0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 18:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Size

59KB
MD5

cd665f756c5e3cc88723fb39a951f093
SHA1

5c7532bc9552b5b8183ed75943c53e9c48814221
SHA256

0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b
SHA512

cff8b0f88efa83829e284399b231d1ca8ca81600feb6a9822a8c41cccda7f380d1cd8813d17780c243a5e6ea24bd9117a5cc834cf482fff4ec884604589a938e
SSDEEP

768:Hzabc8fOoUzpBh3IVxeobaNXyFHRNnB5hdAEJZ/1H5zr5nf1fZMEBFELvkVgFR:H2bc8fOokHUxQSljdlB9FNCyVs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgqie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bblcfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmddihfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acdioc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgoeog.exe

Executes dropped EXE 64 IoCs

pid	Process
4372	Ookhfigk.exe
264	Obidcdfo.exe
4064	Oloipmfd.exe
4916	Ofgmib32.exe
3500	Omaeem32.exe
2052	Obnnnc32.exe
672	Ohhfknjf.exe
404	Ooangh32.exe
2768	Oflfdbip.exe
2340	Pkholi32.exe
3440	Pcpgmf32.exe
5016	Pfncia32.exe
1924	Pilpfm32.exe
3600	Pkklbh32.exe
224	Pbddobla.exe
3292	Piolkm32.exe
3144	Pkmhgh32.exe
4444	Pfbmdabh.exe
2544	Pmmeak32.exe
4116	Pokanf32.exe
1508	Pfeijqqe.exe
4964	Pehjfm32.exe
1568	Pkabbgol.exe
1492	Qfgfpp32.exe
812	Qifbll32.exe
4740	Qppkhfec.exe
4656	Qfjcep32.exe
1524	Qmckbjdl.exe
1636	Qcncodki.exe
3648	Aeopfl32.exe
3416	Apddce32.exe
2028	Abcppq32.exe
2540	Aimhmkgn.exe
2676	Apgqie32.exe
2976	Abemep32.exe
4060	Aecialmb.exe
3852	Amkabind.exe
3660	Acdioc32.exe
4836	Afceko32.exe
4968	Aiabhj32.exe
3256	Alpnde32.exe
1228	Abjfqpji.exe
2920	Aehbmk32.exe
1464	Albkieqj.exe
540	Bblcfo32.exe
704	Bifkcioc.exe
1468	Bldgoeog.exe
3004	Bboplo32.exe
1900	Bemlhj32.exe
3236	Bmddihfj.exe
3932	Blgddd32.exe
2876	Bbalaoda.exe
2020	Bmfqngcg.exe
3232	Bcpika32.exe
3936	Beaecjab.exe
4844	Bbefln32.exe
3132	Bedbhi32.exe
4808	Blnjecfl.exe
1484	Cdebfago.exe
1212	Cfcoblfb.exe
4112	Clpgkcdj.exe
4132	Cdgolq32.exe
1012	Cffkhl32.exe
348	Cidgdg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Ihbdmc32.dll	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Aecialmb.exe	Abemep32.exe
File created	C:\Windows\SysWOW64\Eobepglo.dll	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Cfmidc32.dll	Blnjecfl.exe
File opened for modification	C:\Windows\SysWOW64\Alpnde32.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Doklblnq.dll	Alpnde32.exe
File created	C:\Windows\SysWOW64\Mmhpkebp.dll	Bldgoeog.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Dpllbp32.exe	Defheg32.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Mbgjlq32.dll	Bemlhj32.exe
File created	C:\Windows\SysWOW64\Kcgmiidl.dll	Cfhhml32.exe
File created	C:\Windows\SysWOW64\Apgqie32.exe	Aimhmkgn.exe
File opened for modification	C:\Windows\SysWOW64\Aehbmk32.exe	Abjfqpji.exe
File opened for modification	C:\Windows\SysWOW64\Ooangh32.exe	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Aecialmb.exe	Abemep32.exe
File created	C:\Windows\SysWOW64\Beaecjab.exe	Bcpika32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Bemlhj32.exe	Bboplo32.exe
File created	C:\Windows\SysWOW64\Ipekmlhg.dll	Bedbhi32.exe
File created	C:\Windows\SysWOW64\Clpgkcdj.exe	Cfcoblfb.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Ohhfknjf.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Alpnde32.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Aehbmk32.exe	Abjfqpji.exe
File created	C:\Windows\SysWOW64\Bedbhi32.exe	Bbefln32.exe
File opened for modification	C:\Windows\SysWOW64\Pkholi32.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Acdioc32.exe	Amkabind.exe
File opened for modification	C:\Windows\SysWOW64\Bblcfo32.exe	Albkieqj.exe
File created	C:\Windows\SysWOW64\Omaeem32.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Pkmhgh32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Abjfqpji.exe	Alpnde32.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Oloipmfd.exe	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Oahmla32.dll	Aecialmb.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cfhhml32.exe
File created	C:\Windows\SysWOW64\Qecnjaee.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Dmifkecb.exe	Debnjgcp.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Bboplo32.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Acdioc32.exe	Amkabind.exe
File opened for modification	C:\Windows\SysWOW64\Cdebfago.exe	Blnjecfl.exe
File opened for modification	C:\Windows\SysWOW64\Cmbpjfij.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Aimhmkgn.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Cffkhl32.exe	Cdgolq32.exe
File created	C:\Windows\SysWOW64\Pfdnkk32.dll	Cfjeckpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5964	5872	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcoblfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgolq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkabind.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acdioc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blnjecfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abemep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clgmkbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clpgkcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehbmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll"	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhopqko.dll"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll"	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Clgmkbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmddihfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcdeb32.dll"	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhpkebp.dll"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkejmgc.dll"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipiefce.dll"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doklblnq.dll"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecialmb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4372	1500	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe	90
PID 1500 wrote to memory of 4372	1500	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe	90
PID 1500 wrote to memory of 4372	1500	0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe	90
PID 4372 wrote to memory of 264	4372	Ookhfigk.exe	91
PID 4372 wrote to memory of 264	4372	Ookhfigk.exe	91
PID 4372 wrote to memory of 264	4372	Ookhfigk.exe	91
PID 264 wrote to memory of 4064	264	Obidcdfo.exe	92
PID 264 wrote to memory of 4064	264	Obidcdfo.exe	92
PID 264 wrote to memory of 4064	264	Obidcdfo.exe	92
PID 4064 wrote to memory of 4916	4064	Oloipmfd.exe	94
PID 4064 wrote to memory of 4916	4064	Oloipmfd.exe	94
PID 4064 wrote to memory of 4916	4064	Oloipmfd.exe	94
PID 4916 wrote to memory of 3500	4916	Ofgmib32.exe	95
PID 4916 wrote to memory of 3500	4916	Ofgmib32.exe	95
PID 4916 wrote to memory of 3500	4916	Ofgmib32.exe	95
PID 3500 wrote to memory of 2052	3500	Omaeem32.exe	96
PID 3500 wrote to memory of 2052	3500	Omaeem32.exe	96
PID 3500 wrote to memory of 2052	3500	Omaeem32.exe	96
PID 2052 wrote to memory of 672	2052	Obnnnc32.exe	98
PID 2052 wrote to memory of 672	2052	Obnnnc32.exe	98
PID 2052 wrote to memory of 672	2052	Obnnnc32.exe	98
PID 672 wrote to memory of 404	672	Ohhfknjf.exe	99
PID 672 wrote to memory of 404	672	Ohhfknjf.exe	99
PID 672 wrote to memory of 404	672	Ohhfknjf.exe	99
PID 404 wrote to memory of 2768	404	Ooangh32.exe	100
PID 404 wrote to memory of 2768	404	Ooangh32.exe	100
PID 404 wrote to memory of 2768	404	Ooangh32.exe	100
PID 2768 wrote to memory of 2340	2768	Oflfdbip.exe	101
PID 2768 wrote to memory of 2340	2768	Oflfdbip.exe	101
PID 2768 wrote to memory of 2340	2768	Oflfdbip.exe	101
PID 2340 wrote to memory of 3440	2340	Pkholi32.exe	103
PID 2340 wrote to memory of 3440	2340	Pkholi32.exe	103
PID 2340 wrote to memory of 3440	2340	Pkholi32.exe	103
PID 3440 wrote to memory of 5016	3440	Pcpgmf32.exe	104
PID 3440 wrote to memory of 5016	3440	Pcpgmf32.exe	104
PID 3440 wrote to memory of 5016	3440	Pcpgmf32.exe	104
PID 5016 wrote to memory of 1924	5016	Pfncia32.exe	105
PID 5016 wrote to memory of 1924	5016	Pfncia32.exe	105
PID 5016 wrote to memory of 1924	5016	Pfncia32.exe	105
PID 1924 wrote to memory of 3600	1924	Pilpfm32.exe	106
PID 1924 wrote to memory of 3600	1924	Pilpfm32.exe	106
PID 1924 wrote to memory of 3600	1924	Pilpfm32.exe	106
PID 3600 wrote to memory of 224	3600	Pkklbh32.exe	107
PID 3600 wrote to memory of 224	3600	Pkklbh32.exe	107
PID 3600 wrote to memory of 224	3600	Pkklbh32.exe	107
PID 224 wrote to memory of 3292	224	Pbddobla.exe	108
PID 224 wrote to memory of 3292	224	Pbddobla.exe	108
PID 224 wrote to memory of 3292	224	Pbddobla.exe	108
PID 3292 wrote to memory of 3144	3292	Piolkm32.exe	109
PID 3292 wrote to memory of 3144	3292	Piolkm32.exe	109
PID 3292 wrote to memory of 3144	3292	Piolkm32.exe	109
PID 3144 wrote to memory of 4444	3144	Pkmhgh32.exe	110
PID 3144 wrote to memory of 4444	3144	Pkmhgh32.exe	110
PID 3144 wrote to memory of 4444	3144	Pkmhgh32.exe	110
PID 4444 wrote to memory of 2544	4444	Pfbmdabh.exe	111
PID 4444 wrote to memory of 2544	4444	Pfbmdabh.exe	111
PID 4444 wrote to memory of 2544	4444	Pfbmdabh.exe	111
PID 2544 wrote to memory of 4116	2544	Pmmeak32.exe	112
PID 2544 wrote to memory of 4116	2544	Pmmeak32.exe	112
PID 2544 wrote to memory of 4116	2544	Pmmeak32.exe	112
PID 4116 wrote to memory of 1508	4116	Pokanf32.exe	113
PID 4116 wrote to memory of 1508	4116	Pokanf32.exe	113
PID 4116 wrote to memory of 1508	4116	Pokanf32.exe	113
PID 1508 wrote to memory of 4964	1508	Pfeijqqe.exe	114

C:\Users\Admin\AppData\Local\Temp\0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
"C:\Users\Admin\AppData\Local\Temp\0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\Ookhfigk.exe
  C:\Windows\system32\Ookhfigk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\Obidcdfo.exe
    C:\Windows\system32\Obidcdfo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\Oloipmfd.exe
      C:\Windows\system32\Oloipmfd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1940
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 400
        88⤵
        Program crash
        
        PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5872 -ip 5872
1⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
59KB

MD5
6ef62c20b580c32cb6dc420ec0fe5815

SHA1
b68330443ccf96b198b55c74ff1517b0f6e842da

SHA256
e5be7925b8f0d7b03e0b50751d483b292cde6af69754b2dd238f92794772c59e

SHA512
893a749d3fb6874d147ff51ac876914e07ddac6a1e0c1ff5b38d947add9e3991c8f5729847b4f94adfa6cc7504bad22f45b41c74ae36edaec5027ccfb2bd4885

Download Submit
C:\Windows\SysWOW64\Acdioc32.exe

Filesize
59KB

MD5
0522698f6c9a678f003d2e372d57ab8c

SHA1
1e1443540ad80156495146b5453b07c832bfa2fc

SHA256
4ef5f41c9084711272515261414acff8d56be71e6fc46ec755c4bc1327be9c87

SHA512
0c9c1aa12ab3c9b9d97698fb1d38ea82aff549c4c168e873b7e5b496714832086698c2f50d4485c32763e1c7c61de751f7a140cf0f8e437203cd2cb2408f91be

Download Submit
C:\Windows\SysWOW64\Aeopfl32.exe

Filesize
59KB

MD5
d6dc6ea8fd602f9df87dce4d2e20686f

SHA1
da55b53d3deb3bb377e564cbe26e34491d5ef195

SHA256
dde3f65ec4036c36e5afcf4c1f93af178a3e1df6d6214c239449d78595015329

SHA512
45499595ad969299a63766925cd1208bef6da1c422f3fbe271fb4476b5dd94b4adedd3e525ddfb95d25531938114b0f2b4c20ac3f7848d8f591345606229459a

Download Submit
C:\Windows\SysWOW64\Aimhmkgn.exe

Filesize
59KB

MD5
1fe63520455622cb6a781dbdb7dc5134

SHA1
44e88c1fbf65316dc5a4ac235d8575379ae318e6

SHA256
f4f3afbeb13abdf052f2cc9c809507a00e385e61330e90e67e6540fdf393bc31

SHA512
b73ab6e4c9593b1597980eee03a5c9dac3730d8f9b32905ac09002a1377b86d4887e7fdd15215af56bc5926de925f969f2a3063a4f99e55bb1369e15984e72f7

Download Submit
C:\Windows\SysWOW64\Apddce32.exe

Filesize
59KB

MD5
63aa423c7f1a46d346b13504c5d99d1a

SHA1
be68f95078f255e28dc6b369cad60e06005e93c6

SHA256
e3cdbc5a20ae608d39558d17850b84ca4d225bbb3aceef68695cc1cffff4b168

SHA512
6d350ee8875b80c9da7cc0118566d53ce2477355e587511a22f638f9344e53d2ae3fac777ad69d87c3a5fe43ef643ea8f85fdbc855ffc1951f9b33d17154d553

Download Submit
C:\Windows\SysWOW64\Bedbhi32.exe

Filesize
59KB

MD5
920c50e8a0920518ecd9ccf34869ec64

SHA1
699dbd75e96e17feb7568c89ca919fd57bc91936

SHA256
0ce7a40b00c39ee27adefff4eb4676506ae4b0ada8ccbef0f1e83d4f1f5f1350

SHA512
3fb42399858b7db6d1f36429a5e3d017b9916e47aed3b9bb893b382ad0a9bf5541053a2510e90a8f4e29c6754ed161d3bfeabba8f15a72cec350fc2c3b5478e8

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
59KB

MD5
4ecf2c8ddbd8f266e5f3ac9b724e207b

SHA1
540aecb6d85ca1a65d9497af23954e13c58d251e

SHA256
48da303a4fd9c2721b756fe70ede3e272f19187bdb63f1af67feb1ed27bb327c

SHA512
95499ac44d503798dc0772cf4c62a84f5296eb1ae5270f6767c8e9cf5ce4a92fb71739610913fadb3e52fd200cb81bf9ca9ba52c0a000dd0b12f9d8271a14fdb

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
59KB

MD5
abf547b8e65cdd0e84e7ba9d76aa6ff6

SHA1
f1227a32e5da1f559a91ebd231dd52a8c35bb397

SHA256
6cf66a9ea3337b6c2031c0f8488f8cf5006ba3baf89f124fc302d0b4f27e1db6

SHA512
0a8dfe16354c55e535d97c1e7d4476fef9d3edc75aa52bd9a45684471967170ab68480ec3e8607fc2ea978f55386c553cb9f2101008422c311b69b412cf719e9

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
59KB

MD5
5b7493ac8c159e09aed4d85912aec95d

SHA1
83b909befa880ed6f5066cd5cba97b8e83ea188d

SHA256
73758d064a7e03c1d4ddc722523413ce153a7749db135f53296b1616902d184a

SHA512
5e18e416f3c7302d0c255df077499c17c0e1d1f3722f551f71f5806c202ffcc5f4e642e2de52fbaae92fb3bbfe59844bed08cfad18ffc9fd78827763a73d7fba

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
59KB

MD5
58428dec05d41dd3d9ba3ddcbe35bf4d

SHA1
353c6ed3759bd2976441b8cd47abcf108ededb3f

SHA256
06d24ba357f00ec97053a67cb06ecf3330946f342ed925bcbcfa08b58cb792c3

SHA512
ce2ce047fcdf917446714baf4aff59776f3abaa2707be74d3564f8a467a747e750898f4ad599c5a2c4fb308ca22a8d070cdb25ced028f4542bffd6e6b0d3b597

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
59KB

MD5
0ee8f4dfc11159d138f6f689b8dd59fc

SHA1
7126ec06029832bc6bbb480fc36b899132a6d9b2

SHA256
253ac6daedf326a65fd90aa10ba784e36a7485cc1a6cd4ec86db2a8b5bdfc64b

SHA512
0c0259cca21ff22691ea5a1e87e5991df4727c4c2be7e1fe10fe4588409e843319bb15dd7b2aec17fdd7781d35f94165f69d31bd6c8d2b1dfa77e285d73ae0e2

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
59KB

MD5
77178273d6c13a6d322e7ddbdb6ee2c2

SHA1
bd0a0329a6128c2a18ae8edcce8aba15c53d1fe8

SHA256
d4cc342ea0eacf151429c15afb9d240a292e28820d334171faf64648bf0c7831

SHA512
b923a51fed8497bb8bee7673cc7598aa6ee2c0548d6260c5a55af110724f3bbb6df1ddfe205a359d32f118f883dfe7151cccf48ca52ac32eacbe63e346a6398c

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
59KB

MD5
889d85a4a174a78ce7ad37adf7ff1b1d

SHA1
89bf70bd0015ddc81a063256b4535e308c3e0cde

SHA256
7420e26ac5e6d9d30481407d9c9fa19fa74674cb9bb9587f034854f704eea7a6

SHA512
f0279ac1dd64ff684fdf35714a29793b859d081dafd0c30a06c90173758dfe42f616da2b1125726ea7455300e0d810fe8eef44c12d2f29620e2e10ee73f18773

Download Submit
C:\Windows\SysWOW64\Ooangh32.exe

Filesize
59KB

MD5
e6253e72c7eb41c56286ce0deb9078ec

SHA1
e57a6bea1bcd3c9cad321d6e5e4f31eedd2a0127

SHA256
0042e4b87b4307862289fbca03645d27b8f57e5bf356846268a2d6256f989759

SHA512
835b364d83b6ef7926991bbcc7008872decc5bcbda93f6028d520744cdc2293074cf943b0c215a51f1359f9fd3c685035dcb1565fc68dc86a8f7396dfa0a5ba7

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
59KB

MD5
58068e556297c792e85eb2783bda87e8

SHA1
b19524b9a8d548447a8c53fb88a4e5900435f0b5

SHA256
93cda660ddaade8b58c95af36151e91f7e9181523670a1033e6eb537b458d61e

SHA512
c36ce8d6b1d5f82d208ce65ac465228eb1837a53d7223a016be831fa0c26e774596219364f68380ed5cdde3f43cd56bb60ef24c8ff9c812e8e3d36b71eacb28c

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
59KB

MD5
c338a674d90501c1ca4f2d0c04b24eb6

SHA1
ce5d30a16288cfaf80cfb55c49b1b0f98fd81cb6

SHA256
ceeeb85558b52b7a512af91e8c6f90689f6675cec97a9e0a0f49d9aeb18b9e04

SHA512
62884131d6e08752dfa4528974b05b4a1ac550a760ed68c8049b964652aa00e793864e71b07dab9a21b4df54b3ea68f3a35fa44cff31b499210e40f32540f9ac

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
59KB

MD5
f945f848149dff197cbc5f539c1bb731

SHA1
5d392a6e0fd1d7019bca488adbdd36379965d52f

SHA256
c0d9cc83c15c0be56acda8091ad9d3482b48a385ab4c6e5b2ac5e4323ee499be

SHA512
00ffbe750808cbb7bbbbf99b11e8465794c21292781d74b766b45a558cf99896ddb901e4dda660021633c18a61ef67ffe9a3d614b62c57ba460deb35226496a5

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
59KB

MD5
f86dfb0eea03ce796c59009a174fb6d1

SHA1
84a1d745d0aad19b8e908667847ebb1e34bb94eb

SHA256
6ebb5da2d512bbdbb2be7c073af5b4f7af05705f8cd589f8eedf6a590be2652c

SHA512
041981fbb25ea30aa2d682146a7f58a5bbfa62af27b9332f394405a9d54c7ebb039cb2b80d25eff41654d99118e9d9553c487965a065ab7404ebb95e782dbc63

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
59KB

MD5
c6f746f1d44ee6e545a7b482fcf6ab06

SHA1
b585946cecf7fdfe3db864ceae1318f8447d9c13

SHA256
dcc8ef35593a082961473a52f0d54597e688f4a001f0529f3d7847a0baca67cf

SHA512
8c4d80f69446d6466624523afb811abb78085931cb703895147cdab2886509587fbb8fc52e9f5f1e52a490e0de134b78b83f5495ad85293d6ac80e6871cd79f9

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
59KB

MD5
9685f0377b8d95a113b2d52cac1192f4

SHA1
4dc8ae6059899726093a9adefe742a3274da7ec2

SHA256
9e7f66ef004e66719bc535273bb0fb839b07f1a7fed1c6d73d8122a57326a082

SHA512
72bab45e1a370a672c05931d8a7d1a5f410d1c18381e3ae6b6bbe3a1cdd87ff3114657964b3f3fe7f62bae9e6a2a78eed2d20151236094b9f566ab28d7872064

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
59KB

MD5
93eb7bc90c350abecd3bc890d0cf564d

SHA1
3c4235232efae38a2c8e88399d4740278345497e

SHA256
47e6e3305b14e8eb8d5e6a68a3df0785148118e5d3dd3b0b6892924485840804

SHA512
2ff1931d135ca661e4616bd79b432ec95d25a63e15dbf48fa86bd91fb292016f5fffb694939329c4edc952f7180bc7d3a2fc917e773b88ad88fbec1f3427b55b

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
59KB

MD5
96efc5798d69b7f7a0a2224f3361ee3c

SHA1
6a20429a044914efabafd4cb955edad73504135a

SHA256
6638f4a7d0fe2fdf09d61329a3d6000fa90380d27ec9e56a279e12a23c009a7b

SHA512
770a42da815a5c3167776355e1ddc2007a490371c8879be632b8ec8546a41f636a22661715bc242269eb59521f84c7bb554ab2d5657c029484b0c033921e4ece

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
59KB

MD5
3079bbed550afc36b0daeb782d224104

SHA1
edd6c96e91c623f3f708238dfd48e02fd67fd5a8

SHA256
de5790ccee54ca43684aff7102e435014dc942217c4b8c5cb9abc919a31d07b3

SHA512
c842895ad145c046c9cbde0089b8b830dd0d2936fe35780ce03ea601f8240bc659edbce4c56d71d0210708e7474af2dbf0d0db82897e2b0c7b28c0b527e44bc2

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
59KB

MD5
dff92763ef46fbbeda339b17d436b0bc

SHA1
e1a660b0ea7520d2107316a9735e91863d1e76e6

SHA256
0eb1597832eb08a0726a46adda3e1a148338d9189e99ceca114e3a0c03578e33

SHA512
406ff7229415a46d6d42a13eba622b98abe5790f35d3ca4f9aff43e9507cd69b1fd92d8032f7e9f1a2fa0889252c2dcd8f259eb53967c1d82ffc3a34799fe7ee

Download Submit
C:\Windows\SysWOW64\Pkholi32.exe

Filesize
59KB

MD5
dfe49cec1ffcc7b77b4381df7197f343

SHA1
a45c0332df17227a0ec0c0b466fd7eb420f19cfd

SHA256
4686215aa8d3f81eac1a937544751286bdcbe97b47c0bcd9f8c8163800bf927a

SHA512
caeb60925eda578ef1563c9f850bd423b065208884f2545e530163e876cfc7325afbc2332efc5a437a6413af8627d044a39371501a602128d4cd5f1028af839f

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe

Filesize
59KB

MD5
9101746a6f78dcafbac2447ce7c87d5c

SHA1
c07b184781ca8aaf2e58ede2216847c0c33179aa

SHA256
ccda4dc98238903d164fef0e985e00245093e45f014ae321c7e5226960813578

SHA512
a1a0c5e977074fe7504fa2a4c9e5475b5d6077780ca0a6ad3b395243b12e0f381dc94f2786ee6eadf1561452729edd56a1e0a93bb7a629807c0916117d74478c

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
59KB

MD5
01d8648c2d776462557e5925594b873a

SHA1
b285cbf66962ec9ef447c9430e9bf8938f59e881

SHA256
eae52ab5345e7a616b2728053c0dc69e610fc78d0118534f2922c7fca4133be3

SHA512
99c5d970a3c5c122f298f2358df156a962dd2b3dcd200327b154095ace005ef4bb93a1db6d6d4179caec38511ba8c83fc6df2aad11bf2c54b7aec2acfb0e9ae4

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
59KB

MD5
b5ead82e764287977118aae9395bd34e

SHA1
2a21b67eab24762c4d6dfbc016752996174a9757

SHA256
e398ad892d621bee3ed96ffc0575f0e2950dd64548b577d75a9a893e62acfd45

SHA512
6ffb0220b3176803a09dc334077e5b437c5210a2f8be554faf179bb0d8d8deefa588dcb63c4b6f7234e6dfefeb2322d61741e426f54bc22d136c94014025eebe

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
59KB

MD5
3d1b45a58279ed4d1a97e9c7b3f0e285

SHA1
617c3b3a4093e2374a896fa1e786db6704bd8651

SHA256
be55fb61c0512614422f0854973dcc7a08e98bc20b4e5fd53fd99d7bea6b675b

SHA512
0713f36a6661ca0bdac18aa32896f72e2c45011f3db97d32a789757b780e8595b8a1e6c319d310a28e2f2ea5ee0165918b7e3d8c49c9c4567b6cf102157cedb2

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
59KB

MD5
eadc3e62ccaf48f3039c8f54d885e43f

SHA1
18051c2019a8032673f21cbc7f9d080efa8f9c10

SHA256
ca5af44e0e004b9403457d0252fbf0434480658a11b166a2a85c65a47e57282c

SHA512
b34bcd4490e8e0cf4aa15f1dd83fed3bf83c3f9d4a48453bff3ffda87ef0f1168b8f801ab5e3486df424c464921d5de76d34479a37ec783c56986c9c10995d3d

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
59KB

MD5
9df0aae52571abf70c5c5ae44767681e

SHA1
5f8f3bfa0238335484a1bb0d50938eaf9abbbfd3

SHA256
da01757cc509cbaaa9f593bec576bfc4c3a2644a421b32bd903dde01eec18c2b

SHA512
b7c2017ae0a6c7d126a17b77c90f52e49fc073850a30365223ce665d8630518466765ac525308bf60d63ccd7d878d95fed1baef54ccd59f0fd5bea427e663898

Download Submit
C:\Windows\SysWOW64\Qfjcep32.exe

Filesize
59KB

MD5
279af3d3043a6341899ae86b80da9e8a

SHA1
97d1623aa5e5dab477347c66214d6c27f7a334bc

SHA256
060cbd4738783d51996158fd4af44d61124375c972fcdeb65eadaa1a152be708

SHA512
03ed8039bed7cc3da104f622cdaaf995db46303bfa9f49ba13ca8c900b3c89d2d77ae837d28b88d6555d7ca7ec0f3add6bc446f0bc07a3910e0b7762b380f398

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
59KB

MD5
2ef58cf4697940e10c2672d6a231f91e

SHA1
0dd539f7c4d0db9698036a46d5e581420c8be5b0

SHA256
1cd3df5e22f4a2a7ea9dc691954b1144557d450e6f2cb7d2f2f591a194e62f90

SHA512
33f209a66e1202a906b798cc2f7d0472a6e116319014adba5bb94d535e9824c33555e017f4d3a6034575b5b5acfcfe911cbea2776c0f54e3da3e29291afab793

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
59KB

MD5
94174cbd265c394fb11ebffc696229f6

SHA1
b7c94c1c19f9c917a234befa09f27b908e4efcf2

SHA256
d4a077c8c8b71069d50b0e7b74dd743ce9e6f9293e93b27f595cb7399c51fb89

SHA512
d9fb0315c1cdfd06090d4527fa1d2f0ec9893f55241d5bc1e4c74563063439ae84c2fb9a110e25144bbd5e7cd741dbf883aa6aa2c71f504cf45aafee70df8891

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
59KB

MD5
4aea342a01bacc4be06d60cda532bc31

SHA1
90a6218dfe7e2e6f0024437c5cdc671b4e1b19e9

SHA256
704f01e6756966d575123199daf5d72ce9cce3bafb05faee8b2323e11235d02a

SHA512
049cfb2b0061beb49b6fcab5bff8eb9d60a9328d7d41bf718b93019b4665385568426e11ab183ba7fd820e28ac8af810d45f85f1ea7dbd2134afaf54aae9a394

Download Submit
memory/224-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/264-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/264-552-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/348-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/392-377-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/404-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/540-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/672-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/704-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/812-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1012-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1212-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1228-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1464-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1468-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1492-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1500-538-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1500-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1524-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1636-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1900-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1940-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-579-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2544-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2920-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3132-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3144-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3236-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3292-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3416-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3440-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3500-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3500-572-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3600-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3648-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3660-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3852-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3932-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3936-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4060-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4064-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4064-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4112-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4116-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4132-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4360-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-545-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4656-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4740-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4808-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4836-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4844-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4916-565-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4916-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4964-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4968-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5016-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5128-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5168-472-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5208-478-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5248-484-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5288-490-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5328-496-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5368-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5408-512-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5448-514-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5488-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5528-526-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5568-532-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5608-539-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5652-546-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5696-553-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5740-584-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5784-566-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5784-583-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5828-573-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5828-582-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5872-580-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5872-581-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads