fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Size

94KB
MD5

bcba9be346fe1e7f148669c2350670fe
SHA1

920e12a2f371f0c5e3d3ff24d5e800b07199de87
SHA256

fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b
SHA512

c2eb268842ee533f889eb1f2819df2aa7b5ac0725fc7fee6af8eda98763e106002946b900967bd7d3f9241d990a2b6d17f372190f384f863d04ff01f040e878a
SSDEEP

1536:UAmbI8QZHxIjbfNO5W7rThvzf2LWS5DUHRbPa9b6i+sImo71+jqx:Iw8+WPlrkWS5DSCopsIm81+jqx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe

Executes dropped EXE 64 IoCs

pid	Process
4204	Oaplqh32.exe
828	Ocohmc32.exe
4364	Ogjdmbil.exe
3776	Ojhpimhp.exe
4520	Opeiadfg.exe
1000	Ohlqcagj.exe
3020	Pfoann32.exe
4800	Paeelgnj.exe
1988	Pccahbmn.exe
2544	Pjmjdm32.exe
1632	Ppjbmc32.exe
5024	Phajna32.exe
2428	Pnkbkk32.exe
4040	Pmnbfhal.exe
1976	Pdhkcb32.exe
3328	Pjbcplpe.exe
4576	Palklf32.exe
3460	Phfcipoo.exe
2372	Pfiddm32.exe
1980	Pnplfj32.exe
3640	Ppahmb32.exe
4936	Qhhpop32.exe
4912	Qjfmkk32.exe
2452	Qmeigg32.exe
2352	Qdoacabq.exe
3164	Qfmmplad.exe
1636	Qmgelf32.exe
2168	Ahmjjoig.exe
4836	Akkffkhk.exe
3476	Aphnnafb.exe
4796	Ahofoogd.exe
4688	Aoioli32.exe
1892	Apjkcadp.exe
1248	Ahaceo32.exe
4216	Agdcpkll.exe
2288	Amnlme32.exe
1528	Apmhiq32.exe
3568	Aggpfkjj.exe
708	Aonhghjl.exe
1568	Aaldccip.exe
4948	Adkqoohc.exe
3040	Akdilipp.exe
2192	Amcehdod.exe
5116	Apaadpng.exe
4848	Bdmmeo32.exe
4396	Bgkiaj32.exe
3120	Bobabg32.exe
5096	Baannc32.exe
1564	Bdojjo32.exe
876	Bgnffj32.exe
2136	Boenhgdd.exe
4388	Bacjdbch.exe
2676	Bdagpnbk.exe
4236	Bklomh32.exe
772	Bmjkic32.exe
3136	Baegibae.exe
4952	Bddcenpi.exe
1624	Bhpofl32.exe
2812	Boihcf32.exe
1824	Bahdob32.exe
4832	Bdfpkm32.exe
4208	Bgelgi32.exe
3240	Boldhf32.exe
1304	Cpmapodj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Akdilipp.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cponen32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Pccahbmn.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Ebggoi32.dll	Bklomh32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Qbkofn32.dll	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Qkhnbpne.dll	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
File created	C:\Windows\SysWOW64\Bpcaaeme.dll	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Opeiadfg.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Aggpfkjj.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Ppahmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Agdcpkll.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4852	3456	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmgelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfoann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhpimhp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4204	4568	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	82
PID 4568 wrote to memory of 4204	4568	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	82
PID 4568 wrote to memory of 4204	4568	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	82
PID 4204 wrote to memory of 828	4204	Oaplqh32.exe	83
PID 4204 wrote to memory of 828	4204	Oaplqh32.exe	83
PID 4204 wrote to memory of 828	4204	Oaplqh32.exe	83
PID 828 wrote to memory of 4364	828	Ocohmc32.exe	84
PID 828 wrote to memory of 4364	828	Ocohmc32.exe	84
PID 828 wrote to memory of 4364	828	Ocohmc32.exe	84
PID 4364 wrote to memory of 3776	4364	Ogjdmbil.exe	85
PID 4364 wrote to memory of 3776	4364	Ogjdmbil.exe	85
PID 4364 wrote to memory of 3776	4364	Ogjdmbil.exe	85
PID 3776 wrote to memory of 4520	3776	Ojhpimhp.exe	86
PID 3776 wrote to memory of 4520	3776	Ojhpimhp.exe	86
PID 3776 wrote to memory of 4520	3776	Ojhpimhp.exe	86
PID 4520 wrote to memory of 1000	4520	Opeiadfg.exe	87
PID 4520 wrote to memory of 1000	4520	Opeiadfg.exe	87
PID 4520 wrote to memory of 1000	4520	Opeiadfg.exe	87
PID 1000 wrote to memory of 3020	1000	Ohlqcagj.exe	88
PID 1000 wrote to memory of 3020	1000	Ohlqcagj.exe	88
PID 1000 wrote to memory of 3020	1000	Ohlqcagj.exe	88
PID 3020 wrote to memory of 4800	3020	Pfoann32.exe	90
PID 3020 wrote to memory of 4800	3020	Pfoann32.exe	90
PID 3020 wrote to memory of 4800	3020	Pfoann32.exe	90
PID 4800 wrote to memory of 1988	4800	Paeelgnj.exe	91
PID 4800 wrote to memory of 1988	4800	Paeelgnj.exe	91
PID 4800 wrote to memory of 1988	4800	Paeelgnj.exe	91
PID 1988 wrote to memory of 2544	1988	Pccahbmn.exe	92
PID 1988 wrote to memory of 2544	1988	Pccahbmn.exe	92
PID 1988 wrote to memory of 2544	1988	Pccahbmn.exe	92
PID 2544 wrote to memory of 1632	2544	Pjmjdm32.exe	93
PID 2544 wrote to memory of 1632	2544	Pjmjdm32.exe	93
PID 2544 wrote to memory of 1632	2544	Pjmjdm32.exe	93
PID 1632 wrote to memory of 5024	1632	Ppjbmc32.exe	95
PID 1632 wrote to memory of 5024	1632	Ppjbmc32.exe	95
PID 1632 wrote to memory of 5024	1632	Ppjbmc32.exe	95
PID 5024 wrote to memory of 2428	5024	Phajna32.exe	96
PID 5024 wrote to memory of 2428	5024	Phajna32.exe	96
PID 5024 wrote to memory of 2428	5024	Phajna32.exe	96
PID 2428 wrote to memory of 4040	2428	Pnkbkk32.exe	97
PID 2428 wrote to memory of 4040	2428	Pnkbkk32.exe	97
PID 2428 wrote to memory of 4040	2428	Pnkbkk32.exe	97
PID 4040 wrote to memory of 1976	4040	Pmnbfhal.exe	98
PID 4040 wrote to memory of 1976	4040	Pmnbfhal.exe	98
PID 4040 wrote to memory of 1976	4040	Pmnbfhal.exe	98
PID 1976 wrote to memory of 3328	1976	Pdhkcb32.exe	99
PID 1976 wrote to memory of 3328	1976	Pdhkcb32.exe	99
PID 1976 wrote to memory of 3328	1976	Pdhkcb32.exe	99
PID 3328 wrote to memory of 4576	3328	Pjbcplpe.exe	100
PID 3328 wrote to memory of 4576	3328	Pjbcplpe.exe	100
PID 3328 wrote to memory of 4576	3328	Pjbcplpe.exe	100
PID 4576 wrote to memory of 3460	4576	Palklf32.exe	102
PID 4576 wrote to memory of 3460	4576	Palklf32.exe	102
PID 4576 wrote to memory of 3460	4576	Palklf32.exe	102
PID 3460 wrote to memory of 2372	3460	Phfcipoo.exe	103
PID 3460 wrote to memory of 2372	3460	Phfcipoo.exe	103
PID 3460 wrote to memory of 2372	3460	Phfcipoo.exe	103
PID 2372 wrote to memory of 1980	2372	Pfiddm32.exe	104
PID 2372 wrote to memory of 1980	2372	Pfiddm32.exe	104
PID 2372 wrote to memory of 1980	2372	Pfiddm32.exe	104
PID 1980 wrote to memory of 3640	1980	Pnplfj32.exe	105
PID 1980 wrote to memory of 3640	1980	Pnplfj32.exe	105
PID 1980 wrote to memory of 3640	1980	Pnplfj32.exe	105
PID 3640 wrote to memory of 4936	3640	Ppahmb32.exe	106

C:\Users\Admin\AppData\Local\Temp\fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
"C:\Users\Admin\AppData\Local\Temp\fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\Oaplqh32.exe
  C:\Windows\system32\Oaplqh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\Ocohmc32.exe
    C:\Windows\system32\Ocohmc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\Ogjdmbil.exe
      C:\Windows\system32\Ogjdmbil.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        41⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        57⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        79⤵
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 400
        85⤵
        Program crash
        
        PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3456 -ip 3456
1⤵
PID:2804

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
94KB

MD5
bb28761a72e5e09b9d073fee65b7ff67

SHA1
932d3d65e252ea5e81e344d0add335bf57910b88

SHA256
106413e188e6a49dd4a17602be8edee8186a68a454f43ae335c3e92f668ee121

SHA512
2e16d7290af857c914768bc4989de43113e8e85d0e02597d9dbca85ba0fcdf1c5d8480340c5cc2abbb9c60d955ce04f7ef6e26763f18c9914a64eb442cd1ec32

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
94KB

MD5
ac8606dda8b3662fc11626c039a8eb4d

SHA1
47f8ff428d4acf072397d3878e596f7e3699ac5e

SHA256
60ff32c2639873fbe4ad72268059706e12748fef5880347dc8721959980b7ccf

SHA512
52a8ed7d558ed6ad35e559de04ff14e0a05a9352ed14978f0a093ea17aa062f5a097873b05f5dc380bc92829bffa981d997248ed620702428838a4586518c741

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
94KB

MD5
00d4a5ac3b285de261c87ad6ec3d8095

SHA1
1498846b74d12bca25963c9e43238d87704e9095

SHA256
a1e02efbfcd76e395ac640b36d5941997030b998436dc0ef9d1da0835213840b

SHA512
09cd18835c1420bd388cf0f3a4112f1c8a876e5fc2f591d73d1f3cc6c5ca89dd00126733dae8b1d251a22e093f6cd34491cb329066dafde407f2746867ce2190

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
94KB

MD5
9e218114fcc51317f719ad31580e67e2

SHA1
de572f843ac3a561eacd7be7f2551f84496b7082

SHA256
038f097d42b8d1dacd8dca9cbe412e7e601df5d5e113b5614c3785fefc284ea3

SHA512
d1b4e57145749b0880a8e6a79d172d89f49bdac1d8828cf7943839012fa9e258105c9d4fec5850c86b06718bb2134e8c0e74c2d9ddbd994c32eee9764f5c3bcc

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
94KB

MD5
047127a120fbd0caecaefd0e4feeeb47

SHA1
9621d1b5f55a31126c0921c7a732d4c38e25abfc

SHA256
3be10eed66fc58e695242cf9a914aba23b7e2c715cdfbc262e40c0bd636db7e4

SHA512
c5e75ce97315c798dc7bfc4576811b586df6f3af13a547a2482ce1029df626642f378ef32f8b75d25f31fee20e6992a13c97b07326cfa1b6226d18c987773e18

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
94KB

MD5
7b335fb96f89c0332521e30b44d62ec2

SHA1
88e23118a9301ab0c6e35e0c9c702863d3f7f648

SHA256
d452e1cc62ff5cd3ac60983b8509d6443212b4a2d274ae2ad2e01a4972c4b069

SHA512
b12beed55dc1b66ddbf45cb0701e5cbcf8e6c7b68b5f4e63db0d036694adabbbb1a808a8b99bd5fbc7dea82e3eb2182f8200ec5f0773ad61acf6f6fc6cef1a8e

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
94KB

MD5
d6c5598c36d86938ba2952f3383343ae

SHA1
666ae18db500fe633ef79e7a3308b5a0383c2f9a

SHA256
2fdfcf5697869cf9f6c4ac4a6b02f57fa47730d069c25bb4bef98b7e25710eb1

SHA512
5fe158f594febb235cf73a436f1c0662baaeda7f87f69547c4232f3f9c28435f6b46ca4c1e1aa6a96be7c98bfd485c8467ec2aff3ff6b3c25dc57d254b8a74e3

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
94KB

MD5
560460ea4070caf43d6147012b097490

SHA1
a1d798e4a79bd44ad86d034399b5801173b08f2c

SHA256
5fd9da8a50e6c1d86569d93a0af321c1e473adaea811e20834b06d21b0f38e2b

SHA512
cf75b2d9c9520a1f1900c4b3f6005ba4f1ae0303db1a15ccf1eeead12978b00d95469d1d4a8588b21a9c506ace4ee9d572f2c8abdbdc309056a676f57ab690ba

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
94KB

MD5
b3467fa8184722053d5e2b58fc382b7d

SHA1
fae58eaff06ea68c2dd88396ab8b6a4b3253896a

SHA256
0f848a5c1e1cefff7c13e2cb2378c8961109bf7afcbf617006b8c4a6ceabd8ad

SHA512
840aa62772bd183a40d9d9bdac9b6ea54e61a73c12991a01151ec3dbf74b651fdfac072b4da474c5e89cda3d3fbcd7bb74b86a5eb8fa96d7169822a60c08c935

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
94KB

MD5
4eb5149c074bf05330c0c9c18caf387b

SHA1
c4bdd0f2105c8fa832c6d48ce8b40ca256e845ad

SHA256
2618b507f596c937f283ac428b1b249177d927f2e37dac17b5489103e6179113

SHA512
a2d4674c99c4f53f9c1373b4cb8162c263aab8eb7a6808e8c7cb6c416f077db887957fded34d55836fdd4e155db8c535e493c65d87d9c727c3c9426a7e44d311

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
94KB

MD5
28bed15c0748e15a4e0bb4cf8fa03bbb

SHA1
8d3e596e3f008e0425936fb1d8bf3b88876d1185

SHA256
b11b59deefed7dea1852e9b37c16ed0eae26433dc72e15f4746afea0c5934fc7

SHA512
30ce3caaf10bb93543da1e2aa66d03f94893532c7b3b25abe11f24b24b0bc6b7422163d3cd9ce9fa30c2b5688f9a52d04dc13f3f3e0d22224df1625afc94405c

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
94KB

MD5
48d0607c30852f2c75c4125fe9da00f2

SHA1
3306b9051cd76c07ec4fb40f0c5332382f4639d4

SHA256
2e695a9f56d55919ad7ea844aa0b8fd9b8580f2a039dfeed4ad090bd04fe05eb

SHA512
7064eb7fa2b8954a8159ae1db40873f3fdcd63ba49f61ab3515c27567a35f4c60a960a357bd242c138976b4618c5166fed5b26267469c90be4b78f7cc3f62c92

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
94KB

MD5
ad9a3b5c7da74d2841f18459190b06e6

SHA1
123e4a2365c15daf385c5d389781e6fa5991af23

SHA256
23a9091e3b24c482722e1298397845e42097be83ec7e90b11d95dc31f1f0d0b4

SHA512
745610e971d896f2845cd196b29da2c5581becbf243061bd57dd23a2dcde547b96e6eefb5b850a999517f5790ec549e23552548a39a083e5c098c093366b8c07

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
94KB

MD5
915254824577a35c15c262f5d825fedf

SHA1
ea05d9b247c9bf3258013799c74b7ca65aee6710

SHA256
43586cc2ba25bbccc40e4062c363632d78910c056dff6b54abf286b2922c9f24

SHA512
13a398e4f65e75fa71bba4ed3fa8967b47d480b3b94e7fd1390c46d6c43da1d927b5d7034ac28ee23dc75fb5955f1e4b6ae503a40b2be64df319274a9fc9d562

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
94KB

MD5
2a5513577de2cac8fdf27aaca88efcc0

SHA1
b7e34571cd06442ec81081ee67a6442352f7eee6

SHA256
e169e84957c8b43cbda94913405933c6faba219467c307083dafbe42870905cf

SHA512
960f5c136e41272e1ce8c0845f59ee1ca12f90e385bcd95c1b668c5b9833e8556942a848d1c4d9579a1362d7e926bc797290c738f6cf44f1b9b57cecdba13d3e

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
94KB

MD5
e03bff0057885ff78358a54a0a955b76

SHA1
6cba5459858538320f7876045f575c72109f2bf6

SHA256
488ed38d72c712d1add7f3ae73032c02c14cbec7578b1e88d0d15c38e09185f0

SHA512
cc3fc58b606ddf2910df9319626e9e9eeb50a772b0946df3ee8f09a790236c517ca9f7db19d902bfc18798940717d73f6eff40a0c9115e528b6e4b69cee104b9

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
94KB

MD5
c7da05c1394ebad4263e49dba4cc2c92

SHA1
9cfd2499ee8c92ddd7b78df7537a02f565f7892f

SHA256
4c688c36d8ed82f4ccc1889b9908349da75cd026986522843462331a521af0dc

SHA512
f5c355eca5d1dbcf0e27629fa259ebf36f8c6d91d6aa36d8ad4552463b8b98ab171e3a5499337189d43889bf8d2c747e8233f34ad1f0200c9e5bd622eb3930fb

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
94KB

MD5
06409953f0a3a9439ad778c1db53d8ce

SHA1
7975e30dcd35efab3b3e1907ea00ff446ecb4f90

SHA256
d7961e76cfe355cbf33da786ee1ad7e409003cb61469e7ddad20f4d5ae597d5b

SHA512
4580d420692956970353ded30764d55d9d6d4d46e54d14022b979faa64a40ac8f9277fd4ef585e36268e9371cbe90b1839543c62d19e1f37623ee7533dd2188c

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
94KB

MD5
5030a4fed810c41dc40495735fd11266

SHA1
00596adf58f1eed89200c2f447a13494d2c07565

SHA256
fe8830e3937fa14e35372b538c465ab6ba749db2b1df8a636355144585c092de

SHA512
0888502f69c48cb7a684f28b7149e77f9884a5dcc43ea00ec044c89345600640ac14e18686b75ca64d3f36ba8512dc422c4c155c53238660f70b3d8fac7769b2

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
94KB

MD5
70a3219b0794ee7a20552c2e65e06c46

SHA1
a40147806d4f96af578ad8af753e05e5f9525e82

SHA256
c47235e53987c040809d8a4c56d917f9f5c785a51a891e29cb51a8d4a8dd1048

SHA512
95cc17c15319fed15a120574bc6cabcf055353b481aafd2b17a13f509928f6a67631565207da1c33a63ac8d838a6780fc6733f62d4b9a2db68acac073e580a02

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
94KB

MD5
7bda9675eb48ea6fc75aba6945efdeea

SHA1
01c592211c89d432fb3659050d7501a34e5ac6d5

SHA256
0bbda4a8c12a70e9b4792abc1e0b008884283f3c5189526d1e27b45adbb2f870

SHA512
5a6a0e9145a0d34d03c841016bc8c33861219161b032393c679441889f9806806f6affca18f31e9a6bba3bf820f18a56cdb603f503d9cdb290ab8a9ca27aa999

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
94KB

MD5
a1d93a1b50d6aa3c9653db52aafe5da4

SHA1
7837dfd0ee139eab1ed47b14b60a0aaf5a6e4535

SHA256
b82278b01ba03bd379547908d81afa929fd661c56adf12013991767910521856

SHA512
544eee21af0efc9fe5d93963d556f227d84382f7ce9b2c2fa0010ca4e00da09807bb20ed6f050400c2b9630d76f8e9ec017b55bd60f12d49cc7f667e2ca7b5c0

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
94KB

MD5
14ed483e449620809dbbb5434902ec0b

SHA1
2e3d21be21a8e452c5d45cfe285976e10e956ce2

SHA256
47ea3fc157b2578e1f1149122933463aa3bb120f45b506796faf2636a1ea2974

SHA512
55c2e2cb4d74fef8abb291d4dd3f878ed2aea5691b8a1d9d3119af77d2eb1f675a14426c3abbf31443d972667f5819aa92f6180bcc1712842efc0943f827c789

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
94KB

MD5
84da1e5a53756f467850795f85a45ea9

SHA1
195a7fad397c14af375b53cc917eb0e3ca8bd68f

SHA256
cc85fab506d26c37050c684b2d99796cd9735c75ea7b407fe348933c5f3c40af

SHA512
bbdc1602d536442b1982492da4e87e12fdb173cca8c8cf34c30ace993a0df1528ccb783aadc1a20e2cee22cfed1c8d8d587fe8fb187c8aadcf87e2d026941394

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
94KB

MD5
0c0a639a9c6f9e400aa29f51fd0b7e27

SHA1
c4511b81d7a6c44ba29828900081e06c21aec754

SHA256
538da64d80918b81ea5d0eca5209b87528698af1ebda73a12d5d14d5bc820099

SHA512
d177428563198bb46516ca5ff7f60f1b9032319c12834d4a75ad33927fdcdcdf177e76ec0746c8a9ff247f258d315cbd18a298b887764ab808e95337504c4964

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
94KB

MD5
59b0a73d889e14f80064382b9452baf9

SHA1
c38f45a2611214d5dd55c4e5120e59ffdba59874

SHA256
a37e65b49a551352d686ecf6e6604874ac291ae866b325b424d1487facc62556

SHA512
92cf0d59a96e56442747581f561f62eb64dd0fc209312fbf33cc0ea49af944d54674cdb1a4c4c3389ec1e1394378624cdf248d87e2299d78f148d4e2098d95e2

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
94KB

MD5
b043d7753b6daa9f6dbb0c9de5dccde9

SHA1
ba40126d60e5d8635eeeb5566bbd3c95c6f5e53c

SHA256
e02d00c0dd82ab304674f7ffee3e1b4917fc55a3131b8f79d3261b776b5c6d78

SHA512
d83755f3dc2bef9961155378e58c1fb4d93ab24011ee2af8bb2f5e88c802c79876c744fc375dd0974ad378ec9600b830f217c19cb8470e18b53fbf9bb10dd393

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
94KB

MD5
9e1273483952e5fbad55c7d02083402a

SHA1
f143f505d002e994971e294169250f14b8c1c55a

SHA256
ebc21cfa1aa368cf904d8a83ba19ae698106508c2bf601a31e21b52ac703df15

SHA512
905ea5eb0726af94f025b9074d89c28442a735c4cb1dfdf6716d2881451f011baecf45c9a294c879143545722e28ebbff7acd675e0870ccb3ee428691609123c

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
94KB

MD5
f3ab2c5a19eaffe628596bc89087ec78

SHA1
0970fcb3b18e79544ec789b049ef27814ea454bb

SHA256
dfe961e7bda797bd1362a6d02a83c8f3964f7a7db318b2bb7d0e7311d0fe4859

SHA512
1e2efb4fdb87c1efc4446c1d410f24707063f60aef1cbee20f9b83e8003959089913914a5891a189f4249cb3aedec6c302d9af3df6776d8af1ef035caa5c34de

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
94KB

MD5
964c3b0698b0369c6e4509ffdd1570ac

SHA1
2628ddaea5af60abef7eb07d73b6070e008b0d37

SHA256
de31acf2225a983fefabc7d78a8224802a96f494d85db093864d22c7e4989b7e

SHA512
c08c1f5c3779de1b26decc084098d7490f69921296c4bb0a45729c5785b09453ac739d3baeeba837a51524a73f6655fca33c65c63cdc634a6d51689eca2cde75

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
94KB

MD5
e29f0a1a38787578e611d0912021e906

SHA1
03ceca2d6cc3660bbeb1b4bfbe3ff683a70d0905

SHA256
1d83fb1964395021836d0c245801e05218d25905d295c7bafba602e1bb9f6317

SHA512
85014cb94deec65b7f549c9ab5b2e1d1789cad84b0a9f74953c9839c5b6524e76ceabfacba3bf0188970dcde91c69e4028ef329528ed55ad63fbd593bd3b7176

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
94KB

MD5
d1b1228d9ad5d6ec8a8012c61aa03b4b

SHA1
7356f999661633d579a6abca2519383613646b93

SHA256
c7a1ad87c62af269a139fdda77f704907366868f1b4a10519f17cc08361af572

SHA512
57547ccd7d94144dc6660507abab5df2cf738ee507d61428faa3a00762976107ee3c06a4d8ecce7b9c224a262179d95a05bdf27f0671a611a3cd0616935d3182

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
94KB

MD5
46b36725a60361a778711522bff5a528

SHA1
abe9bea6054f2e57f01a1f8e26fc273c87cc6823

SHA256
ef21d54cff30038adca3f568f69250a4494134c3a146c98a018edc4cc5683cf0

SHA512
8cdb430af5b4aabbe9bcf073baed5d9b8ca0b8c9b65acbbfd6c70e1171625e34173662dde843cb40b51b2005ca4ca4b4750e38ec60b84241913a612913a8fffd

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
94KB

MD5
b5de348833d3a04f8e5cbb20b9677416

SHA1
a067505fe9400939dde2526a5f4bcd949f0c85ff

SHA256
c274fa2d24f85a2e85e3cce9d9f24c56b14ab7ea1fdcd8e832a8a90430bab67d

SHA512
10454ad803b5f0b1a9db1722a9a3223dcb507daf228ac14968085a05d100ec02fb47a05cafed35e735e1907296b84d1d674e7987a2bf9c26b72ebd43ebe69ac8

Download Submit
memory/708-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1632-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1824-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2552-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2552-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3164-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3456-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3456-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3460-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3776-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4204-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4204-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4208-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4576-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads