2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe
Size

93KB
MD5

a9a160bfbd26f4cc7fd52350576a924c
SHA1

204392d2c1c27f9ad08eefc6e3995939f72f219b
SHA256

2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c
SHA512

a8a79f2664283f31818f0474037e0f54915efb8d08ab98a463a36f766f64bd68a57befc6ec0468be02829557f7362955eefcdca9c9f24f32792d76b687ca0e93
SSDEEP

1536:/1LL0Pa2YbuNSFR77i3l3QUkO//xw/3JUkwZsRQ+RkRLJzeLD9N0iQGRNQR8RyVd:/NL0HIugb77e3aOhwfJBe+SJdEN0s4Wg

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe

Executes dropped EXE 64 IoCs

pid	Process
1488	Nnlhfn32.exe
4588	Npjebj32.exe
4320	Nfgmjqop.exe
2276	Nnneknob.exe
4304	Ndhmhh32.exe
4192	Nfjjppmm.exe
4412	Olcbmj32.exe
2916	Ogifjcdp.exe
4828	Ojgbfocc.exe
4836	Olfobjbg.exe
3460	Ocpgod32.exe
2072	Oneklm32.exe
2924	Ocbddc32.exe
4596	Ofqpqo32.exe
3144	Ojllan32.exe
4700	Ojoign32.exe
3664	Oddmdf32.exe
384	Ojaelm32.exe
4656	Pqknig32.exe
1748	Pgefeajb.exe
1680	Pnonbk32.exe
4156	Pqmjog32.exe
640	Pjeoglgc.exe
1952	Pmdkch32.exe
1900	Pdkcde32.exe
4380	Pjhlml32.exe
4792	Pdmpje32.exe
4440	Pjjhbl32.exe
2288	Pcbmka32.exe
2728	Pfaigm32.exe
4176	Qgqeappe.exe
4692	Qnjnnj32.exe
2848	Qqijje32.exe
2888	Qffbbldm.exe
4064	Aqkgpedc.exe
4996	Ageolo32.exe
4152	Ambgef32.exe
512	Agglboim.exe
3800	Anadoi32.exe
1988	Aeklkchg.exe
1280	Ajhddjfn.exe
1268	Amgapeea.exe
1080	Aglemn32.exe
3828	Aminee32.exe
1540	Accfbokl.exe
5100	Bjmnoi32.exe
1228	Bagflcje.exe
2724	Bcebhoii.exe
4928	Bfdodjhm.exe
3288	Bjokdipf.exe
4388	Baicac32.exe
3744	Bchomn32.exe
684	Bffkij32.exe
4308	Bmpcfdmg.exe
3036	Bcjlcn32.exe
2040	Bjddphlq.exe
3284	Banllbdn.exe
4488	Bfkedibe.exe
4568	Bnbmefbg.exe
5040	Bapiabak.exe
2660	Chjaol32.exe
2044	Cabfga32.exe
2512	Chmndlge.exe
4452	Cnffqf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5920	5756	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1488	4364	2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe	83
PID 4364 wrote to memory of 1488	4364	2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe	83
PID 4364 wrote to memory of 1488	4364	2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe	83
PID 1488 wrote to memory of 4588	1488	Nnlhfn32.exe	84
PID 1488 wrote to memory of 4588	1488	Nnlhfn32.exe	84
PID 1488 wrote to memory of 4588	1488	Nnlhfn32.exe	84
PID 4588 wrote to memory of 4320	4588	Npjebj32.exe	85
PID 4588 wrote to memory of 4320	4588	Npjebj32.exe	85
PID 4588 wrote to memory of 4320	4588	Npjebj32.exe	85
PID 4320 wrote to memory of 2276	4320	Nfgmjqop.exe	86
PID 4320 wrote to memory of 2276	4320	Nfgmjqop.exe	86
PID 4320 wrote to memory of 2276	4320	Nfgmjqop.exe	86
PID 2276 wrote to memory of 4304	2276	Nnneknob.exe	87
PID 2276 wrote to memory of 4304	2276	Nnneknob.exe	87
PID 2276 wrote to memory of 4304	2276	Nnneknob.exe	87
PID 4304 wrote to memory of 4192	4304	Ndhmhh32.exe	88
PID 4304 wrote to memory of 4192	4304	Ndhmhh32.exe	88
PID 4304 wrote to memory of 4192	4304	Ndhmhh32.exe	88
PID 4192 wrote to memory of 4412	4192	Nfjjppmm.exe	89
PID 4192 wrote to memory of 4412	4192	Nfjjppmm.exe	89
PID 4192 wrote to memory of 4412	4192	Nfjjppmm.exe	89
PID 4412 wrote to memory of 2916	4412	Olcbmj32.exe	90
PID 4412 wrote to memory of 2916	4412	Olcbmj32.exe	90
PID 4412 wrote to memory of 2916	4412	Olcbmj32.exe	90
PID 2916 wrote to memory of 4828	2916	Ogifjcdp.exe	91
PID 2916 wrote to memory of 4828	2916	Ogifjcdp.exe	91
PID 2916 wrote to memory of 4828	2916	Ogifjcdp.exe	91
PID 4828 wrote to memory of 4836	4828	Ojgbfocc.exe	93
PID 4828 wrote to memory of 4836	4828	Ojgbfocc.exe	93
PID 4828 wrote to memory of 4836	4828	Ojgbfocc.exe	93
PID 4836 wrote to memory of 3460	4836	Olfobjbg.exe	94
PID 4836 wrote to memory of 3460	4836	Olfobjbg.exe	94
PID 4836 wrote to memory of 3460	4836	Olfobjbg.exe	94
PID 3460 wrote to memory of 2072	3460	Ocpgod32.exe	95
PID 3460 wrote to memory of 2072	3460	Ocpgod32.exe	95
PID 3460 wrote to memory of 2072	3460	Ocpgod32.exe	95
PID 2072 wrote to memory of 2924	2072	Oneklm32.exe	96
PID 2072 wrote to memory of 2924	2072	Oneklm32.exe	96
PID 2072 wrote to memory of 2924	2072	Oneklm32.exe	96
PID 2924 wrote to memory of 4596	2924	Ocbddc32.exe	97
PID 2924 wrote to memory of 4596	2924	Ocbddc32.exe	97
PID 2924 wrote to memory of 4596	2924	Ocbddc32.exe	97
PID 4596 wrote to memory of 3144	4596	Ofqpqo32.exe	98
PID 4596 wrote to memory of 3144	4596	Ofqpqo32.exe	98
PID 4596 wrote to memory of 3144	4596	Ofqpqo32.exe	98
PID 3144 wrote to memory of 4700	3144	Ojllan32.exe	100
PID 3144 wrote to memory of 4700	3144	Ojllan32.exe	100
PID 3144 wrote to memory of 4700	3144	Ojllan32.exe	100
PID 4700 wrote to memory of 3664	4700	Ojoign32.exe	102
PID 4700 wrote to memory of 3664	4700	Ojoign32.exe	102
PID 4700 wrote to memory of 3664	4700	Ojoign32.exe	102
PID 3664 wrote to memory of 384	3664	Oddmdf32.exe	103
PID 3664 wrote to memory of 384	3664	Oddmdf32.exe	103
PID 3664 wrote to memory of 384	3664	Oddmdf32.exe	103
PID 384 wrote to memory of 4656	384	Ojaelm32.exe	104
PID 384 wrote to memory of 4656	384	Ojaelm32.exe	104
PID 384 wrote to memory of 4656	384	Ojaelm32.exe	104
PID 4656 wrote to memory of 1748	4656	Pqknig32.exe	105
PID 4656 wrote to memory of 1748	4656	Pqknig32.exe	105
PID 4656 wrote to memory of 1748	4656	Pqknig32.exe	105
PID 1748 wrote to memory of 1680	1748	Pgefeajb.exe	106
PID 1748 wrote to memory of 1680	1748	Pgefeajb.exe	106
PID 1748 wrote to memory of 1680	1748	Pgefeajb.exe	106
PID 1680 wrote to memory of 4156	1680	Pnonbk32.exe	107

C:\Users\Admin\AppData\Local\Temp\2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe
"C:\Users\Admin\AppData\Local\Temp\2767b316e7205c40447adf7d58cad4d188652f1b90ba32099f793edb83d6a23c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\Nnlhfn32.exe
  C:\Windows\system32\Nnlhfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\SysWOW64\Nfgmjqop.exe
      C:\Windows\system32\Nfgmjqop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        31⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        74⤵
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        79⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        81⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        86⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        90⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        93⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 408
        102⤵
        Program crash
        
        PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5756 -ip 5756
1⤵
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
93KB

MD5
2f42c2aecf83495a963eb158d746273f

SHA1
ce45e1bec946f179a44a10ffe4f4376fb98a738e

SHA256
796032532dcc691e296f43417f07ac65bba4b04df7713498875dfd1aaba9a1c3

SHA512
971e90c243df486a6b785fe1e45df76662a075d2e12c2b020695c79e5f89b1e99dc26a3adb46f92277723ed9c799bd3dff98fbbc7b91eb9b84eb268d736989dc

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
8a801429b28fb9e75f442ee1d8a2e42d

SHA1
b0ad70389ec354a6228853254fdf81970ad63070

SHA256
bef27e6eb338745a6217f1dbc2d6f858d01f4dcc8bc5aed9d4ee2a83ff11108b

SHA512
f5200ea33a71205e3fb866ea7b5bb08246e7c2929eb3260c96f59de61c003624ad8e7485bbd346d3d4fb428b052d1da01d06e251111c452423cd49b9a2c756da

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
93KB

MD5
68144ff7efc4a69a3ee247d7a7edcb87

SHA1
18325f9d34f14c04d45b4021a3399b2542f30c03

SHA256
4865ce8903c23b6165d0081bd1cfcb93a6df1f6d86bcaf5006f9b3bd713a6737

SHA512
e2a57b83db7bf26edc142cd183a90c3b47c7cb4da2f287f5edbef05ed692820a4f05f02ec1f6569c7b921e5cace2936bed7ee4fc6ed031b0789b54746fb59f6f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
5c95eb3cbad5e1927a6c6d21d4b6e7f1

SHA1
093983f28eff451ac20a353fcceee32b0c74b2ba

SHA256
7fdc99ae35b31bfc5a37947422a8838a00c0652c6f649a766aff49653f0fd583

SHA512
6db23fd7b7f4303eee98e9e15b0277e6f5075caf491f7ad2b7fac159a0eaaf811d8246670583526f03faa546dedcc36250567919801a912b4eeda34079581aa6

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
79b226330be1e90bb2a73e57a657dff1

SHA1
de602c0739af2ebe9e2f1f8e9d5d116bc4ff5242

SHA256
8d1353ca4969b9c0e909bb85080690ac05fe6a30e10eb5cbc986314bd50eae11

SHA512
3c34ec80e8537dc1726cedd6f0fddf898bf58ad3a9518a15da49908abcce0515a80896f007715335ca6e7fefc95f8d2b332c1b13ba09fd0363b4778584dd4947

Download Submit
C:\Windows\SysWOW64\Fjegoh32.dll

Filesize
7KB

MD5
f4fd39c1b042402c42f41b773afae636

SHA1
d4cb1c2ffdf84a008513d5150748a3202eb9b223

SHA256
26e237ddc48407258c14cb9c4c4939979ab686de65590e7bfc19909cccd82995

SHA512
55d07a118b814c069924b8950445c7436d597bf1c14bf2db11dc3393f4c0d5e7a234c2a14924cf6e3b73ffa778051720d562e4e23e88b1a65ba25995ec879be5

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
93KB

MD5
05967039c0342ce5d4830c2224aec09d

SHA1
e638160e598ad5d2b9edc3bebd315e3193ccf33f

SHA256
2b38aa29802dff9ae0c3023fce6a85eb235eac2a346350824473ca24e2b1dc11

SHA512
41fb76eabfa6951123953ad4609e89a6fd543683619264533d41f62629e9f9e43eb419620bd448b2835d36bc814dcbd65882ba28ec81d4b6f06ab4b77559b5b2

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
dc40e4f57498c4bd16269052f628d039

SHA1
b8622a423d49c7d5bc922ebf7c1879dcc9a9f8ac

SHA256
b2ea70647561680059d018778fbbd5252d4ff7054831a4de2e30f9c54ff458a5

SHA512
e494dc8eff6e6c342ba30175108c19add87f95cc88c945781b2b3ed0184402cee02870599705de612dda6f876df0b2b3a5a0cf1a38c0ac9e0f9a0cc391bb1b7c

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
93KB

MD5
c03a69bbb47f6fbf544e068825aa4489

SHA1
c10b8f04650205165d189fea556891173ebb5924

SHA256
cd29085e2b82b6aa18842e8eabd99cebf32e6604ccede741d3ffee11864ad841

SHA512
6f29117e4a7cd55e38eea0f067e4c96c407d91b4e7b2073c139dad21ecd80f3082146076b60c869e14911de5f8edb0ec6faf6aa0a1f1cd6228f35fe01d354328

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
93KB

MD5
e2ce7a6b97831e2b832f24bc54507c0f

SHA1
8d36c1d95e9df102fce9671223271b1021668f70

SHA256
67723aad68889b7ed912719d49c1de1593f08dbeaa169f67435a3a2908bbb871

SHA512
dfc043dbeabf407c79bd7fa9e596f50e0fe1b9a9227e41b236e24e857e4356049363bfb23872438fe0fdc04dfbc081f15d76267fb4e4163e46cb357690cb51af

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
93KB

MD5
ddd023c163bf29c005c40cbb96e7f743

SHA1
c4e4adff2a421018fe539cfeb612f7771f059ffe

SHA256
40b2f592aefd2db4f709fdd4be521b0e6608591dc3d42be604886bfd3d369d06

SHA512
0667e9f81ee45481cdc125fdc3baef3fa94b45b90693a8eb838ee0e96488e211560cabd065f381ecc8f227bf1972d26cff601fc318dff16fa72254d5657b4730

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
93KB

MD5
f20929f96b060e605ef93a5ef5a054f9

SHA1
d5cc8e71f1654c369783f04101edaadf4f4aa458

SHA256
30acd670295201c2c6dffd4d750da8e39f63c1cb5c1886e5bd488f0d597ab080

SHA512
5e277f837482c79ea46606b4873eb8b77fb095a73575b77c6edc22cccb21dabd40712203084b595f6e30006d51d425c7f97f07edd065ad4fe8e154442c2e63a0

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
93KB

MD5
69c1ae6cc9a2a12a2013574bc17c8d0c

SHA1
d21880484eaa8b91059c09da71858aa56e1cffe9

SHA256
8cf624d938127c75774b86e093f0c2401a72fd8caf607e7d446ac37e99b6e5a3

SHA512
567f26cb3d22459cb65b6019c092c275e68afebe27fb4476c7a279a4c5d3bbc61879c3c7f8ff535b955341a7f67545f61c8e4c5f69bf57ac3efa51ed72c1ae40

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
93KB

MD5
3c527c92cd67b48e314ed17c793ecc01

SHA1
7f7a284ebf6531c31a62debfb5f13ff5ba423d8a

SHA256
d2416113df17fd50a4ab236e3498b55b412a234c9a35bf2fa412e00a2588af38

SHA512
cdb976cdd5383bcb87124a0a9988a3b6f745a315a9f9b9a6843eccb7a25212bef89eb16cbb43413930517bf68f1263a8f48ffd1f2065aba62cbc56150c9e1292

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
93KB

MD5
4e97ed8181f3a7e9cbe633cf1f1c52a7

SHA1
8c8c16501b925916d1059e8c77c4b0a70a73e448

SHA256
b94f9d692da03011116962de7a321c4c855f760904262a265195b77015f3a4a1

SHA512
2509d8f103d1d1fa908ae6ef5326e853426f9af2b505ff43519ee828f2574684262baf43392dfb865111e98d0fa41257d8e01d63fb6f5d69eda6ca1ebf5c0282

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
93KB

MD5
c8a7fc350946e194467c113cf0eb7898

SHA1
b33664ddc03cd7385e943f0660ab0ef6725cc8cd

SHA256
2ab0ed8d19600312adbe66b890168eaf085095c415665a5aad812ae05f9dc5b9

SHA512
d3feadf6b7d223b88a47f8ecb86aba495b6cc3537a173eb22fc27d416fac0ee4f7a8c0f77b4182f6b9a9e4145780c0ee672b9178440c943bea353588365293fb

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
93KB

MD5
acb236d1d6186c67186005153615d464

SHA1
78d099bd18a8a9c4993c2886f9e91008099a927f

SHA256
61e937e6a23fd4263e3b111d319904550fab55cd614954955d3774b4eb1318b2

SHA512
eeea5b2e178d3fc833306c3caa7191014aac47f1e3716eb48f4b225cc8c96a72fb1a2125f39f0b6225f356e43c0cef23f651fa1bd3396cb1682f8eb6af5ef041

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
7a0e981fc9e5d61688c29ca2b7fea58b

SHA1
c195dc94453a25cf14ca00e7f888a4ed6e3b1aa8

SHA256
a67ce94d98524b535aefe54c9d15ef9b5bbc58a8c662a368c515ae8b2198c986

SHA512
cd8ffe9936681f2b411d38874805cc18af25cde2dd01dad842454375732a7130760617d155e905978336fdb88585852803b69c3ade686c115434e13a64765f01

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
93KB

MD5
68d59d338125e0944a3ec5d12bc42aac

SHA1
b5ba28a723d381b677d9f062c6da359ac9862d91

SHA256
18c01f6f9f76d3bb9f2d876f49745bb29e9be9b4e642994d4f4da2015b94c732

SHA512
3a5cee09d40e1c9e2759e3c4fe44bdf6dd443946584dd195a337a7fc15ac916875f4671615701aa8ce93a7d79c7d65056eb8252790de4a581a283c043699bd88

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
93KB

MD5
51049c64aa383aa9424168284d8b5c97

SHA1
8b8e8f8c71d10a93de708deee511fdee0451ecc8

SHA256
118c5edb04347f6da0099358a221f854dba9ca0966317b874a34ed57081412ab

SHA512
24f75ebfa81e2cc7749cbb185195026597edef61d71ed0474cd3cb056adc00a46be75bf218a2ee115b831f49d4edae6c99408e3da5ef45a6bcb4b14172040e42

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
e96edd50946519f4f9b76203a68ac236

SHA1
781b6b02c04bec70e2a2c9551d96ae32b0cc2dde

SHA256
4733f5599d6a377e7b506042a45cd78e23826acd44f89da1cbaaa955ac0f4d59

SHA512
68a6b3874f9954e5f2b5e4c5f5ebc689baa98293d8ed23a4851bc6939b8583fe98f2c6518c0506a78515111aa27e1cefc0b510a997e1239267ee52c8f57cb959

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
93KB

MD5
b4bb0acd3f4d03389bbb4445282519fe

SHA1
85538f35c92209358f2ad99f9fd10b21408532f1

SHA256
b18490848261fc818b3db52496776b4d9ba0799b76babf767f09141eec244566

SHA512
81432856afaf0bcbb6812be83e5d16650b410b40442164d9432fa81a7f3904bf1b6e9d8109649b8b9f6e0c0a5bc9260fdd1c2764800d4133f4b29c974337e202

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
93KB

MD5
576bd880c82f9f0ef49069b65ee28ef5

SHA1
c1263d7e7501dd79c76ea799688f7dc90aeff79f

SHA256
a70457500efb24a3503a9d3dd0fdb940f51bccabe36ed1b86348c41679106b32

SHA512
7c6a32fa02df8035094fd38a2a016218465896ec8cf218c90c7d2712535dadb3d62ca34cd67944678089c1f9356e5cbdc5687b835bbe309f1f247f48f2d1ca7d

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
93KB

MD5
9103e8483cdca498c22cea8145c32177

SHA1
b3c64457d3ca87238daaf6742da8028b2782121c

SHA256
f2c2c91e0262a49e1a5166a75cd37f076ac317464558f7433f444bdc78c64e71

SHA512
8909540690360f9fb81aa1767e33d0b5c1133bdc3e420593a73c74789d93c90e2efdc7635e06adc7ae87aa33be57f6ccaf1623918107d08cf154eac95bcfe7be

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
93KB

MD5
9a68db438b75521e5e950f3d54135812

SHA1
51e92d2f9da7179a6ee9ae06754a82470762c70c

SHA256
a6196cf0a4b2ea21014b84c2d2c7a9fdba8dace6870965eb97254839edef34c7

SHA512
c257b6a45b85e0111254416a8d0d29230f4ad507d0e829f23b393a3bd47ece133ef116ac7c414590c1339532206b97ec3e6167499fe2f86d7e6ba11eb6d986b4

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
93KB

MD5
2e1ddd7c26ab76011e2dd89f72108281

SHA1
385c63debb186eaef334a5bb52340d548f690f43

SHA256
b9940fde3411cec9566378c83b0881d70c8120a0477a643e14dd2b337d7eee36

SHA512
201c85a5a2023fa317822d67be9e1bad224c35cfc1e2565fa5208d45ef64e4d386c99b43c4694db6065af4255a60cf26dfe4e3d7d0c81ee32f222ce73d43b17c

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
f361510ad081d065f03e09c82d427c84

SHA1
a5ac9dafa616958de84b09722ec0290657cf3313

SHA256
2e35eaa94723266e1e598e855e336a46faaf6d65e77d89099967a94360cebe5a

SHA512
eaceea335fd9f0a3f8386e293536eb09cf8cccc535fb845e8018a65c1408b99347d8feb890c37949c5329aa14e27b8524ce2fd051890c0e27a7ba114d4131d6f

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
93KB

MD5
5e3742028165953353690a758b4e5276

SHA1
b9c7121445f35bfe066df859ee3d36543dde8397

SHA256
e9cc37a96abd29c22633b1112fb47a6ad95fc0cc7b42e126660da3a4e2e5baf9

SHA512
22c31f86116a43031915a5f3dbe697d363843f2dc57c197381baf6b5155000d505fa67e988d9021f09c3c193532977b87be86bc21ec6c20c6fbe230c63bd3e15

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
1ddf2aafd43b53167eed495109393e1c

SHA1
dbda0f18fc205881aa414bf6ea1c563aed5df827

SHA256
adef599e3008645316a1f19853e2873920c4898a20df50735b0f001a381a06d4

SHA512
94103e566eef47fc87f58e4f5d2b61caa3e71ff9d24c4b9e6aa529815c6b20206ba45a6b2c2a120ebd5579a399ccb30d48d524590a9fe09af465ef159c368c36

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
80c1f14459ec24cf2466445e1a36316c

SHA1
ad9114754ae2168c2118651888e963b545cf8603

SHA256
bfc8a0db49872b0cc610f677d8a62013eed2098290045f287d6227d343380f3c

SHA512
d121071b92b660d6ae558597a0391b5990d9aa12936df17bc8fb83e9592f46d26e99a897c156cff7495c4233612570bd5b89f5425e8375b4a64f67d42e8cb1fd

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
93KB

MD5
f896c1ae5f8b66534d6e10f494caa768

SHA1
b1ce1d66add8e5668d13e1e8617faa75473c3b49

SHA256
e46801d7d027ef090b474c45bdb875636f10dd8241a20382dfc4506299042519

SHA512
90a4f9419fe3fb75531502d87e470e735b5bc4f01fb14b489c8352887c398c9b18758595307343c6edf541f53278933ae27f6fe7500639fc94f2a5012c587be0

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
93KB

MD5
c700f8f87f3ca1d0bbc512a649ce6305

SHA1
2cf5b9b46ca249e706931a51fa1067f07753c323

SHA256
1a3719e8c7b9df99db847bb9566b9f2ff727c1895c811d6cff0579f24c563461

SHA512
d6c953ec8b2aa5c443b37edb1d79da586de816860bcdc4c910c9644f759c2ea382985aafaf0913ae098df3773f3efe07480b01fb5f15fb8c9fe4706f7e60cd5a

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
93KB

MD5
6deebca64458d2af858934f91e1d366d

SHA1
60c1a7a1b883ccaae7965b8b12f1b018a61a87dd

SHA256
e4eae4ce40ff1ea40368f179eb1379b5e4062b7acbae99627739b54605baf309

SHA512
1e1b3ee94c8d7944c0795c1fe7e8145902d0fb2b8737179243548f28b4dec4f5f1966a4abd4a3339d28b833dcde3a03dfcb5c4b27d221400bf43d666eceecb3c

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
93KB

MD5
2cad20c5ca1c0667237519cacd4dc688

SHA1
8b72ebda0721ee42f740ffce542a60f92ef774cc

SHA256
ce59a8eb5dd492deb82892a022c6c2cc297b42b7bfb47be4d08f7f16bb2d971b

SHA512
81457bdd8814e819f039dbc469986af72d303198e4e9caa8519de35a6d4d8517a2882e5bef43d7b683cb1474f6c5de66df00491ac6340e3ec4209221bb8ca752

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
93KB

MD5
762b3546d40ed96881fa6bb33caf6c86

SHA1
19a4937fa71a12e08f30073ff64ebaa9049c5eed

SHA256
4e3bccbc15003bc98eba63d3f36cf3901a252e3ca61dcacca876b5e5d6b234f3

SHA512
4e920bfaad2918412d25af898d8e06cd40d8b661f8fe16191f5366a39d738f1491fa67c185354b2711b3e6624fab54bba197eaad2de811150f0280608eb04a2c

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
93KB

MD5
1859d609765ed16a793052f1e5e5cf21

SHA1
7e643281fb47b274fe615a3baf9a923a3614d093

SHA256
5d24496dc1c7a024a79073cbc88e1ee730e8036bb9cb24b4bfd09e8ff93f75e6

SHA512
9597979eedfb2b267c5951473952495bbb620775fd918ee349f939da1adb9565d36a0a35be5fde1c5114ce3cf9c5974891ef353b2e5454176678beeb15f6244f

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
93KB

MD5
528b9b7f533301c8800f45d349b6092b

SHA1
63f74dcb7fb1c7431092465f4bf8a9e081933579

SHA256
61658c8a27541807c1920fffefb3ef45b3bc4822db5aab21c9579cace4fee5c8

SHA512
7096cd561bba0acdecafab830cd9c0088588d9eec4caad1ac0461b5934841f0e3dcc363289db58188431d6fdb9acac6065436fc1b9da25dc611ac2fd4392d519

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
93KB

MD5
82d3d10f0b98c71581d81d1650dc4bcb

SHA1
bab64f44fc9e9a7e5ff84ae861048a1afd961755

SHA256
3c69660b7bf0b394d04d089e0cd9eb17bcc53a28395a9d87a69dc079b4f3acc3

SHA512
daa1543c1d50a1de23923088cbdb5826542e31c841f41dce3da7c97339a79c3e69f06645c76c5b238ec880d2ce17e1aa8b858542454695a87f4ad239e5f3bccc

Download Submit
memory/384-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/512-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/512-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads