c5a020e94dfed2f3c354dc09ec1857bfb9e85568fc5285ad4948fc67fa064317

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae7a0904d7867762bfcfb392fb855680N.exe
Size

56KB
MD5

ae7a0904d7867762bfcfb392fb855680
SHA1

32e114a0449b0146b08476b07b33856ea12ffb2a
SHA256

c5a020e94dfed2f3c354dc09ec1857bfb9e85568fc5285ad4948fc67fa064317
SHA512

14844f138e297ab8af511bf8afe0b9f62346c38b3a28c30149a4aa69ab06735688470483baf6ff16b76a4e9d5701047967e7f22354facc5f0fb6f1cfebc46d40
SSDEEP

1536:lNBmpWg98K6sk2aQ2TdxNntrE/YZMjHW:/Bm4g9oskzQCdxNa//2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe

Executes dropped EXE 64 IoCs

pid	Process
2652	Ocpgod32.exe
1080	Ofnckp32.exe
452	Oneklm32.exe
1892	Opdghh32.exe
4836	Ognpebpj.exe
4608	Ojllan32.exe
3800	Oqfdnhfk.exe
2756	Ogpmjb32.exe
4968	Ojoign32.exe
4912	Oqhacgdh.exe
2920	Ogbipa32.exe
2204	Pnlaml32.exe
2820	Pmoahijl.exe
2552	Pjcbbmif.exe
1048	Pmannhhj.exe
1720	Pclgkb32.exe
3980	Pnakhkol.exe
1396	Pdkcde32.exe
4180	Pgioqq32.exe
2512	Pflplnlg.exe
2968	Qnjnnj32.exe
3896	Qddfkd32.exe
3500	Qgcbgo32.exe
2508	Qffbbldm.exe
4476	Anmjcieo.exe
2312	Aqkgpedc.exe
1152	Adgbpc32.exe
4428	Acjclpcf.exe
556	Ageolo32.exe
4936	Ajckij32.exe
2452	Anogiicl.exe
1924	Ambgef32.exe
5016	Aqncedbp.exe
4500	Aclpap32.exe
972	Agglboim.exe
3168	Afjlnk32.exe
4588	Ajfhnjhq.exe
4876	Amddjegd.exe
4844	Aqppkd32.exe
2900	Aeklkchg.exe
4984	Acnlgp32.exe
748	Agjhgngj.exe
4432	Afmhck32.exe
2628	Andqdh32.exe
512	Aabmqd32.exe
3956	Aeniabfd.exe
4884	Aglemn32.exe
2972	Aminee32.exe
3068	Aepefb32.exe
3692	Agoabn32.exe
3224	Bjmnoi32.exe
4848	Bmkjkd32.exe
1644	Bcebhoii.exe
2572	Bganhm32.exe
4168	Bnkgeg32.exe
2212	Baicac32.exe
4972	Bchomn32.exe
3196	Bffkij32.exe
4256	Balpgb32.exe
5092	Bcjlcn32.exe
3508	Bnpppgdj.exe
4084	Banllbdn.exe
920	Bclhhnca.exe
3724	Bjfaeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6132	6036	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae7a0904d7867762bfcfb392fb855680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ae7a0904d7867762bfcfb392fb855680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2652	1472	ae7a0904d7867762bfcfb392fb855680N.exe	83
PID 1472 wrote to memory of 2652	1472	ae7a0904d7867762bfcfb392fb855680N.exe	83
PID 1472 wrote to memory of 2652	1472	ae7a0904d7867762bfcfb392fb855680N.exe	83
PID 2652 wrote to memory of 1080	2652	Ocpgod32.exe	84
PID 2652 wrote to memory of 1080	2652	Ocpgod32.exe	84
PID 2652 wrote to memory of 1080	2652	Ocpgod32.exe	84
PID 1080 wrote to memory of 452	1080	Ofnckp32.exe	86
PID 1080 wrote to memory of 452	1080	Ofnckp32.exe	86
PID 1080 wrote to memory of 452	1080	Ofnckp32.exe	86
PID 452 wrote to memory of 1892	452	Oneklm32.exe	87
PID 452 wrote to memory of 1892	452	Oneklm32.exe	87
PID 452 wrote to memory of 1892	452	Oneklm32.exe	87
PID 1892 wrote to memory of 4836	1892	Opdghh32.exe	88
PID 1892 wrote to memory of 4836	1892	Opdghh32.exe	88
PID 1892 wrote to memory of 4836	1892	Opdghh32.exe	88
PID 4836 wrote to memory of 4608	4836	Ognpebpj.exe	89
PID 4836 wrote to memory of 4608	4836	Ognpebpj.exe	89
PID 4836 wrote to memory of 4608	4836	Ognpebpj.exe	89
PID 4608 wrote to memory of 3800	4608	Ojllan32.exe	90
PID 4608 wrote to memory of 3800	4608	Ojllan32.exe	90
PID 4608 wrote to memory of 3800	4608	Ojllan32.exe	90
PID 3800 wrote to memory of 2756	3800	Oqfdnhfk.exe	91
PID 3800 wrote to memory of 2756	3800	Oqfdnhfk.exe	91
PID 3800 wrote to memory of 2756	3800	Oqfdnhfk.exe	91
PID 2756 wrote to memory of 4968	2756	Ogpmjb32.exe	93
PID 2756 wrote to memory of 4968	2756	Ogpmjb32.exe	93
PID 2756 wrote to memory of 4968	2756	Ogpmjb32.exe	93
PID 4968 wrote to memory of 4912	4968	Ojoign32.exe	94
PID 4968 wrote to memory of 4912	4968	Ojoign32.exe	94
PID 4968 wrote to memory of 4912	4968	Ojoign32.exe	94
PID 4912 wrote to memory of 2920	4912	Oqhacgdh.exe	95
PID 4912 wrote to memory of 2920	4912	Oqhacgdh.exe	95
PID 4912 wrote to memory of 2920	4912	Oqhacgdh.exe	95
PID 2920 wrote to memory of 2204	2920	Ogbipa32.exe	96
PID 2920 wrote to memory of 2204	2920	Ogbipa32.exe	96
PID 2920 wrote to memory of 2204	2920	Ogbipa32.exe	96
PID 2204 wrote to memory of 2820	2204	Pnlaml32.exe	97
PID 2204 wrote to memory of 2820	2204	Pnlaml32.exe	97
PID 2204 wrote to memory of 2820	2204	Pnlaml32.exe	97
PID 2820 wrote to memory of 2552	2820	Pmoahijl.exe	98
PID 2820 wrote to memory of 2552	2820	Pmoahijl.exe	98
PID 2820 wrote to memory of 2552	2820	Pmoahijl.exe	98
PID 2552 wrote to memory of 1048	2552	Pjcbbmif.exe	99
PID 2552 wrote to memory of 1048	2552	Pjcbbmif.exe	99
PID 2552 wrote to memory of 1048	2552	Pjcbbmif.exe	99
PID 1048 wrote to memory of 1720	1048	Pmannhhj.exe	101
PID 1048 wrote to memory of 1720	1048	Pmannhhj.exe	101
PID 1048 wrote to memory of 1720	1048	Pmannhhj.exe	101
PID 1720 wrote to memory of 3980	1720	Pclgkb32.exe	102
PID 1720 wrote to memory of 3980	1720	Pclgkb32.exe	102
PID 1720 wrote to memory of 3980	1720	Pclgkb32.exe	102
PID 3980 wrote to memory of 1396	3980	Pnakhkol.exe	103
PID 3980 wrote to memory of 1396	3980	Pnakhkol.exe	103
PID 3980 wrote to memory of 1396	3980	Pnakhkol.exe	103
PID 1396 wrote to memory of 4180	1396	Pdkcde32.exe	104
PID 1396 wrote to memory of 4180	1396	Pdkcde32.exe	104
PID 1396 wrote to memory of 4180	1396	Pdkcde32.exe	104
PID 4180 wrote to memory of 2512	4180	Pgioqq32.exe	105
PID 4180 wrote to memory of 2512	4180	Pgioqq32.exe	105
PID 4180 wrote to memory of 2512	4180	Pgioqq32.exe	105
PID 2512 wrote to memory of 2968	2512	Pflplnlg.exe	106
PID 2512 wrote to memory of 2968	2512	Pflplnlg.exe	106
PID 2512 wrote to memory of 2968	2512	Pflplnlg.exe	106
PID 2968 wrote to memory of 3896	2968	Qnjnnj32.exe	107

C:\Users\Admin\AppData\Local\Temp\ae7a0904d7867762bfcfb392fb855680N.exe
"C:\Users\Admin\AppData\Local\Temp\ae7a0904d7867762bfcfb392fb855680N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\Ocpgod32.exe
  C:\Windows\system32\Ocpgod32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\Ofnckp32.exe
    C:\Windows\system32\Ofnckp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\Oneklm32.exe
      C:\Windows\system32\Oneklm32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        52⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        58⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1520
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4996
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        73⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        76⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        81⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        88⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        89⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        98⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        99⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        106⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        107⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 396
        111⤵
        Program crash
        
        PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6036 -ip 6036
1⤵
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
56KB

MD5
521abfb49490686a98b5eee12a300cef

SHA1
e41b43d7ae5787ba18bee0e34a37a18aa8001c92

SHA256
b693d33ccaaa6349e381af4af581055d63942c367f05d3957d4b5e2422c0fac8

SHA512
90adc128f3f08d73044ae723c8cb9be8e1b307f1125fa0cf55ee4044e46648aa6e5776168d652371389e917763883020fc6a9382bc87ba51ea5c288c3e48d27d

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
56KB

MD5
e5feda227764249175e53e5164d37f7c

SHA1
eb73bc03e2b03e603f72c41057e69119918c4b5b

SHA256
3915af6a1bfae325bec15a025540960e3912247e772e14bca7cf0ac07b8fcaac

SHA512
e36c4e8ce9ad6ebd17a72347f783b932acd2a715bab825c7b2db9facfa58c05ede8e5efc12235c9a4eeeaf6a6433069802764fd2291e83cecb1b83ab9c523b8b

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
56KB

MD5
84727d711a8b6a33baaf5d701f0ebf45

SHA1
08c3b7175570319b0c0f55268a4d6d8c29698ea6

SHA256
6ad302ed27ea9dda557af39d336285ae76019718b306f2fc172b5a010e5822e0

SHA512
31a863a68db9aee8d6e5c6a5719af3e95116e35f3cef5ae4377663b82e53632b3b829af6bd5f9c3e038271bd99afedf1b5782b9ec9ce9e3ad1cf2ba2abdca69b

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
56KB

MD5
1271558b4684bd2b075074d26510c2e0

SHA1
39cf43cfaa6eb9d205bda66d1f862ab4612f6b76

SHA256
d70e6d03382378783209bfddede4a3a0d26353b4e6bd2020667a955f1a3ec64d

SHA512
ab8c0ace10d5d252e882856294cf0a5497bcafb9b1f001913300c64c5a65f4abc39624f730ec318fac00d3343a772ba0c278fac0119f9dd49fb75f83f588d1bd

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
56KB

MD5
b3692700075007a1582a70434b700ab8

SHA1
01ba9214ff04ad5b8622934eb26167c98ccb8da8

SHA256
a177adad9e40b6c0ab78515c841294711328322142990d8639aec1e346e080ef

SHA512
d618c6f2f93613566454ede68ce75e3ca8d0770f148dd1ef8fc70c9aa8c6a799d155e6efd25ee216b3152b0310989ed3ba3d9c8e4fd0c2eaddfb19fd4f35dab0

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
56KB

MD5
bda6dae5547510cddcc859a8dd12a22b

SHA1
10d2e529e05c57f2f52e420cce70e87ee3c4850f

SHA256
dfd7490b8eec6533dfc010a2c994bfca387b4a1753763519baaac2c03f7a4bb3

SHA512
e9127a9f57979fced01bdca44430105b248753d25939227c00dd332e296caabeace01b8a36d1c743dbefed8432bb4c23b502ba9e639d66a96747ef48132f9f9f

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
56KB

MD5
2dd69e95c8eb24a618435c4221932d6d

SHA1
4d42fa91161f9944b5bb593b188f35c7b29cc6b2

SHA256
a9578b826662bbd75ccdd62b2c30ba6465da22f824cc145cdebcf6fda3edee9e

SHA512
aa25b8fd383eab2b3c98cb87d5c6b264ab6f546d5b5733e4cfaaa75a995d9b54797b723cd9e533fa7216918a42a8fd20e7965afb277c4d99b7147d65ce5c57d3

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
56KB

MD5
1f0f667a50b91ff6a1a80199aba389c4

SHA1
bdc4262e5724d1ea9fc162930373d6ea2da8a28b

SHA256
30729ee44fb802a64bc4686f8192c6af68a202fc7b802036e80a2fa7d411ebaa

SHA512
6a425ede76291b27bf5f8e1e294b7d9c758903dba9112d4506f12332487d30aae1edd3f2695ea5502c8ae9a6f6bf411bcaf916a666713d896504c922568c7416

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
56KB

MD5
bdf6c37fc8524ae3e6922e9bfd5e7f60

SHA1
152e622c517a3fa54d1b2653aa33987a0c09df73

SHA256
47f01dbec343cddb862956375af3f62aa37b9ef0b43c8c2a9facd0279aa6809b

SHA512
cab5408e097ab3b38e860aa1fc429e95a5aa3bbe1be7a5dbedea7fc04f895b65cecb88fd0686a897622114101969e25facf291fb3dc948c8bdf9aa4901942909

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
56KB

MD5
e5940fa1397190acc1bf25f42f04e88e

SHA1
79896381af9b0c96f4108a608e5d0fedb80bdf9f

SHA256
6eba3219e35eb7cdeca0c5351e26a1e2c42c9be131f1146704acea3201b6ff0a

SHA512
19e895ca5179ebc915374775ff7e24ed93523ec484398a2c4f518ec8204ff4e733bfeb889082bd3137cd8a375979fe78a8665c13f5c393ea7b6a32c4b6cfd265

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
56KB

MD5
b34f55629582a4293315397ae2dc2e82

SHA1
49f7879851e34cbd75dfe5d8acfdd5b684025140

SHA256
2a20893428a63a2101919ffe2f96823016db0f801cd8b53bab600467938a9efd

SHA512
413d19d7e08a08ea99f694c91aa17f238a4fe7e02c0d9dbc4c8fd4d39e92d39831d0fa794fd445b091a9777cabc5bab5df8c0075ff6b96a59df0ed9d0d248de9

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
56KB

MD5
c811372a0991bc074e25c17a6fd7352c

SHA1
6acb558f6da4c3b41357110e8665b9ee7b3dfda5

SHA256
ed49fdc322d98d458ee4bd2bc29e14e739cecf3c9a51e96168b335c6e21938b3

SHA512
4286d1036289d977fa71d61c936cfadc92c5d027a544bebc1b1f24d4a0e26dfea7f8ee03e69c1f92b5a1042d837be920c8d3d87601e0f649f48f46b70eafbb6f

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
56KB

MD5
3fe9ae944ae60b28c612f2f8967e9932

SHA1
f16f1fa76f258a517f99f93a0c28bc9409fdf769

SHA256
92f650d747e7d0dbc1e92607a03abf4fbf2015fe5f2672a9a8efeecd18cc56ba

SHA512
0f09daac1a5a221302f88d1692bc2ab8f3072963aa96f22772276df172a3d03125dfc7e9fa91093bd37277fb5b661d64aa9c0280d9f028db413a239442839a3e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
56KB

MD5
a3ca6c2f0e9daed2d258d4a64159247b

SHA1
fa7c51e4487f91c5fe9bc026ebd6cd208ebb89c0

SHA256
6904452a8b641ff394b25e2f24a17fb6f953ca70998ec9e23c312ac28fc1b41a

SHA512
ce2090e666477ffbfc41a3091cea14a0190db083f42ec113c207419eea21246231739922c705a47937df50cb5e9680a276dc033d663f82ab0a86f5a0ed028b75

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
56KB

MD5
a6e67f5a65a423a8be1f187067f788be

SHA1
5d796602b3c91414ca86e88a1d01ad0ec6c89189

SHA256
631e616e20f18abadbf56f7c0196e40e7f191f69c34cd09c2c19b586670b02cb

SHA512
7e6ccb40e314264baf4e8307d20d507f1ac2ab4123b9392d863872985c7624ad352e47b94753a6a1af6efd5d35c9944d0bc8ebede68a669a433e1a3ebc6f3452

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
56KB

MD5
bb165b07cb70787fb226add129fdc669

SHA1
24b4d34740b5348eeb69cc48c90b0d8fef615421

SHA256
dc868caabcd4540ec57c9a408257e67476860c3afa8c44676cde4d161a7e9304

SHA512
93ef4a390b6016f543fb03a4df9e6dd3304163d5cbc72b3f95d098e271862418c3574c24660dfd0d9f54eaf319169361c01e2b382b8b934e6fe3ef0115ea4588

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
56KB

MD5
c061ac0d68de7347173b05c79f1d91f0

SHA1
92e70346dc2ed46e38e8b1ca937d85e6160e1b43

SHA256
258c388403bea88adeb77cfdb93875e77d2056bc27b4c74470257a65d2522095

SHA512
defec4443dbd99a7169d2d61a0f2d452e9871d0955b41e5facbe9c137291de15eb6780f0930b96d5129dba2090eb23a051273bc54062b4e03a66f8d30e212e3f

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
56KB

MD5
f3e2b8c30f2dda5d733f8a6d543edef2

SHA1
03b81208fbef45a56202b86c5255ac38ecdcccef

SHA256
9747a60772375132d9c5d510924f72ec8a673557267242c29a3df6fd572df062

SHA512
bd9555c1a71f0af023153c6f6325a71e3fa7ae2828f9b91142a636f70bae1f4dd010b4855f4cfb82455e75c71cc1074a5abdadc2f1be69e720fca091c7134814

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
56KB

MD5
34365c0627a8c784196be56dc3c4ae42

SHA1
581e3a88cef9e3300580c176d61587cccf67f228

SHA256
5f0b3f1527d54208d2223c5f6feecd178d47c4cff33725d108752c27a968e6dd

SHA512
9707f4e350ee9e0fd97f107a0a8e392cf7f4f24a59c16601c26cc7f855aa58d91c513e961705fed9549425ae752763b8fe4118a06c938b9536efabd8f9fb0520

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
56KB

MD5
e7ea829f3b5daf6842de04d6b5b558f5

SHA1
0bf68c016f9b00dcf214605903ba237af4f84436

SHA256
5b4f6d2c756d48048ce94d06d874e5409dbc62db17fd2b7768c1e224dba764ce

SHA512
ca50c8c59b270f58838df64b88e0d9995e8f327f1349254171eb8d87bd2ee2ecaff601ccff75d33638d3a1a9295b00619bf3af3f98c121889795cf84d320f569

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
56KB

MD5
6ba805a28d27155603970c3e79aa884a

SHA1
4f4ec73303de4a9bc213b3a52af3744cfeb99139

SHA256
4779550369544354593111e2250a9e985b53f134e122f430bfdf9280c37c923c

SHA512
d8cd23f7c72d9c8c7cba87cf94999e84ba4d1c80b9a16dfe73c48ee7bf40e2a80c86ced52ba0737bab2c1f7a7e5bdbca2785fa1c757795eaad4241bae037f86a

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
56KB

MD5
76e9b6f38a79b241149e5c94ce8c49b3

SHA1
f031c74571b4caf0b2b4e02d569d49e449b355a2

SHA256
4bb0ede31fc54a9acc3fb3ee70d4d3950d138d5fd82502f119af104755f3374a

SHA512
524742cb447c9f0b2509c8083e8f4c16a03233277116a434571842d462039688234fa0301cffb455ebcf071977381efa3f449b7f5b334416847b9d07e9f6fa71

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
56KB

MD5
59b9fc757dd2746289f79cb31989382f

SHA1
20258d21cb3fa9e1cf646332256efc575eae6397

SHA256
2004e636985516dcc1fdbaec8b6b78139c6b25a38627719f745807295b812f66

SHA512
6bc6f431a7bc9a38557bed8f0533e89b3c8a0cd14c556a3427917de934d03058783f350a63fe30dcdf4b7513a4955c0fc080ab0ff2345e36001dc2f6dee68a80

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
56KB

MD5
f148194867d82d4612483c0690b4d278

SHA1
8f9a7bf49d476324a5da2055360ac0d205809a39

SHA256
5fdebc8186517b0294591d46c6ea013784edaeba9499b4c4f4f9de3ea6c4ae63

SHA512
3f192a09a722e9d1e4dfcc98c1e63d142387d92cee38738b341183dcd0580b65bd9abd7f369dc7980cf95d3f9f014760260cb7cf707dc8a9453248595de99b6c

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
56KB

MD5
b4f1401325a678def6dc0fcc1dac1f05

SHA1
bce2436634b7a406913c88f8c1322f68cf7ce0d0

SHA256
77e04302fa9c6c6f2b03b0091f74ccb3e56fdabeee7862f0bd74150ede44f176

SHA512
91eadc471f9517fbf4a1bda6c46bb70d771ae65ac5db1c3c34307830070b9da383ef3cfb1d290787a96ac7a511774277e6b95f7806cd96ad62b7529b668b4892

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
56KB

MD5
8f3c553d83f38d33da627288f6c70a5f

SHA1
f5c115e9ab117e2b360726df7bc3a9eca01a625a

SHA256
02dd029d140141d602204aff050a44721291c177b57635e21e87d35c11ee7f60

SHA512
229c2a816b5bbf9a1690a8527e74149c15ddcad0553cf155842d3a54d78c49ca18406069c8f79537e85b97e85372015741b571b807e85045c72a969aebe4b5c1

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
56KB

MD5
b2a211876148497304a808601cd64834

SHA1
36e9b4e545f5ae3cde4720d091fc4443db0f56d2

SHA256
4d0b351b69dd7c07618218e9062f6b8cd9c76c58b1632565ad4c4adcfd5c418c

SHA512
bdf68bc2a0d2dd561987822ac909e5112812e7fc8e48141f776f8b1c90956a4a798706b087a2ab51f73bf18745833161572e72e73a6dcb34ab5aff9455a00f7a

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
56KB

MD5
a8495cace619aacae1b5a15fddb9830e

SHA1
13aaa98424586200747a5c09c03590402ca0c91a

SHA256
20def28eba8f57dfca47e8081c69ff41f8cedd7ec39d81c14d48a140c31479bb

SHA512
0f569682a3a65384f906b1bd9b0cc03eee65ffd848038cb2983bf4b82ff704b4ed6d41bc97f7f5d16f42836f8ffc7b520f416b8ae6666f7e708961773ce0518c

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
56KB

MD5
68f1c91e0b2eef770d7d6ee1ff553e3c

SHA1
9ed376c97de8e014db315db37504a05dd1a88417

SHA256
4aa4d6572aa757bcddc05401dd7c6c071504cc024da583099441ac4f96d4d2a5

SHA512
6078b2e81133ab2686de1e42d9e538eae062a3d8809d95b7ada469df81258b9be6b02e1ad54cebe0ef637adae3c321fccf3e2ca9baa26963bed1157cb7ecb573

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
56KB

MD5
2bfbb497c4372704c083e52339c889ce

SHA1
8f033626682fd63af20c0af0a34f4550b01fe5bf

SHA256
978a7f4561c6695f1961fbff25151f81ef203ab92326b865ad93536fe64e05b7

SHA512
83c05dd72016e0da96120fff3eca084c6deaf045efabc030c494858dc2828b2232ff2fe1525478e2491411b6bddad81efae8de65a700b48873953b710299686e

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
56KB

MD5
10e9d122c5017d29eff59d88ab573b6d

SHA1
77d8851c9723c346eb7697db462090d6f8a02499

SHA256
ca6363079f3d3ca1b2457662b9259c36221809ae817b85a34c261aef028faf69

SHA512
f859cb030bc13b0498507cb63c108dc4bf6f1cbde50c804d9e214addcb36d871ea93db04ae10bb0950972053ffeeade1710cd6d90f3fb6e32ee11c2d041406a7

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
56KB

MD5
ebac08f7793ead29c2d8b587bd6e5605

SHA1
3acf889e24fa4f2dfca30382d6f97af9d429987b

SHA256
a90c129fce6189544818151a1a596154ac358622491073f56b8a5edd3df168ec

SHA512
8d2d7b400afeeaf9f61cf15a697d01ddd943cbe180041570675b4d641829010713ad6efcec5ac402b54f912782dcf7d4801810480bfb9f34c7a193c423714941

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
56KB

MD5
f9be6db4f648e1d6ca2a60269c32b1d9

SHA1
3059aa30392409feb5ce6a0f9dc5699fdf294862

SHA256
bfdd609baa78a542dd6d732761dd72c386bb1600e10eac0d5848394ff3650597

SHA512
fb48e68ac4c48c10256df682a0db8bf77b8353ad79fd7d0358536fbd081d5c82a45b2b88650fe820137b2a4f4078a9e0635ceb215830b6e6af0cab82f437f15c

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
56KB

MD5
01bf4daa7886376288038e35cd9f0134

SHA1
66eb6993ddc47b3bf0e9905451e1af158012ea57

SHA256
52f475c601eb7b201463718a5b76731e34ee8adb0b66896af78d2d92bff9b766

SHA512
ed8bdc497d77d201ad2ef52d1e8378747b6bc9c79857db89aea98cb269c47c7feb667f3915d1b1213ebc107cee119807fe53617ac72bbba47eec06353278f2bf

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
56KB

MD5
af33edcb15b89fce53f01794a2f6a2f2

SHA1
30a9a522cfa47392190601c4d2e0add1ccf853c5

SHA256
9ae05870bb3be35554c5d57dc311d78054bf8279c10d8c3c04244e4823b69e36

SHA512
3a0350cb6bb7f95eec73144709c0eb78fbf17d7855f63b694eff616ab62045c87ed5b2ae2062812388442a6a94a677c51c2a606e00a08e2b3022787cdbdd78e7

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
56KB

MD5
98415ae6b8f64877f57f6ce4c183e6cc

SHA1
958d7b6f49cae4e0b99c7e06b5e43dd50119b072

SHA256
3d0c50b061547695a610dda36fc2dc995038ceedf8b93d5941578db55a008445

SHA512
edc4d8a1aba3d5d4124aaf55a5cc332b4dda6b85547c779277cf01792922d41069e35aea185461e807262a4a25c3b598b99ff7f341f3f55a273e92f097734d95

Download Submit
memory/452-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1472-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5904-803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads