ff3dd5bd0d1863cfc8fa54b8c5f937ba8a4a6ad57c141865a6fc0916ebae3324031ee12e76d31e09ca2003af402abf680d1bd672

Download Submit
C:\Windows\SysWOW64\Oaiibg32.exe

Filesize
404KB

MD5
46a913925eac33da3357491b0c160384

SHA1
180c0de0009272580e3eb6fd8c7f24d1c01a37a8

SHA256
d79d02322c1123b765e4bff4942930f4d3c7238dbcce353af95f350fcfbbdb79

SHA512
3ac59038ce85e9ce38cb05a7ffcef2d115379b7a2f954006572040d98ea5695706ae20e7859ec669ce303edbcf6ea76ee36b2b2be6f1d920d6d34d080218df5e

Download Submit
C:\Windows\SysWOW64\Ocdmaj32.exe

Filesize
404KB

MD5
0e747a01fb36db686fff29f1379ffe83

SHA1
35de800229a1884209e5f38307bf42a36efff64d

SHA256
fe1c12dab83f481d827340bad61aaa7763ff7e5ecf25001ebd5acae18bc1a22e

SHA512
5e98ec325dc41a1bf6296d4f2ca7320e31bd0bd3c5e1b5ec21e1acc2de6b54de531207110512fa8069ef0689d82cf16c6f08fe011df69a7d67670d478569632c

Download Submit
C:\Windows\SysWOW64\Olonpp32.exe

Filesize
404KB

MD5
10c0b06682afe6b0742eaf216aa36807

SHA1
00844d9617c72f5f1507857730b96a5bf9b02d02

SHA256
bbdc4fe45e4d1f82c53b1aef95aec2f0ea0cc3e144a94d04822fac33935de31b

SHA512
fd2cd3620406c3ec60f9ddf6bafefc57e52201e3f5c60e5e2ae0bfd421dd8dd3cca8d5f1a7fe5b298e6fde239efaf90469c6019f89e60187781dc7b2b3543860

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
404KB

MD5
85e60815972f03a0ea7ccddf36829c0b

SHA1
ec47383d8c10571cfa51d1c795aee58200813111

SHA256
3f588adac82f7cae42c6200ae3fe6e738a144065837a319f1e2700efa280634f

SHA512
ccdbe20f2c7be800192ae4bd0247098f00a460a5e48fb4a63bf3bcbb0c6d167f0a12a0bb6aaae2acfb41a0c6287a0558b3336975c8be4e8a0119661abcc93bc6

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
404KB

MD5
b6d32148430e60b3b69e11f98af0ad27

SHA1
30fc2103f3a6e75709627efeaa6d99963e9ee79c

SHA256
4048f11a1a98b95c78787dcab7fb4e39d6afbcb6c558bd86ca78719e497076f9

SHA512
f2aa015508db3e47865e72150734f6c098fbc82b5d8ca04dc054fce6840fdbe4cdd78ea37834fcaa8dadbc335987f80ff9ec21c422044308f9b754c2b1d527c5

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
404KB

MD5
a1e76ba0b030375d5205743c909a9f57

SHA1
e87a37d5a4223863036f3a283af62c4f3e0d223a

SHA256
232f5057174a2233a29468435afdbdcbf354c00f26588f297a5e5fca3ea685fa

SHA512
9d03035279634af7f27cd1217a60986278d8c7efcba0457785a74fdf2ebb5f07a2fc4ecaffc54940f803bcb4b94d2c39c413c3004688914b5cf3ea7ac36f64b2

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
404KB

MD5
a118f13ef935f54f21c35adaa7dc8d68

SHA1
d06fb9463b38df4163a163239ad2cb60a7454802

SHA256
84af19d8f90c8908ea46953c845f3f95717465133a75e7d7f899d228de1b5e63

SHA512
2e1b8a6b7d69866f28413b87e914da3368b578850d6fe210a01debdd8b8b519e662d538dbf25f729758fffcfaeda2b3293a8601e70a8c3865d24f1e3b8fd1ba0

Download Submit
C:\Windows\SysWOW64\Pnimnfpc.exe

Filesize
404KB

MD5
04a62cc07ecb43fad6aefb7c5db89e7e

SHA1
b8904e99e7ccfbd890add0e433a07fe9e2d93c0a

SHA256
3be0eaf198b273caa9a825956fb8108ba2795a6e08b56aaa45d252fe18d579c1

SHA512
68870abf325c2794c7821008aea4f1bb4d010e30f278557128a3b697ce57bbdcd2e4cc13bcddebeee23a10a5f19950421cf45be2c2336da426e766eb8464a3fd

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
404KB

MD5
3ed4abce1406c28fc958970114c8edeb

SHA1
b17b1391c36a41b1a558f224d2e43b7b28fdb7e4

SHA256
ffda17a5a9d0e290a9bb146383b148dc7fa56cbb95777b26192b9d4293cbd89f

SHA512
0edddb48ab40efcc870ef1e0d6c799f5c926621d060c61e5488e6c6892b0875ba4927019d54f8e04c8a504bb28358ace820fb822e08890cf7769a97dda25d69a

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
404KB

MD5
576ffd9fd71f9ca3876a9c43ea70e1ab

SHA1
911a88d703d51dc1e54c88059b10ea21a127c1bb

SHA256
a1cf071b59d7a940ee388a5dc1a68275ec2570c30ed1f9dcee92053514e7c4f5

SHA512
53a67dddb2530a3d2fe2eb75b3c6adbe7646910647874a669ab39338566537fb0c61fd09d4b5d9b21afb117af0dd86dcffef4cf9ad1d86a25c50179b5ce4bb93

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
404KB

MD5
2b85e369418c8831ba3988e57f801577

SHA1
7e87455fb0ea9e24ea0d9e50f13e9f2b084e8e3f

SHA256
dfddeb6997e341b80c0e9448bf0bc64b368cd6fc3f4364f8325e55aa1f6e7547

SHA512
ef865f25fd9fa6b449e29d7eadcabe714139bb169620513543ea9cdba00ec205041ffcd9c942700c8bb51a035ec794a32ee92b5ce8d116f374d3fa753e1f8a76

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
404KB

MD5
d49c780519d0187ee236159fadc72cc1

SHA1
94c37d028e49c3aa0cabc384dfbccfdd16993909

SHA256
72d017fba409fe0440e5c0751b36a2cd848ed079d776fa3b63396c23a3f0b69d

SHA512
baf1fa586611cc7cd604b4da59568b3898d179c5c2bc3d625e990d96ab7ec1ea4db976837d938f8c9a196b6eb6d8a4b19549ae062f7a996959def1a8e562663a

Download Submit
\Windows\SysWOW64\Lbiqfied.exe

Filesize
404KB

MD5
1ab2405299c8a31c8b95d6b5750a7f6b

SHA1
61f2c07d7e88fab4deb37b372b0bbbfc849e8950

SHA256
202ee55642c737b8f2b406b9ea9853aa9bae0c58ed56e058f25488c6de9c7439

SHA512
46b111a7404fc589840c6aec8fc5ad7029779d9b2e50e2c927fd53170907b2eff9e38bc8c8fa7f86783b343126f8c3074e4e1e3de0d0a229342f2bb15376ecd5

Download Submit
\Windows\SysWOW64\Legmbd32.exe

Filesize
404KB

MD5
61cdab80481c5e11d8f4f2764bbf76fe

SHA1
ce904fc76e479a504659d92b48b627839b380696

SHA256
3a18bb1351d68f521b0715b69933e75db5adf59c3e748ff3900785fb90a0a4e4

SHA512
9bbc287a69eeec9b494c46bad5140f9c1f2b50f65014c16a4ec7b25e91fe9d25a99128345581491118f96c7998df633d8c64e5d8507860f23f0a2ccb43473e39

Download Submit
\Windows\SysWOW64\Mapjmehi.exe

Filesize
404KB

MD5
880a358bd08731c60900d58a75a5e8cf

SHA1
c179879001a5d5a4b64ef3e6a48b5d7b022c904b

SHA256
56f50dc8d472802abad1e78203bc508b53cffc02719c5b559900e26ac0753502

SHA512
1fd614b10fe7e3adc72a75ce7a0ec56cf6a5f8aface2bc569b394d7c9febc55502cd115032bdb5491aef20eb1a81b57a25d478528f523c7ffba2bb4a45d309d9

Download Submit
\Windows\SysWOW64\Naimccpo.exe

Filesize
404KB

MD5
f904ab969cac2bb7db80099bdf47d858

SHA1
2d952dd0a459bef34d0add2ac0e6583a3ad079ed

SHA256
2fd1550875cd95b23965438453c0eb5e96b505998c418c1cbf21352c714a770b

SHA512
7453605594343f11a5a2c2f16aafbd9c96552ace57dbd3b534a8ce60380b7163b1e4be66bc9fd1dd6e363e6c2cceaa161e563c9f92e8eced0f824b46ddae0b55

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
404KB

MD5
046bafdfc02ebebc454736ba08b05eb0

SHA1
0f301ef5fba50a025a2e985a1049c54ed219354c

SHA256
85b66a4c5abb97fb3a8b49e46ac0de18ae4288296b8faf27303d949ad2292423

SHA512
c05b9bc20680699aa866e9a8721d7727bab01cab4483dff42724d6707adfa95593e474f1d64499ddfba233c261dbe9a9ba267aea06994a2256fdf9b2947182e8

Download Submit
\Windows\SysWOW64\Ngdifkpi.exe

Filesize
404KB

MD5
4e54c0de919dd3229be10fd99d4fae8a

SHA1
5e4f00799174f4ab6b3e95bfd724709beb92ef1e

SHA256
0628150c8fdc748910eb2defec693002c9ddc4a5da657d1bc978f94800af9c38

SHA512
1433d74b50741b68efbd41c663ab3f33670488bd7709063b0334aee215b6de2ee63d7fdfa8c73e13a8cf8bab49ffb88855088034d36c1e8a0535a0cf5ea10e31

Download Submit
\Windows\SysWOW64\Nhohda32.exe

Filesize
404KB

MD5
2c5db46d92abe2bcdf5eedef79f90668

SHA1
6f8ca6060d6f8ed0656588e31dc30aefae02bcb1

SHA256
3187fa172e7bfdcac08fa929f12860b9e085f1a78c485cd83fd8c33b15f0e481

SHA512
79ed7592f615299e5409239e3f7a69bd951a010090cc4eeeaa73aa1ca1272c2a863239e6b5526691bab2ed5609b2b73060e37038bc22397cd645757351b64938

Download Submit
\Windows\SysWOW64\Nlekia32.exe

Filesize
404KB

MD5
d277a8dbff1e39e36c7ae5c794ff2a2d

SHA1
b0ec2a634d0847a12a8829e164d98b86243d5da2

SHA256
0de8e6dde7cc210503b3dcd704c1ff8e74c42c0a22947e768043db0486fee1b6

SHA512
6b7bae67dfbb1b0f7d45b92bba2ea280fb3efbc6d03c0686e877f4c71e19ed0d303081078579ed539ab92a320e5780c3b396f269b63708d8ec6e1dd4b0a104b7

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
404KB

MD5
bf8d53839fa5bbfd23f549cad86d21e8

SHA1
e15fcb97f75e767a0744b98ab9e188c41cad6385

SHA256
3e58012bd6c485d0ce2369b93605f603507bbd9ad6a683ca19d61242c9f90a1f

SHA512
ad51ec8c0d69ac77b4bae43cf65dca245fea347c90a2ca353d9fcde83da386bdc9e1bb260fa75423b743ccb86b84e6f8b740a7d9276a1d7adc91a583fe650a49

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
404KB

MD5
c7034602d102d67e6503f7c8281a95f2

SHA1
3a5b13d612163d1f830ae90d4b7a4cabaea09851

SHA256
ab03d5339a398f302fb0faa07727e0a070f87eef3d6c1bfa419c08aa44ca7590

SHA512
538fe1f61381f36028fea8e52c524ef8594807bcd5c3cd6a6664de6caf18a426efce1b7fdc9aea59c457ab02a917c1fd56cd63a002fc82e1ce62dd7b25834cbe

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
404KB

MD5
2de53dd03e9217a5de3f47f1483f5465

SHA1
a900bb124edaa8924fbcdf32cfea66f69a1bd63b

SHA256
6b883aba7da3b83a995ee0fa182fb38bb2ad27fbf4cb9bc6e38f4d1057555899

SHA512
5ca6c8cf1147dc00f8562e086e92995bd590b3c9099b7f4813b383550d3f7587b5dd72b83b8f354508699428283633a7fd79447448423f83741e05004645671f

Download Submit
memory/540-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-245-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/540-296-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/680-280-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/680-281-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/680-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-85-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/992-141-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/992-133-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/992-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-86-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1140-155-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1140-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-143-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1140-212-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1140-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-360-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1396-361-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1560-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-225-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1560-229-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1560-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-266-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1648-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-243-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1832-182-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1832-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-26-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2140-25-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2288-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-197-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2328-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-337-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2328-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-297-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2372-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-113-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2372-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-167-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2416-226-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2416-227-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2416-166-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2440-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-382-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2540-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-61-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2540-55-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2628-105-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2628-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-40-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2628-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-348-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2644-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-383-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2644-347-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2652-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-332-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2680-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-209-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2708-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-259-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2708-260-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2824-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-12-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2824-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-71-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2892-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-103-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2892-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-102-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2892-157-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2960-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-312-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2992-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-372-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3024-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-350-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3024-305-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3024-349-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3024-300-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3048-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads