5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 08:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe
Size

79KB
MD5

7e9506e0644dcf22105e525a5cf9d657
SHA1

397b2f6de470be82e49bdeb957549805b83bb1b5
SHA256

5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f
SHA512

3b9db350b206ad1ddf59a40411b7fbf195cc574c7f3360077171009d7a72cfbf68d3f31d8170b8779e827d01ce0683a1268eb84a997a1a9c00d8195a45e56733
SSDEEP

1536:cAnPLFmDe22r4DtzboWCAaYbIf1UE3MAjMbXLUEoiFkSIgiItKq9v6DK:xnPJm0XMNxyMnUEoixtBtKq9vV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe

Executes dropped EXE 64 IoCs

pid	Process
456	Ojgbfocc.exe
3736	Odmgcgbi.exe
2628	Ogkcpbam.exe
4876	Olhlhjpd.exe
3232	Ognpebpj.exe
3496	Ojllan32.exe
4788	Odapnf32.exe
3576	Ofcmfodb.exe
1920	Olmeci32.exe
432	Ogbipa32.exe
1656	Ojaelm32.exe
3256	Pmoahijl.exe
4208	Pgefeajb.exe
3316	Pnonbk32.exe
4268	Pclgkb32.exe
4640	Pnakhkol.exe
3236	Pdkcde32.exe
3888	Pgioqq32.exe
1144	Pncgmkmj.exe
2936	Pdmpje32.exe
2316	Pfolbmje.exe
3020	Pnfdcjkg.exe
3204	Pdpmpdbd.exe
4356	Pfaigm32.exe
3632	Qmkadgpo.exe
4512	Qdbiedpa.exe
3744	Qfcfml32.exe
5064	Qqijje32.exe
5112	Qcgffqei.exe
4580	Ajanck32.exe
1536	Ampkof32.exe
4064	Ageolo32.exe
3016	Afhohlbj.exe
3156	Ambgef32.exe
3596	Aeiofcji.exe
1428	Afjlnk32.exe
2064	Anadoi32.exe
428	Aqppkd32.exe
3320	Agjhgngj.exe
3360	Ajhddjfn.exe
4528	Aabmqd32.exe
5036	Acqimo32.exe
1368	Ajkaii32.exe
2728	Aminee32.exe
832	Aepefb32.exe
64	Accfbokl.exe
2380	Bjmnoi32.exe
2092	Bebblb32.exe
4524	Bcebhoii.exe
4560	Bjokdipf.exe
2672	Baicac32.exe
4796	Bjagjhnc.exe
4384	Bmpcfdmg.exe
3340	Bcjlcn32.exe
2772	Bnpppgdj.exe
3992	Bclhhnca.exe
4296	Bfkedibe.exe
876	Bmemac32.exe
4176	Belebq32.exe
4996	Cfmajipb.exe
1496	Cabfga32.exe
2428	Cdabcm32.exe
3756	Cfpnph32.exe
1576	Cmiflbel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5196	1864	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 456	5068	5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe	83
PID 5068 wrote to memory of 456	5068	5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe	83
PID 5068 wrote to memory of 456	5068	5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe	83
PID 456 wrote to memory of 3736	456	Ojgbfocc.exe	84
PID 456 wrote to memory of 3736	456	Ojgbfocc.exe	84
PID 456 wrote to memory of 3736	456	Ojgbfocc.exe	84
PID 3736 wrote to memory of 2628	3736	Odmgcgbi.exe	85
PID 3736 wrote to memory of 2628	3736	Odmgcgbi.exe	85
PID 3736 wrote to memory of 2628	3736	Odmgcgbi.exe	85
PID 2628 wrote to memory of 4876	2628	Ogkcpbam.exe	86
PID 2628 wrote to memory of 4876	2628	Ogkcpbam.exe	86
PID 2628 wrote to memory of 4876	2628	Ogkcpbam.exe	86
PID 4876 wrote to memory of 3232	4876	Olhlhjpd.exe	87
PID 4876 wrote to memory of 3232	4876	Olhlhjpd.exe	87
PID 4876 wrote to memory of 3232	4876	Olhlhjpd.exe	87
PID 3232 wrote to memory of 3496	3232	Ognpebpj.exe	88
PID 3232 wrote to memory of 3496	3232	Ognpebpj.exe	88
PID 3232 wrote to memory of 3496	3232	Ognpebpj.exe	88
PID 3496 wrote to memory of 4788	3496	Ojllan32.exe	89
PID 3496 wrote to memory of 4788	3496	Ojllan32.exe	89
PID 3496 wrote to memory of 4788	3496	Ojllan32.exe	89
PID 4788 wrote to memory of 3576	4788	Odapnf32.exe	90
PID 4788 wrote to memory of 3576	4788	Odapnf32.exe	90
PID 4788 wrote to memory of 3576	4788	Odapnf32.exe	90
PID 3576 wrote to memory of 1920	3576	Ofcmfodb.exe	91
PID 3576 wrote to memory of 1920	3576	Ofcmfodb.exe	91
PID 3576 wrote to memory of 1920	3576	Ofcmfodb.exe	91
PID 1920 wrote to memory of 432	1920	Olmeci32.exe	92
PID 1920 wrote to memory of 432	1920	Olmeci32.exe	92
PID 1920 wrote to memory of 432	1920	Olmeci32.exe	92
PID 432 wrote to memory of 1656	432	Ogbipa32.exe	93
PID 432 wrote to memory of 1656	432	Ogbipa32.exe	93
PID 432 wrote to memory of 1656	432	Ogbipa32.exe	93
PID 1656 wrote to memory of 3256	1656	Ojaelm32.exe	94
PID 1656 wrote to memory of 3256	1656	Ojaelm32.exe	94
PID 1656 wrote to memory of 3256	1656	Ojaelm32.exe	94
PID 3256 wrote to memory of 4208	3256	Pmoahijl.exe	95
PID 3256 wrote to memory of 4208	3256	Pmoahijl.exe	95
PID 3256 wrote to memory of 4208	3256	Pmoahijl.exe	95
PID 4208 wrote to memory of 3316	4208	Pgefeajb.exe	97
PID 4208 wrote to memory of 3316	4208	Pgefeajb.exe	97
PID 4208 wrote to memory of 3316	4208	Pgefeajb.exe	97
PID 3316 wrote to memory of 4268	3316	Pnonbk32.exe	98
PID 3316 wrote to memory of 4268	3316	Pnonbk32.exe	98
PID 3316 wrote to memory of 4268	3316	Pnonbk32.exe	98
PID 4268 wrote to memory of 4640	4268	Pclgkb32.exe	99
PID 4268 wrote to memory of 4640	4268	Pclgkb32.exe	99
PID 4268 wrote to memory of 4640	4268	Pclgkb32.exe	99
PID 4640 wrote to memory of 3236	4640	Pnakhkol.exe	101
PID 4640 wrote to memory of 3236	4640	Pnakhkol.exe	101
PID 4640 wrote to memory of 3236	4640	Pnakhkol.exe	101
PID 3236 wrote to memory of 3888	3236	Pdkcde32.exe	102
PID 3236 wrote to memory of 3888	3236	Pdkcde32.exe	102
PID 3236 wrote to memory of 3888	3236	Pdkcde32.exe	102
PID 3888 wrote to memory of 1144	3888	Pgioqq32.exe	103
PID 3888 wrote to memory of 1144	3888	Pgioqq32.exe	103
PID 3888 wrote to memory of 1144	3888	Pgioqq32.exe	103
PID 1144 wrote to memory of 2936	1144	Pncgmkmj.exe	104
PID 1144 wrote to memory of 2936	1144	Pncgmkmj.exe	104
PID 1144 wrote to memory of 2936	1144	Pncgmkmj.exe	104
PID 2936 wrote to memory of 2316	2936	Pdmpje32.exe	106
PID 2936 wrote to memory of 2316	2936	Pdmpje32.exe	106
PID 2936 wrote to memory of 2316	2936	Pdmpje32.exe	106
PID 2316 wrote to memory of 3020	2316	Pfolbmje.exe	107

C:\Users\Admin\AppData\Local\Temp\5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe
"C:\Users\Admin\AppData\Local\Temp\5f7d90ff4a830abbe3905ac4f33f8b55b12f269d93c389fcd9675d09297d781f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\Ojgbfocc.exe
  C:\Windows\system32\Ojgbfocc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\Odmgcgbi.exe
    C:\Windows\system32\Odmgcgbi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\Ogkcpbam.exe
      C:\Windows\system32\Ogkcpbam.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2288
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        77⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 404
        92⤵
        Program crash
        
        PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1864 -ip 1864
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
79KB

MD5
f183a598059ec5d2ccc7c81bdbb18fb7

SHA1
8cbc5e4c31ee424457f1c0a5c99f02d2802d17af

SHA256
3b86c85b0e0bc6fbbd19425fc64772564b2e5f5c99a9853dd52ed95329c6cf51

SHA512
5a3cfe983c815e0a61c49a59423247b6892d9e87df1ca79cdca67a6c73f1be3591967e3b14c21bc75d89604d0265b9cba503303d58e79277304c3152adee4c6d

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
79KB

MD5
36590114fba762c97515dadbeeb370fa

SHA1
28c9d9f47fe4def97c561328607ee5abae01639e

SHA256
747199b669e7e872a98158ed37d2fe4911e8da0dc71d94069a2e3da2605e3e18

SHA512
5cadc676ede3fd542e8e82ef90c6605a36cf374c064327cd2fccfc403c63686c1fa23468db24429954a50de5b6be561ddff9640f1a7ced1cee2fe619ebb912e3

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
79KB

MD5
58990cf16dc047ccf912c6c3528d7fd0

SHA1
8682ba2114044c33d5a23440c568a8ed307b92eb

SHA256
9f0262309aabcf6a0147ee266399faeb284b75b49cca947f0b1f934639dbd81e

SHA512
3cc92888ebb3ff186dda5854418b033271b6e8f8e275936cfa4fc0966f45f2af909f4037fcaac8913380be5c216c52ab5c88cee038f07bba434142967f0797b8

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
79KB

MD5
bd8e2144cc02ffa7d787190ef6870856

SHA1
0f05ee75965cf5b4278d0e444f6e1e1d085ab65c

SHA256
837a24529fadae0db485aa1155cfaf923dc4d9b08977f41288a45441a661a6b7

SHA512
0e67a99b35e2189ad507c4dc5cc5df385bfdc88d71cc520db92c8524517c4997b7055b043585cda6154fef6bcca7324ee3a05e9bdeecce5f974c9753f433abf9

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
79KB

MD5
c349ae82fa177981c8b861f25534bb96

SHA1
91905cd9bb1bf312a6e7eac2758e37a1d49f4388

SHA256
29bc527a99191ea57a5b815c24776fc7ab564491ae99c3912a4ef2cef8e96ee5

SHA512
de82850f80ac1fac50901ca4a72fa933c4c8cfc67565229e4d4a6249d1916cb33037052cf592d1ff97151ae94b0bc35f221d3e99a91170745ad1091ea3117463

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
79KB

MD5
fef1680bbd14f3a2012f027d4d1dcbbe

SHA1
418ea5457697c741e15ff6d45d96f317cf3661e6

SHA256
f28eda548c7ed73d4713eab8506c652e42963b75a045501ae5fd6f948848b1f0

SHA512
8d543eb81ccc974602ccb9191876a801d25be6904ad4631f7b72c8d45f6e00edfc7d09f8a28a312d3abb94c2c72d7f3bf10c2090d64667cb10c317bf60a896e9

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
79KB

MD5
01798eedeae04f111678b903a2e2cc30

SHA1
6f08cc58418d11974914bf6a0d74afba692f5d62

SHA256
45cdf4ea4ef3c48c37f693afa07318adf78ce833443fad731c751d28cff7ec26

SHA512
5aa3c7b33e8130505219bc17ce1f3149b72d7da53e45c3da7580bda45ec65a599d2e56558b3a97b092af4e69f6ae39322f21b259c715bf175f1922bd55368c97

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
79KB

MD5
850b4bd3b73601a50400f182419dc3e4

SHA1
6e311225c4629e6e5e92cafdf22832204f96f8d7

SHA256
f8116b4337e1f56eeb18c80084005b8eb5758ff13d2ea7d74502b5c4c2542597

SHA512
42612e360a22efc45e7b55293bdfd5ff80363aeb31eacdf02b7d47978fb71e9f116f192b79876b3378a05e8af4917add88bcbcae8a34385ce34652a4d05cc572

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
79KB

MD5
3ca2eba9225ebe299610e21b784b45c5

SHA1
5341d34fd52c4ca92ab64b8ae9e4983705474245

SHA256
ecbfd42c75f0417c98777f5b2f9a9768098ea04bfc6f0995134c466e5255c219

SHA512
4c690f3ead6a42dd754ef13cfce4c492c29a866087776305f64e3536885a80982de32d1ed706bc0bb8c5c7bf1d98a48c50dc3cff67df1ce74a40dc5e37e08857

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
79KB

MD5
d8a8d8e175bce959ebd294d0680a7984

SHA1
28be47d3416de5aa3cc1067edca06d8440dd2956

SHA256
bf47c8e4cb745d58a8583c032a35f1d423ca42a844bee2353ec1426b020777bb

SHA512
1732cc5fbca2329e9b24d29942d3acc39138d9fae628f5596afa219f047bba548f1461e341a60d9ece93137b606ac34eb13ff0217d215bdaaaf9b10ee62b423b

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
79KB

MD5
22ebfcfc8896b0b55383ae38f0445e98

SHA1
e063fca6a373afd0402fae2cb5887101827cb523

SHA256
66ead2c0f44508a472747b3afd44dbe321fe37fb9a2e6f227521d39a5b1a5a8f

SHA512
3c92a2fd0462176926dbf3d5499ed3d55f07f58c0f23944369ddeb1d7cdeae30d1c722c8e80fabd42ba25dd8877ded5c5d665146e1ae32b22acc47ff4f2c4b97

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
79KB

MD5
20181116f4dc909ca1f599a18c36e9b7

SHA1
ba353e470e606651b2d7586a631cfa955f0d872d

SHA256
68b00dbf16ada341e3aebd1216283bbdd8e6f67072039c475a5065f333213e8d

SHA512
4ba934983f2e5aaaf75aba7f8a515b2fbfb265d417239548195b0a3ca52468e7b32e3a7f98071a082244cba66e869902fc29e8f1dff51e3ccacdd389733ef06c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
79KB

MD5
9154c960af929daa3628d141bd649e69

SHA1
c3bc96a7f39c80eda49623d5b4337f50756774f4

SHA256
e346e6b5fe82e1845ee37f4abda6bcb99bd2f43a2fb0bccc779cea2844abc277

SHA512
d1c77e52b7665041c9d2fd90cf80e94dd72a4311e5a76c6539e769a7a71023dc39c9bbbbff3124748249e2efc76509a9925e900ed55e0a44a78fbfeafe911759

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
79KB

MD5
19d7b609fd4094bdda2e271f0284be0c

SHA1
1aa4a5f0b9234c9b29f10667d0b2ac6be7a58e94

SHA256
09090fad93290d83c4e648a8fc7dfaaba536d1b2ae61de0fed8ee0c20faa2ec7

SHA512
70727edd7bd771722a964e052d0e879da36c6043782c94032165eac68e86fce8c769567d36aee147c78370a68200a55b2dce3f6b6cf2a9d86f956295451024b5

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
79KB

MD5
9eb2e8ba6bad5e75f978bf1dd1ccde37

SHA1
13a957a50398cdc7f61c6ad57de4018cdd54a3b5

SHA256
013459099b588fc57411b5d519500a9745f835623f07986ccd637e66a6ecc7a0

SHA512
95b9ee579dca241bb00cdcabd9c76737be5572ee58cf91d1ef1790324ecdea723100dda3ab2a8ec8ee289954896df9a3b77fd87d0e6d751c3977f22ee78ac8c9

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
79KB

MD5
755d781ed2a0365d0b77aeca358fc6ec

SHA1
e3857d05e6c0893b42d5458c4f0f854c91904c45

SHA256
4a2f00f911b471b00f015870ee5f0fc3c715fc9f8d31216e2ab9add3c91183ce

SHA512
e93e781a5fb42bf733ef60b1d85c7417ca4bb7cbc32ea20904edcd72425698844921e20bc93d5fb609e3359b612ae2ac5cd0921e22f32a21a0fc551f2996b66f

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
79KB

MD5
7a70c1569d73f9639b8db3152a2b5bf1

SHA1
639be673caf4659a4337b9b042d1d97b33b5524f

SHA256
4e1017fd2192140bdbb7831bb905844c732e4e96a136ef055a7e8fa084a92de7

SHA512
9920f24bcbbf975da0f1ba4b36124093f26fef00ebd156c4fe47c5a1bbc48d30316213ac3cabd0b494c8c0fb1bdfe47a17589d09980cb4c39834f0fbdfa6502c

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
79KB

MD5
92abdbeec034d93d7f54a83ed9a23c4b

SHA1
abcd8a56c314afb02aa0e035e251286a5928cccd

SHA256
78a5ab25597a17b0d862f0975b38c1f9018bb583207ede3d9f90a979df50a22f

SHA512
e7ee6ca18e26e77ba690b25808fafcdceb4c01b758c5739a401dd9e27147fa7e8254df3eae777104caca2b66fa08b534951d8d08754d5c5345f0c803cc8798dd

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
79KB

MD5
537073669d0b6407381a2b8dedf58d70

SHA1
813cbeacacba9ed7996be69edfab5bfb2a77ce70

SHA256
fc86ce881aaa2fdb07c791aad3767fe538bbd9f39240c0a89bf856ac33e5979c

SHA512
a02b405e8d8fa4a40f578c8912f9e289809dd55209aaa2b3a73e1193e41ee1a01caefda89b9d5d4685c0e3a821c61bef8eec668745497cf5a66055f783a7e431

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
79KB

MD5
71838b326618aecb0793bd2c7d24a8ab

SHA1
8d9ec53eba78fe4322dce68a57622fa8774a9212

SHA256
17d47fa1f3101ea2fd55182cbf2f0ae44ede64af05eada84a04167ebdb06f4d8

SHA512
3eb1a1b7c29817d25b35ee329b8e065ee4a494df184bf30bd3c531d9d0dc1c3b81fbfb96e6162acd9c46f777d3834337a16d7eeec0f435cdf70ed6791e171aa7

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
79KB

MD5
f12b2e66ed99c69928c3f17b5bb3fea4

SHA1
96e5ea58142473fd9792380f5d839093429d823d

SHA256
a194f2f017c0e62e5d36470b0da2458c1d19e28859656790b4dc7ace2d7f1edf

SHA512
0b6deedd7686451a2a28ce4fa5999cfd9b12461284b418d223c20ff66dcd543eda3b9bea3a87a06a59140265af027f26e357a88af76a1c56d6998cde0a3f3ad5

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
79KB

MD5
3c9a70427b9ef509d6141a34fdcc62dd

SHA1
856038563e58edf59fa61757b5db519202e2e1c8

SHA256
f8ffaa86186da18e7208d16b6cf72024149cc59f18e82bf6695d9c9eef371503

SHA512
9a8b8ffcc18ce4ef6fd50207c3fbaf39a73c585d1c92358053543a46dd0dda46f243004e56dba3fb3bc3381eebb42b94c4c1cace64806a9e55e8d2e6d98c4472

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
79KB

MD5
a120392c0259cf0b9125d95213fb47e1

SHA1
8f8f65c8240a52889bf8e8620549269f2801ae12

SHA256
e7e7d803d4e86eed0338eb0128f311e146cae6cc4da6db2c7b8f8ae616e49c76

SHA512
2a17fcd25da15848e42a1f6a8c12a1ef4008d91999c01027ba9e7e185410591c8df1865486eb272b97dfe88c3aec5e820b4c043a9f0b90c21fa0212e7947c5e0

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
79KB

MD5
86310171cd5566877912af2b36a88a3d

SHA1
32c73d6516e2fb68390557e8a75c1cd2b75ebe2a

SHA256
39ae05d5ff04e3aa8bc6778efb85033a4194964bcd708ba233a765cb635acd0a

SHA512
890f0b229e76100d1d82749c5fd5985cc21e7cbda439726e1f87929434947287c52cbf3b8c082a8718e5492bc7692195ee03871478a376c8901fdf9f6e009074

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
79KB

MD5
f23959bbf5e1f4703d893cfd14d32ece

SHA1
030f10419679a01e6393f129025343218a88b404

SHA256
0ceaad4fc126c34a8fcc64a3c73ee560454720390b7e54689f92715678841a98

SHA512
633ade05991cb0351e22cae5c4247be735c96400fa9f64c47be33c18927dcf988e39609f6b7707e152626043e02720e754b691a22658e0dead9735b8abbaafe9

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
79KB

MD5
b29e6b7f98f556d150de1c6c9ef93882

SHA1
89be9ba75c8d35bb9af51da65158ac29072898ec

SHA256
7354cd98e9f637cbc336ba9346a96d1100cb933c1d93339729fa8fc98e2f2eb9

SHA512
85cd951173fabb48a137cbd6bfbdcf6707872a8741fcb481b9f60b48f81a2ea5018768d0e48b89b1672485544246e2fffe7b9f44b2e5ba14ae8c99174ba05985

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
79KB

MD5
18ccb4f5f30f3fc581a117ae4a8f6373

SHA1
5ec178ac3586a889faaed13df6874980baaf01b5

SHA256
ba986cc348141523622e091ef5f293cd1cbcc0a6704da27239ca7eadeb08b7eb

SHA512
7798962c6563dd919a39feedb0deb7c0f05964a8c9ca030078cb3934935c0bc2bdd8059f2e564a8605df71b849e98b820750496fab82553a1ffce7ef46202d46

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
79KB

MD5
edc5cb5e3acb2a7b3e6d1aa327c5990e

SHA1
8297f8a9c4fe2170aad573df720d672f94b63c62

SHA256
61b68f8cc4d374c45b1cf9e611db6753b89c9e32fa036a39755b5fe31e55afa9

SHA512
0c664ab4d22ea32f69b120043c9270b6828a6667c041b6d5dff51d58ea84de1e579e5dd189886bacb0e3876bc2dde9495cda97a837053741a1148a26fa6c8fc3

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
79KB

MD5
59d7b142780c6cc8714c38f589c8254e

SHA1
46b1e6ec43ded5e5dce1bbd3164726fd4e7f11a3

SHA256
0ec8e80a2326d280cb3e246b780cfe895924f276f8e35289df5a9f53c82fb3c8

SHA512
081653b08404f2deead046fab2a7ff1e5aaac70837235b887318a022696f5271a9f80ac796528e385867fbc3eac03cea2f9a7884b539bb0ad435f8a37b3428b4

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
79KB

MD5
467733710e1a1135b0ef460ed4fe64d3

SHA1
e1ddc8069c0529e41859d8c82907cdd342a27f1a

SHA256
ca51c6d5c5fb8ef7b50fef616c6f24bcda0e204e72d8601e088ecbb76d14ba7d

SHA512
6a40be0a3d8f8db744892c20361e42b11d28472dcad6fb846722635f0ebb1fa9c277eb7036a0194e0ff078c2887d82e0b44f493b47fc7d8227ff8eb66f740cb8

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
79KB

MD5
bf092eff05922862c34d10f846296433

SHA1
bde9cd9efac956960679b251260f1b8cf98add50

SHA256
509db1a0d90528df5ae053fd1690b3a1c4e25e046e483f44dd11171bc68194e2

SHA512
f539132b7d8f6c70a485981d169509457135b4f14709656e2619dc22cafcbef9e8e2e9a96a611b3be95f997ea75ab76cf4e02ab62e5d7e625e6ebcd5108649b9

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
79KB

MD5
ffa1cc18ac96aecf66df1811e873b154

SHA1
5e5968728f24d0d9f6f5fa66ac05c9631938be8d

SHA256
47c4f937844f01ca72ad7362ee8a9410a4fe7bbdef99b27fc93c8fcbcb165b8e

SHA512
10c509a5cf3ce30911ebbc7e809806e2860dbf5b9aa41d40290082e016c559d930ac83e733f3dc2e8fdd0412c1e50f1d61b970812151bc84a4a9292a6d6e4049

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
79KB

MD5
54826d12082731267f5fb322991af12f

SHA1
d033acf9f531904122d8d6c0e3fbec8e9c8ef629

SHA256
abd847787d3e1adce4c0abf51d05cd097293b1916fb9149c780b69f086ec964c

SHA512
c5c3d89f0e383dbc5f3a1afe48f0572e69707dd37a175272d5f8a3a1857daaf6f0497bc7bbb91e448730c1a712e2fa7aa830fe2779e928ffa45793f363af59d2

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
79KB

MD5
a3746d30ab87c8591a5c4f87a0b81a63

SHA1
d06334a4c3b3bab9c6f03d442a9619d38d7da9f2

SHA256
afecb52e3e30c5805f8af437fbf6e98cf5c46abf049ecd874dacfdf682dda8a7

SHA512
9bab665019dbb2d6d377cc0f4d32d25f5a962a7d6c249e1eb88c7de78839a0dda36cd5b53b2288f44412b6f0d8a976fc32c6cd0e9b109489112d0698d83575ba

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
79KB

MD5
f71aadf40d7fce628efb210c624d81b4

SHA1
90f4e0335510f295dda9be1044fbd5f9f1efcd90

SHA256
be4b1760c8ec8aee8787620cb5a3013bb56802d43c79f9e3102475aba1d3adf3

SHA512
8834f3deed1bac956f481122ff21c354808a780b18fb6300bbbb235041bc6c0dea0fc0a2aa028e3068a53fbb1b5084d0d8b1ce7bc0196e16c17a7cd4b88a7cb0

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
79KB

MD5
9fc4f6cf737ab9d941dd2cc48144e5f5

SHA1
590a6431c36a68c01a258b3e90b4ee0203723ba7

SHA256
118179bca3876ca2cb4c7be31d09b3dfcce43861ece37db9f31ab1ca2275c5f7

SHA512
16162ab856d520c9c12b7ecfd18463cfcbbd1ee1a4f3feccb803c9146af1cf97d8943e61660965002f395425550d155e770986dbfd18fe9c857804630509c9ef

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
79KB

MD5
137b0ea29d17a24aeac3d660f082640f

SHA1
3e2f7ba931854d0e2297be6a78e479e6be3ce028

SHA256
3a0a48322eb29a8877a27e736834f4f5428d5b7b0cd902f02fe8b8e8ae08bc04

SHA512
a939ee5a8af80b485f9b2de24d0210b411254e3ed483878a0f44e9d34b949e87216229acf9bb18418f564d34dba8a72513eb9fa4be3ca6f2d70c652529b8f3f2

Download Submit
memory/64-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5068-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads