1ad81a55ce5d4c37c8c290cff453b3e2715208579aff528c60c6a580fb77c1ff

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f6f3a39f3aab802704add7c4f85a20N.exe
Size

582KB
MD5

e7f6f3a39f3aab802704add7c4f85a20
SHA1

e747752229986e55bdea70dd207f30a19540db24
SHA256

1ad81a55ce5d4c37c8c290cff453b3e2715208579aff528c60c6a580fb77c1ff
SHA512

beccbd967980f8ba444824c7e82f064f202b06623d9224585950ad4d0716aadc989917639f3dbc6404d9220a5744f0823db065eba2209ed49dd405c186937d42
SSDEEP

6144:F5hueYIQHZ4ii7+1bRtPcCrc6egLCCGP7+1bRtPcCrhCRkR/+MG7+1bRtPcCrhr:fXpQHZ49YNrAgmCAYNrekcPYNrB

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e7f6f3a39f3aab802704add7c4f85a20N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe

Executes dropped EXE 64 IoCs

pid	Process
1140	Ncfdie32.exe
3080	Nnlhfn32.exe
4536	Ngdmod32.exe
4880	Nlaegk32.exe
3620	Njefqo32.exe
4924	Olcbmj32.exe
5012	Olfobjbg.exe
4396	Ocpgod32.exe
1660	Ojjolnaq.exe
532	Olhlhjpd.exe
3796	Opdghh32.exe
396	Onhhamgg.exe
2192	Ogpmjb32.exe
2288	Olmeci32.exe
1952	Oddmdf32.exe
1336	Ocgmpccl.exe
1892	Ofeilobp.exe
3836	Pqmjog32.exe
2572	Pggbkagp.exe
2896	Pjeoglgc.exe
3780	Pflplnlg.exe
1348	Pdmpje32.exe
3456	Pcppfaka.exe
3388	Pfolbmje.exe
3520	Pmidog32.exe
4712	Qmkadgpo.exe
4276	Qdbiedpa.exe
1264	Qfcfml32.exe
2812	Qffbbldm.exe
3060	Ampkof32.exe
3448	Ajckij32.exe
4168	Aeiofcji.exe
4272	Ajfhnjhq.exe
3588	Amddjegd.exe
3888	Aeklkchg.exe
1052	Agjhgngj.exe
2556	Ajhddjfn.exe
3916	Amgapeea.exe
3180	Aeniabfd.exe
852	Ajkaii32.exe
2588	Aadifclh.exe
5016	Bfabnjjp.exe
744	Bebblb32.exe
216	Bjokdipf.exe
4212	Bmngqdpj.exe
3412	Bchomn32.exe
3516	Bjagjhnc.exe
3500	Bcjlcn32.exe
2124	Bfhhoi32.exe
4932	Bjddphlq.exe
4744	Beihma32.exe
4512	Bfkedibe.exe
4328	Bjfaeh32.exe
3692	Bmemac32.exe
2520	Bcoenmao.exe
4592	Cfmajipb.exe
1020	Cndikf32.exe
3956	Cdabcm32.exe
2460	Cjkjpgfi.exe
1948	Cmiflbel.exe
1492	Chokikeb.exe
2452	Cnicfe32.exe
3884	Cagobalc.exe
4668	Cfdhkhjj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	e7f6f3a39f3aab802704add7c4f85a20N.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	3828	WerFault.exe	167

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7f6f3a39f3aab802704add7c4f85a20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e7f6f3a39f3aab802704add7c4f85a20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e7f6f3a39f3aab802704add7c4f85a20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e7f6f3a39f3aab802704add7c4f85a20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e7f6f3a39f3aab802704add7c4f85a20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1140	1256	e7f6f3a39f3aab802704add7c4f85a20N.exe	83
PID 1256 wrote to memory of 1140	1256	e7f6f3a39f3aab802704add7c4f85a20N.exe	83
PID 1256 wrote to memory of 1140	1256	e7f6f3a39f3aab802704add7c4f85a20N.exe	83
PID 1140 wrote to memory of 3080	1140	Ncfdie32.exe	84
PID 1140 wrote to memory of 3080	1140	Ncfdie32.exe	84
PID 1140 wrote to memory of 3080	1140	Ncfdie32.exe	84
PID 3080 wrote to memory of 4536	3080	Nnlhfn32.exe	85
PID 3080 wrote to memory of 4536	3080	Nnlhfn32.exe	85
PID 3080 wrote to memory of 4536	3080	Nnlhfn32.exe	85
PID 4536 wrote to memory of 4880	4536	Ngdmod32.exe	86
PID 4536 wrote to memory of 4880	4536	Ngdmod32.exe	86
PID 4536 wrote to memory of 4880	4536	Ngdmod32.exe	86
PID 4880 wrote to memory of 3620	4880	Nlaegk32.exe	87
PID 4880 wrote to memory of 3620	4880	Nlaegk32.exe	87
PID 4880 wrote to memory of 3620	4880	Nlaegk32.exe	87
PID 3620 wrote to memory of 4924	3620	Njefqo32.exe	88
PID 3620 wrote to memory of 4924	3620	Njefqo32.exe	88
PID 3620 wrote to memory of 4924	3620	Njefqo32.exe	88
PID 4924 wrote to memory of 5012	4924	Olcbmj32.exe	91
PID 4924 wrote to memory of 5012	4924	Olcbmj32.exe	91
PID 4924 wrote to memory of 5012	4924	Olcbmj32.exe	91
PID 5012 wrote to memory of 4396	5012	Olfobjbg.exe	92
PID 5012 wrote to memory of 4396	5012	Olfobjbg.exe	92
PID 5012 wrote to memory of 4396	5012	Olfobjbg.exe	92
PID 4396 wrote to memory of 1660	4396	Ocpgod32.exe	94
PID 4396 wrote to memory of 1660	4396	Ocpgod32.exe	94
PID 4396 wrote to memory of 1660	4396	Ocpgod32.exe	94
PID 1660 wrote to memory of 532	1660	Ojjolnaq.exe	95
PID 1660 wrote to memory of 532	1660	Ojjolnaq.exe	95
PID 1660 wrote to memory of 532	1660	Ojjolnaq.exe	95
PID 532 wrote to memory of 3796	532	Olhlhjpd.exe	96
PID 532 wrote to memory of 3796	532	Olhlhjpd.exe	96
PID 532 wrote to memory of 3796	532	Olhlhjpd.exe	96
PID 3796 wrote to memory of 396	3796	Opdghh32.exe	97
PID 3796 wrote to memory of 396	3796	Opdghh32.exe	97
PID 3796 wrote to memory of 396	3796	Opdghh32.exe	97
PID 396 wrote to memory of 2192	396	Onhhamgg.exe	98
PID 396 wrote to memory of 2192	396	Onhhamgg.exe	98
PID 396 wrote to memory of 2192	396	Onhhamgg.exe	98
PID 2192 wrote to memory of 2288	2192	Ogpmjb32.exe	99
PID 2192 wrote to memory of 2288	2192	Ogpmjb32.exe	99
PID 2192 wrote to memory of 2288	2192	Ogpmjb32.exe	99
PID 2288 wrote to memory of 1952	2288	Olmeci32.exe	100
PID 2288 wrote to memory of 1952	2288	Olmeci32.exe	100
PID 2288 wrote to memory of 1952	2288	Olmeci32.exe	100
PID 1952 wrote to memory of 1336	1952	Oddmdf32.exe	101
PID 1952 wrote to memory of 1336	1952	Oddmdf32.exe	101
PID 1952 wrote to memory of 1336	1952	Oddmdf32.exe	101
PID 1336 wrote to memory of 1892	1336	Ocgmpccl.exe	102
PID 1336 wrote to memory of 1892	1336	Ocgmpccl.exe	102
PID 1336 wrote to memory of 1892	1336	Ocgmpccl.exe	102
PID 1892 wrote to memory of 3836	1892	Ofeilobp.exe	103
PID 1892 wrote to memory of 3836	1892	Ofeilobp.exe	103
PID 1892 wrote to memory of 3836	1892	Ofeilobp.exe	103
PID 3836 wrote to memory of 2572	3836	Pqmjog32.exe	104
PID 3836 wrote to memory of 2572	3836	Pqmjog32.exe	104
PID 3836 wrote to memory of 2572	3836	Pqmjog32.exe	104
PID 2572 wrote to memory of 2896	2572	Pggbkagp.exe	105
PID 2572 wrote to memory of 2896	2572	Pggbkagp.exe	105
PID 2572 wrote to memory of 2896	2572	Pggbkagp.exe	105
PID 2896 wrote to memory of 3780	2896	Pjeoglgc.exe	106
PID 2896 wrote to memory of 3780	2896	Pjeoglgc.exe	106
PID 2896 wrote to memory of 3780	2896	Pjeoglgc.exe	106
PID 3780 wrote to memory of 1348	3780	Pflplnlg.exe	107

C:\Users\Admin\AppData\Local\Temp\e7f6f3a39f3aab802704add7c4f85a20N.exe
"C:\Users\Admin\AppData\Local\Temp\e7f6f3a39f3aab802704add7c4f85a20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\Ncfdie32.exe
  C:\Windows\system32\Ncfdie32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\Nnlhfn32.exe
    C:\Windows\system32\Nnlhfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        24⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 408
        82⤵
        Program crash
        
        PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3828 -ip 3828
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
582KB

MD5
f6e8bad9e9166233f931f481623901ae

SHA1
bfa6ea283524630c81be05351d140e6576eb8523

SHA256
eb08e9c6a37fa5c531d0b80644b667023a9ff0b4e7d4078291101d5f56661b16

SHA512
6174326572c1403f39432b95f76f352044f6b786489a75293c0c8c191546d89ebb3226f3b469432037e2ff87dc3a43a58c7e499ddc282600098687463b0c5e90

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
582KB

MD5
1d92c0b02dfcbbdb386796360bc1552d

SHA1
5eb8da1146889f06e8b53c761153beb35e16c42e

SHA256
ecc263db1dc370716beb0146e966d3f0f3e9de9c0b8bbeda60eeb3e8e6d28950

SHA512
c810673e5cd975bde97cc1cc49dec3635c5861af94cd2fd9e11911348836a76f3b270b204ff17f04972d190d5b2ff043999c114da0dd029f309dad7bc0fbca34

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
582KB

MD5
42a379c77d26296dcadf82d4c69fe4fe

SHA1
8644f776fb9a21dfcaf25ccf52cecaa8fe8db356

SHA256
ab331f59afb017a745908d064966eaca5cbe66c532a93de3d4b94dcdd029657c

SHA512
285d6783a8290b41642b3b583c15ee6d52ba4446c73e86ebb57b0ea27837785b24676d1b4a80fc61501484c88d5de4df2fc3cc414a8ddf100497a5b801b363fe

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
512KB

MD5
58ac33ec2d884232327bba5829618e30

SHA1
c13ddb6a7981d08c732f34d843dd8fcd83269d36

SHA256
32a6043cd6819c769c0d33ff8888c1f3dad8ffaf4c6b409fa74e0949451296df

SHA512
5db82facdc1142c192f7dc5e43d8482f06cd483104b24107a9d4d79aef242480e218901e3e44b2633ab8355e56392710cee4b8f71d002448acfcf29f91089d14

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
582KB

MD5
aabaf4eb6407f7548ec141e5cd303e3f

SHA1
f124a46f929b480a4f0d922799194168981b10a8

SHA256
9457dcbf9144864c3e791a17d56933155e949106aedc648ac39128834fbec30e

SHA512
0e72f15a28a79875d2cae10b75442591048efc12d06dd999c463d92edc79767b958587fb31b1a3a0b887c228fe4f2017d97ae83f30a4d4fd19145bf6e758d8a6

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
582KB

MD5
e37eb239eaf8336b0071e97908dfd8c5

SHA1
1d5902b1feca94c6a0d8f6900f836496120f8823

SHA256
ddcf8f87f49a0ec71ea837d15e05ed00760abcb38f50f3418ee797e8c5ea0069

SHA512
ad559b6e99fbab3748a00a506d5fd64f7d2407d51bd0b358a77374853a77f228510a58afc88d21501c474e906081dfb594ea9349d754de39e89a5cd42172ab42

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
582KB

MD5
49e7e654492c2613dc8328e08d53d1e8

SHA1
14588c52b4415d2b58194bdee6c1d3f3c4860081

SHA256
a356f13ec72aebe7c28fab029dfbf377dc9df13624e47fe95cf8d371170b7ef7

SHA512
c4dcadf09e01a20d6b1c99a74794c66159f220cfe61d6f1c5f8dedc837734f69c799cab20f583b0765870585050be61ca1331b1d923dd6a29e5f0e3275f1947d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
582KB

MD5
1ed12cecfd11b488ecfdf16fa9bdd0bf

SHA1
68cd2bdc674d76bed195eaf5bf7e941f5c6d2bfb

SHA256
c0691d8226b5a95d5b3dff1bb9ce4a06dc9aa6a390b8f6cab89792b07d543cbc

SHA512
550fc7884c373293bc5f28ea1b91003329424006ae8faccde5313580e3ba00f7a446ebeb61a9974247cc8a631ab35dd1005892b2e2ba664be7d748c59676d6d3

Download Submit
C:\Windows\SysWOW64\Jdeflhhf.dll

Filesize
7KB

MD5
df18ac9c54cfe80d6020d09bb6b2f47c

SHA1
6499f343aab959630f74fbf0693a1e769740d692

SHA256
4c3a7dbc8c4652d0b0d4a64f5bbe559c5d01cf40f894278245334b492d00eee1

SHA512
b4e512c51e83bdffc9c859abd829e9fa7a3a0f2e7e7cbbb078935d9e14c0b4d079a27de7ee6918041796dc458e38b8d73e2e1a9757ee93709da132a369978c8c

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
582KB

MD5
3363cfd37888af0e4163ece9984a4b71

SHA1
3070adfbc861511df5a2f403a9392bed2a1dfc39

SHA256
cd5a4cc48968bc99f99915309c6f04526633028b65f9eac5041bd0c9c8bab1a2

SHA512
11f2e22c6e318900b6d4602590ef6ba91ba950fdbb345b16442ff4c6a241d164a042692cded05ac4321ec1326416e6d741886eafcbe83b6f26140606ec21fde1

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
582KB

MD5
37fb8489df218c8bebae7158f5dc0385

SHA1
f148fe83e5577c707af04dd2d852b4e98c29518a

SHA256
8b6a0a0a93085a3a33443fb382343db9134cc2c1b3a0e4d311eaf54bfc8d4db9

SHA512
5755a93e4b3576a2a9e14f54a0b84063f0d8d8e43f9319ba96d28e7707ea5b2a49fe0eba88e7f975c3f8f53d89ad1342d65d8e53e5ccdefd027535dc348a33d5

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
582KB

MD5
d3854fbd5445a664cbd75a4b1b9f2420

SHA1
eb252a74f320c3ae21865d87394061c37d755cf3

SHA256
394df6452c25bb0cd75f8499ba7921915dfc28017facb934bde11a90ce2af34f

SHA512
7219071cf58477cc847f3a9c23fd183c34c4ac9f2d17c10c3ae78f00d52ef7dee5d346217fd9db3969a26567bb3c3dd723957e8b2b132458ef446a0168e8bf54

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
582KB

MD5
46c8019f29889fab497fc11d99b5023d

SHA1
50bc585aa5ff4adf3ca996e88a75cc9e9743faca

SHA256
2b65e4960868115bf2b1006477a956dbefcde51ca4dc432b8604a7ecb8de1b91

SHA512
9053bd00135e27df4ff639422d2ee3f1ec4c8ff4d335b9da5a1306e52a2e4778c4a02b128175c98a689ddd832ce9c15c1f678cece701b48517c1ee1dfe8ef268

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
582KB

MD5
d8673af2792e8b439e13cfd9e26e2026

SHA1
82b8b4072f09fd67469d1cee03898d8c8f6bfd4a

SHA256
4274a165f6893c66a8203c2e9960b113e12cc9566249faa47037562868b08cf6

SHA512
d496a5182d66bf3d170e421bde277f094116973e857577a0dbc6a48883a7e2c6cc4781869c3e0472a2b5729703a11e24f0262c9035d7d4486ea6bc5fea0a76a5

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
582KB

MD5
6ce8db8c02c67eee27f369c7cf7a96c2

SHA1
2c951009b8641297d2ed7bc2689e5a60bc6de8d2

SHA256
c7fe83b6dc8f9c19501e35986b2b3ad5e597d228a51d998cfa1bb0b3a4afda67

SHA512
92eb90a3d5d82e6c213e47719542c95158e74a663bf308f067371b906edfce65b0addd7d485165a91dff23cd46045e76aa5afa0cd64689e682bd5c63a9bb1979

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
582KB

MD5
43a0e86918dceb623e88ab212540d46e

SHA1
b6213428e0d6c554542b28c91ec06fd8ea9ec72e

SHA256
1532375ff82e390082818c87aecdae5a701fd8454119ab6c3ede94c71dcdd22d

SHA512
ed95c56ef5548f96e7011b8ee6fb2017e8b3e306140d2f235ac629e0debcc30cd1e5e00566b72cacac9e165563da35bf82f12200488ed6da63c5d8e2a4249d1b

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
582KB

MD5
0dd530da5bd40c1f25a78a9eb89b16cc

SHA1
24ef5ed5654cbc7d697a93149b607edef97ca1fd

SHA256
86ac03ea9223495e7d1183a2fce3ec5c6050b0e8b3cda51859ebc857d5a16c28

SHA512
6c92cd36759bcc1ebf49aa1f648512242e8962177c28a81876d794ed042fd43ed420430d4ebce0e8c07466dd04f02cf19c469a2d05f85028bfaed0f3c1657822

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
582KB

MD5
54adbf1c57965d0e7438b87f64e5519f

SHA1
2d7fa96b7e3ceaa8df6a50a3249914464938b7f2

SHA256
fd445a14c177be788acab6a11abba1541c03cf22b613242596d4f2803c9cb164

SHA512
370056a3ee8d7c40e02ed2fc36942e988c8c859d3aade69b9d38feae0de24166d344a5a5d96de5aabede35a4dd69af908c61abf0ee33b97543abc0b10eb1ee78

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
582KB

MD5
1e65ce996dccba050d057bab8fd51584

SHA1
4bfefa822aa0d1496b44956e765b94859b0cc28f

SHA256
756edfe06f0a8b9403036c35ab6570ae87e529cfaeacd36c9672ab6813e2ec8f

SHA512
303349db2cdd0b2c1fde45e119e9b41c74d851e41eb262966f152b3a48a58711011faf10c668b27d367ce93a49037d90da654ad399b5a086d030b9c3464a14b7

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
582KB

MD5
57dbf4d04b86a3f0ed504f8d501ae51f

SHA1
442a8fc774238c8f13d1c3ced357a2c5d2362c3e

SHA256
54d1b0adb5c529468e6597c6a0099d07cef06b598d355fcd693873215eabaed7

SHA512
f4866d2968b14eb6ac2009f6728485bde0b55b89132d11571ae07e20ef22bc6a6336232ef4e00dc64ad4bfb6ce62f90aa6c2a01f4ffc623ba077b9628b809604

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
582KB

MD5
82db6fd762dc240a47326f1920f7b45d

SHA1
13a9797c3b7fd03466bfa5b4e90799f1f86f0503

SHA256
23f8b388235503c3046d05768a2ae0e828539164f1be9804b8a6a95127fea8be

SHA512
bd647ee00445f5ed9d3bb6c74ecc7bcbda05fdeddd8cf407895639656050bf5a796a477bd5e070041590fb736ad95fb9c59bcdf3c090241e86f5d1be2182d550

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
582KB

MD5
e65c8e23e5e01f367ddb0814976d6990

SHA1
1ef156ee882cc42489c6501a1ae50cfd2f7be520

SHA256
c5c148ccb64b4f34d4849deb15b6187465e5209e205cee9812adb20b41fc0ca5

SHA512
5b7022015519596acf3ba5859e9af61f6c30a8fa01b94ec1976ddef1ceb5c0dbe9290b7683276ced029ee0857a90ceb175c526e25d4f7932984c506fd786f1c9

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
582KB

MD5
e99106cce1a50f2585c6f06dba98ceac

SHA1
a314de4ba3ba0a52886b9e7a4b7c1daa55a1c903

SHA256
72d196b35aefb33cf6dfd4ee65f7cf982db716e44074b37400694b7886683e62

SHA512
0fe0355928f212ee6c11191626c3012664bdc4cf73f07f53735f9525cfb72155c1a523172706ef983e7d36e7a7307fd72116068f8c4f7eb405640f56200104a6

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
582KB

MD5
dfaf3061be6ac281c1934bdcfef1a3fc

SHA1
550cdc0f84e86a31cf7b08670c6f7e8181f5b2ff

SHA256
d065c92142f2dfa2f65265b72cd7eec251f9843549e7d9d8835c7bfa148e7997

SHA512
93341a2466103b6028d861de96c8e4a919cb5fe2e4aebb013fc8daa618efeb9b9f1eb907a5cbff19435292ff7e245a5f0eefba86e5ac152fd6756e3a1ccfc674

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
582KB

MD5
3b4a522f236b3c665bea4306579c3701

SHA1
effd125c29de62d0c1a7fb74bbcc2984b0f7f7bd

SHA256
17881ce24f38fb6be3e07b007eb473951ccc649b63820a84119a4e0a53bbdc00

SHA512
5501fa769d0d827d5f2642eaa68864c807a946315eefbb5b10209ad1c63c4ad5b695b84a9a40675c6a781634a5ae677d8510b733b3adb86ef0fa1a419d8e8c50

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
582KB

MD5
fa65c5d8e8b6e727880470abc9469123

SHA1
caa150cc8e0b7376ead71354163cbea24ce67f1b

SHA256
b3bd4985a5c15fc370dcf5571ec934abe1b9dcb78f2f607f801351b9f37c04e4

SHA512
8eca2083a7ad27d786c51a8c3fd664ed465d671c69e6d0827035de1784fbd6f7b4e83931fc86fb18bcbaf040ac617da48bb0fbaeff434375be6cac556ccc4b88

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
582KB

MD5
8a764104ed8958aa2e9b5c69b5f769d2

SHA1
6a228b5536d1f67c2e206704b32047fad858a6f5

SHA256
3ea7137739d014f3f9bc82cf7a8866566fd842a92767d2250448bdc4bc767fbb

SHA512
2eda01315d6d83be2c1abb6c1b81f0f437addc0c8b4f3d19e578f6051a4bbc23930c043dd150739119dc4e0a594b9f8019d97829e5c60a0f23bed0651c7524d2

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
582KB

MD5
a211b4b0d0f5e994b45a3acdcedacf4a

SHA1
7ac78767fd3ef79db2c12f5b560927b11c23ea94

SHA256
4f16b52802d0e3d6b1105de9cf16ac6604c428afb8ad463f34e64055f013eea2

SHA512
3003e8d1ed78099414dba2c95f062300fb77a9091920eba84997eff22d470df741a3090c5b41941721234cd1a54352948b97d134b76cfdaf04540bc4a95e2199

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
582KB

MD5
bde412e0b2b80c56ca738619da09c798

SHA1
f1aa0171a82c23394f2dad60a3ec36b6a94cccf0

SHA256
c26b155055ad401e1365fed9c5d7f85929973ee369d8dd7f64fa0fa89e45082c

SHA512
2358639b0feee4171d91bb00d41af6f0e3cbd3e8c3dc1742d46a095cc9fffe7308b1e3cbe7f7de7cc2ae54c70c5d74371d523b77fe9106ba51b3633fd4101cc0

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
582KB

MD5
23a2a66ab1311f23b46a0f73c27cbd46

SHA1
7f2d2239449c58f07415373c01bc70be120a49eb

SHA256
58a9f19b49b93e67beb5f3459881c9e522389a3a9aa4cbfcf14fee811eac30d2

SHA512
2c867cddc6a9507ce97d4ac73df25bc8475d9c2ffd577e5790d71447816957285e554e550ae02cddeea30a896cb2a9f5645a47978cbb012edb7a2f054937c13d

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
582KB

MD5
8ac3f3d6990b90fb5c16c7afc3eb0ba3

SHA1
bd0eb7cfc4066b343ce0fec7e7e68c75ccfbe548

SHA256
c369154e107167e57323739e2f3341ff7790fa9c568484a40d98fd7d9ae0ea21

SHA512
b23fb121bf6e9c28c186824df7fbdb07bc2f8c3870ad8a38790496caaa2d259453c2b57b7725073706835c5573108391585acb02bd24ff5292a2b3a0da98ad31

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
582KB

MD5
e02ca48cd6030db3e5cd84f6a31089a5

SHA1
22c20d6f1f16b853af2903aa763a2290a63657f5

SHA256
77b48c618af2ecf70ac133e17c78598cebfe931a90a17e3fefdbd3ad125119c2

SHA512
44d6af5dd853d6868f0bb36b55b1f1ad6bb9e4ec21acab12d90c0c353613a2530ededb41aa37deba458c582d4c56cbb235ca494e5584e2a2a8310d48b00dc466

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
582KB

MD5
81c0b9f9df3ebd9c49a5c0106cc0cd0e

SHA1
e54d387395ef7460806a97b4a437dfa21b7d3d19

SHA256
b33741e5bdbb67eee2518c0fedc8f147e4dc2191e9fe65f77191dce94d254b43

SHA512
8da69b8e194935766db90d7d07a3cdad1f51549a7b6d0ef1e5604d9e3aa96f58f07d0c336d2eac0936e039be465fa20741fa334da6949ad98a12f0a0ea6db433

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
582KB

MD5
f548b26842557d3119d57660a34052de

SHA1
58af4877118c62479dfffcbc736987706d31bd77

SHA256
5ba2ed6a0e67cc9e4e12dcd80c897d8964d98bdad0b5aa7fcf8fbc98993e6a84

SHA512
c9424260bd88f30e34fb7928ecebe9faf8226d82ed41f94aad335bbf13a1c71219443691a6ddcc073ea4fd9ea1558dd917272d593bc12a45fd2efd17e8182d10

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
582KB

MD5
a779cf8235b29830f426fa4485082299

SHA1
cfdcf095e16b44f87bb97fe0a70796cb46d2610a

SHA256
361640b2ed30f56bd352f1586cd93c3a1ce1e9a6f4dffd283c0121805906ed58

SHA512
94e48417060606fa17e63d4a08cb0c1c03d9b7f923654d0d006223f3eb17542e21e6bb21e9bd5e40188b16f0a7a2cbd221ae9d04abcfd3c07cd2d8511cd15fa0

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
582KB

MD5
eb04a87b8f6ce2c67fc606c9632babc2

SHA1
ad14bec23434358737179cb4a05f16e6f6f84548

SHA256
e0d791571cfe971df423175263ea653b11d9922b063d54ee70f1327c5e2d7c17

SHA512
de539fb6f37c6f51c9638c0675b96052e30e85f4db06495c93a3d440f911740987a75123fc2e208a0a6b1b973bd09bc6744cf25fe9a7fef6471fae38cc73c7d4

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
582KB

MD5
7452dc0632fc69c76dc1341a7b136cb8

SHA1
c5da4ff9b7cbe81d36a7c9f93d4218b9c7340601

SHA256
538b49a97cd6d91987b8f00d4eacad1005ff4fd726ae3c47839b35390fd63543

SHA512
c88f6b39887348a23ac0ddf8dec3c907338f8b391ae1e2c0c4b6243b15cbc417d5935aff3c8a83b5e74f986474fc37d35fe2fd3458aab479417362da4389d497

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
582KB

MD5
72609f7b687bebe99c89a54d3e4f9e1d

SHA1
e685e80e250b77eec1c00b6d6eac2a21a0ecded2

SHA256
122d24e484d68018a55fd91162e6f144ff315001d74370e1debebf5c440986b6

SHA512
0de05f868a47d88bfb17297cce9ade72267c3332171240520630849db1736dd2329209d57ad3949be3e6a06f07db1dd2e37f49d833b4acdeb60fa5df8a72d9df

Download Submit
memory/216-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-636-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads