bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
Size

64KB
MD5

f293597e66180fb81b2c93734faf1fc0
SHA1

89965820316c63030cdd466c8ec7dd3328e6a9ec
SHA256

bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7
SHA512

923c16785f9cb7cbd5fdaf532e634324fd04da6060dc2618a3a970e8051d7c5dccdbaadcdaa2985219cb9cd956fdda79643c1c67b60cadf79e4d15c272c51f05
SSDEEP

1536:Z4MvqDwDgFyj25Qu9RhWtDaUkTDy4WHM54LUXruCHcpzt/Idn:Z4MSDwUFy2RRhY9kl2M5gpFwn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe

Executes dropped EXE 64 IoCs

pid	Process
5084	Oanokhdb.exe
904	Oclkgccf.exe
3436	Ojfcdnjc.exe
1364	Omdppiif.exe
1532	Ocohmc32.exe
2860	Ofmdio32.exe
2196	Ondljl32.exe
716	Opeiadfg.exe
4976	Ohlqcagj.exe
3168	Pjkmomfn.exe
708	Ppgegd32.exe
2044	Pccahbmn.exe
2544	Pfandnla.exe
3152	Pagbaglh.exe
756	Pdenmbkk.exe
1764	Pnkbkk32.exe
4328	Pplobcpp.exe
1132	Phcgcqab.exe
3224	Pjbcplpe.exe
836	Palklf32.exe
4672	Phfcipoo.exe
224	Pfiddm32.exe
3916	Qfkqjmdg.exe
3280	Qobhkjdi.exe
3640	Qdoacabq.exe
4936	Qodeajbg.exe
3172	Qpeahb32.exe
4664	Aogbfi32.exe
4508	Ahofoogd.exe
3756	Aagkhd32.exe
2168	Adfgdpmi.exe
4836	Aokkahlo.exe
456	Aggpfkjj.exe
2272	Amqhbe32.exe
3468	Agimkk32.exe
5020	Amcehdod.exe
4252	Bhhiemoj.exe
4420	Bobabg32.exe
2876	Bpdnjple.exe
1560	Bhkfkmmg.exe
688	Boenhgdd.exe
4492	Bpfkpp32.exe
4288	Bogkmgba.exe
4484	Bnlhncgi.exe
4792	Bdfpkm32.exe
1728	Bnoddcef.exe
3048	Conanfli.exe
5008	Cponen32.exe
1212	Ckebcg32.exe
4396	Cpbjkn32.exe
4080	Chiblk32.exe
3328	Cocjiehd.exe
2540	Cpdgqmnb.exe
2904	Chkobkod.exe
1968	Ckjknfnh.exe
1612	Cnhgjaml.exe
3564	Cpfcfmlp.exe
2020	Chnlgjlb.exe
3680	Cklhcfle.exe
1672	Cnjdpaki.exe
3396	Dafppp32.exe
2940	Dpiplm32.exe
1016	Dddllkbf.exe
3976	Dgcihgaj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Pfandnla.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Chkobkod.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Gaagdbfm.dll	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oclkgccf.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Bpdnjple.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Bogkmgba.exe	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Amqhbe32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Adfgdpmi.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Bhhiemoj.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Hlohlk32.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
File created	C:\Windows\SysWOW64\Oclkgccf.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Bnoddcef.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cnjdpaki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	412	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdppiif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ondljl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll"	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll"	Aogbfi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 5084	3528	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe	81
PID 3528 wrote to memory of 5084	3528	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe	81
PID 3528 wrote to memory of 5084	3528	bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe	81
PID 5084 wrote to memory of 904	5084	Oanokhdb.exe	82
PID 5084 wrote to memory of 904	5084	Oanokhdb.exe	82
PID 5084 wrote to memory of 904	5084	Oanokhdb.exe	82
PID 904 wrote to memory of 3436	904	Oclkgccf.exe	83
PID 904 wrote to memory of 3436	904	Oclkgccf.exe	83
PID 904 wrote to memory of 3436	904	Oclkgccf.exe	83
PID 3436 wrote to memory of 1364	3436	Ojfcdnjc.exe	84
PID 3436 wrote to memory of 1364	3436	Ojfcdnjc.exe	84
PID 3436 wrote to memory of 1364	3436	Ojfcdnjc.exe	84
PID 1364 wrote to memory of 1532	1364	Omdppiif.exe	85
PID 1364 wrote to memory of 1532	1364	Omdppiif.exe	85
PID 1364 wrote to memory of 1532	1364	Omdppiif.exe	85
PID 1532 wrote to memory of 2860	1532	Ocohmc32.exe	86
PID 1532 wrote to memory of 2860	1532	Ocohmc32.exe	86
PID 1532 wrote to memory of 2860	1532	Ocohmc32.exe	86
PID 2860 wrote to memory of 2196	2860	Ofmdio32.exe	87
PID 2860 wrote to memory of 2196	2860	Ofmdio32.exe	87
PID 2860 wrote to memory of 2196	2860	Ofmdio32.exe	87
PID 2196 wrote to memory of 716	2196	Ondljl32.exe	88
PID 2196 wrote to memory of 716	2196	Ondljl32.exe	88
PID 2196 wrote to memory of 716	2196	Ondljl32.exe	88
PID 716 wrote to memory of 4976	716	Opeiadfg.exe	89
PID 716 wrote to memory of 4976	716	Opeiadfg.exe	89
PID 716 wrote to memory of 4976	716	Opeiadfg.exe	89
PID 4976 wrote to memory of 3168	4976	Ohlqcagj.exe	90
PID 4976 wrote to memory of 3168	4976	Ohlqcagj.exe	90
PID 4976 wrote to memory of 3168	4976	Ohlqcagj.exe	90
PID 3168 wrote to memory of 708	3168	Pjkmomfn.exe	91
PID 3168 wrote to memory of 708	3168	Pjkmomfn.exe	91
PID 3168 wrote to memory of 708	3168	Pjkmomfn.exe	91
PID 708 wrote to memory of 2044	708	Ppgegd32.exe	92
PID 708 wrote to memory of 2044	708	Ppgegd32.exe	92
PID 708 wrote to memory of 2044	708	Ppgegd32.exe	92
PID 2044 wrote to memory of 2544	2044	Pccahbmn.exe	93
PID 2044 wrote to memory of 2544	2044	Pccahbmn.exe	93
PID 2044 wrote to memory of 2544	2044	Pccahbmn.exe	93
PID 2544 wrote to memory of 3152	2544	Pfandnla.exe	94
PID 2544 wrote to memory of 3152	2544	Pfandnla.exe	94
PID 2544 wrote to memory of 3152	2544	Pfandnla.exe	94
PID 3152 wrote to memory of 756	3152	Pagbaglh.exe	95
PID 3152 wrote to memory of 756	3152	Pagbaglh.exe	95
PID 3152 wrote to memory of 756	3152	Pagbaglh.exe	95
PID 756 wrote to memory of 1764	756	Pdenmbkk.exe	96
PID 756 wrote to memory of 1764	756	Pdenmbkk.exe	96
PID 756 wrote to memory of 1764	756	Pdenmbkk.exe	96
PID 1764 wrote to memory of 4328	1764	Pnkbkk32.exe	97
PID 1764 wrote to memory of 4328	1764	Pnkbkk32.exe	97
PID 1764 wrote to memory of 4328	1764	Pnkbkk32.exe	97
PID 4328 wrote to memory of 1132	4328	Pplobcpp.exe	98
PID 4328 wrote to memory of 1132	4328	Pplobcpp.exe	98
PID 4328 wrote to memory of 1132	4328	Pplobcpp.exe	98
PID 1132 wrote to memory of 3224	1132	Phcgcqab.exe	99
PID 1132 wrote to memory of 3224	1132	Phcgcqab.exe	99
PID 1132 wrote to memory of 3224	1132	Phcgcqab.exe	99
PID 3224 wrote to memory of 836	3224	Pjbcplpe.exe	100
PID 3224 wrote to memory of 836	3224	Pjbcplpe.exe	100
PID 3224 wrote to memory of 836	3224	Pjbcplpe.exe	100
PID 836 wrote to memory of 4672	836	Palklf32.exe	101
PID 836 wrote to memory of 4672	836	Palklf32.exe	101
PID 836 wrote to memory of 4672	836	Palklf32.exe	101
PID 4672 wrote to memory of 224	4672	Phfcipoo.exe	102

C:\Users\Admin\AppData\Local\Temp\bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
"C:\Users\Admin\AppData\Local\Temp\bc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\Oanokhdb.exe
  C:\Windows\system32\Oanokhdb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\Oclkgccf.exe
    C:\Windows\system32\Oclkgccf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\Ojfcdnjc.exe
      C:\Windows\system32\Ojfcdnjc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 216
        73⤵
        Program crash
        
        PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 412 -ip 412
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
64KB

MD5
346122ed9ee3c326c3e900e9e1d31365

SHA1
351c13b2f224b2096c533cb1816b6c1c766c9789

SHA256
36631079a0161fed43b03f828d983d62b20fcb4e94768a74bb5d8dcd80979ce4

SHA512
ecd3d52fba683fcefee2979a9daed2dcf956917e3a0e0360e5200e61c39c65809a81b258c36f0e3b618b2e6282a1c97cfbc8bd20cfebb901cb61d2e6955cf548

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
64KB

MD5
11a637ce02ab1772ba8c6b1a0843cd0e

SHA1
7af7593369b04b7fec03addadf1c49bba9870754

SHA256
bf6aea31382d1372e23368d7ccf906aefd609b686247fdf849a9a6bf6b4b43c8

SHA512
75ee3bcf3032696f6b5e63575ec2d362d9cfea3720fc7b8f1f68e0acbfe417a0a2cd2c48ff1c9acc97812bcf7dabc6b6e7ac23fb4b3f43aa203a1d34a6bf7219

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
64KB

MD5
57f95a595bb9d4c7debaa105543fde29

SHA1
080cd67021f45bd877bfe8f76a0ff1d825f25d44

SHA256
f79deb75d9cf73c868fc8233e034aff8c80390d855258d7971907f7bdbb01306

SHA512
666b0fd6cbacba72de74e54e90812ed67383d64e4c179ca80767aaf6c55d6ca166f15fc4b591f16db91b4fd04fd48122fa9df7326d26dc9c015e9e1e8f408666

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
64KB

MD5
b4ef94faf58216c09ae0dded5023d4f5

SHA1
994b17a74463724969f8f8a2bd2baabed3971148

SHA256
edde499af366f88b33b41742d42c8c6893fee091421aa0dce22dcf3cf3154836

SHA512
7bc15ee4d9fccb58d8ee2f097dca532823c92b082ed66904ca9e63b2b2407c83d97d3ba3923a9162f7855336abff3e8c0de00e3fe94865647dcfa5705eff1465

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
64KB

MD5
7013c12d1f8382a376c00947669f81bd

SHA1
34e53dfbad67d0e9ac76e2b157c40efed746fa22

SHA256
03937ff6f68dc65c596baabf959ce647eb243a913c418ade03f8efa7f72a4536

SHA512
2c841dbc5fc34ca064ae0a1412b21306eddd403adfc4f8a7c7ed7417cb41bc07be1535b8e52c7a969f9ba7d50a6b7913a33833615142bb49fba0fde4b6453280

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
64KB

MD5
d9ef66af7635b93abb098e3b4e7c364d

SHA1
e959896e8bd9cda5c2754fac1ac588e99d65d78a

SHA256
442ecbb8696d5d716b7dbf389ffc8850e57220fa740f418fd60007bd2c5268bb

SHA512
8c7e922f24481b43c5e210dbfd126872fa7ad2b4b4eb66c3e5b77f49cedbd365f342bc0489a84d3b25a8fbb1bd5e489c2844726750f009a54254435c6f8d704e

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
64KB

MD5
91c36f19139975722d4c4fe00174f5fe

SHA1
fa58f319efc4becd0e0c00fccf1a2f4999b70ce8

SHA256
ba31c07ff04786eeee7e5dba37fc0948e08effc2454c0702771092e4c0b85593

SHA512
e16bbbba2170fffa82e5933179cd1ac2e5c4c605d2fe476e556beb9b783009b228fa6fc90db2783a942387310b5123d5cb41c171319b35eb8b66380a9570c0ff

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
64KB

MD5
7c54f4b6a93b5193b6e6554ca34bd506

SHA1
8f2d2d63b412b44cdd15da1e93740e361b34f4d3

SHA256
bc1d69e139a6fb8a8f0aa0dbce961fc53a7488ec7988741f12df66e5265cf2f5

SHA512
b93ab5181149ff6157d98ed46a757e51268a9eaf40f81e01538d8dd4577d2eca3892a1f95c55aa1e844ba4d02cb52134d9196d1768db3cfbd36647a4b1da29fa

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
64KB

MD5
acb2dc0fa5555bdc82d30afc521eb734

SHA1
cf132c4c6d9103703ba541bb199f2bd4fa96c309

SHA256
68a9f40f2ff823f7cd771a4e0e5d2024f96d67a4ef88eb1dc4b58233db5b40d9

SHA512
2c27c1e81a24a8f3f3ea888fa38cb4f1e88114b90d8dfde6b43fd37bdc7c961477a1b6e0d798f4ab2f3b7627c68a8092b63accc935695fb2e43da3aa7efebfb2

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
64KB

MD5
0b230d27518fd165ff841f8fa8f5d89b

SHA1
f2659028845e13482ccb031ca31e7b92c8479677

SHA256
ac926ac27fd49f7f092860bd13a86fca67ef6c601a29bb78608333f9f2953259

SHA512
c4e23d5a6f7f5ff6d4cd661190f8d227497b33a027ebb12fd9f108bef86bfd1cdd7009bad0133a96d4ed484cfcd6166721745f4a06e9c06fcf59568f6ecee47f

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
64KB

MD5
32bc8b581b8d753d425e4800776f61fb

SHA1
f0455e20a20708877725b7ddccc26b7443bf64bb

SHA256
5698f59a5cb03dbec5788b01332bbfc0e4f9e8dfdbaa54f7a66dab2354d4de21

SHA512
e39e9cd9394062398bfaa7b30662b6c84818d723d3c666187ca010c60cfe23b0f351258d43f4032d0907474e3259724e07dc7e996cbe0e5e8524b9a27db39f51

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
64KB

MD5
28bf9e57bdc8a3cd2b24ca5820f27b51

SHA1
1a0c86ee4bec8f6ec541f5d415de9f4e37677530

SHA256
2aad6aeb5b382e1f8d01bcc195a5ce81900cf29ce059f64c0eba9d94aa66358d

SHA512
fea61051b601b374d8a6d4ce080c01baf239db0f2f53adf466fa7befd18e0e3b2d1a43fd05c6a51b4afbe1c17ea389252abb1b064eda30cba3519e625f4afb5c

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
64KB

MD5
fbcb334fb2ddc35a764adffa6ac05d14

SHA1
8434b6bca5fcded516fcab34a39fee8a931482fa

SHA256
40d0e9b32e0a73a006884408393cd462603f4f75d20178576d99357d74a8a348

SHA512
be92caaf8146f5e064a6905d3726d3108e48a9adf7aeaec5c0cf0035154b8b22469b62c5a016cb926a7f46e997bfac137d9d49c842909cef37d3404944ab7bf5

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
64KB

MD5
abcf87b540aa6273f4a1afe615461108

SHA1
7e05636bac62fdb28bf608553b8983fba953b5ae

SHA256
2b141a48ecf7d80d50299967910640b9955ada111d76b633247f11d9029f22eb

SHA512
bd91ef5048302b450307f32aacb7319d562e8b2b1f9f886f34f51733f3ce74c42820b873c5b71ff6530360af844610cf7e5ac95fbfb843afd8f4556762e6c327

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
64KB

MD5
3932123681c92c36c05cb91c6500b9a4

SHA1
6fabffc4178a8fecd21e8d54190b7c533bfdf7c7

SHA256
5aa654c6e6114df10bca159ca3816b61fad63b97c1dda2867e2f67782103befe

SHA512
97a6d449f470880fde3f11e554fa9d80fccc7ecd09e9c69d1cb016a6980426a82216cc84ad5698020eff62e0ae5dda5283efcfa9ca7477fcef07a999c11ea46d

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
64KB

MD5
c2fd69f80e620eaedecfef1c75eaee47

SHA1
789250ce900d6c6f29f0450bed89bd3e6dd4c136

SHA256
6dd0797cde3430ac8bba62a0738aba8f510e58dd67c8985a031e2bdcbc6e6719

SHA512
01ab87b79644de2b1a909859f42e5a249e027d7dd493cc1ab666eee9bc438e65108860507edff6b8a7b8b6cf51780b9da76e45a9e488571c363a05340ea0b0dc

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
64KB

MD5
6107786015b8847e5fc714bfdecd52c5

SHA1
851be9501b74ac9e1948e71a77c52e453e3cff11

SHA256
7b82067736e5e94eb00d907a38baed4ba49b0fc045de381a5c9fb5c3266f38e6

SHA512
b7818aa92e8438a760b4aa7b982026a73fe82da4eb81ba357de599865f595633a0c1f8c624290c460ebce96d92b26f276db99aaa4c22b246276f76327fc95506

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
64KB

MD5
52124d3d5a8c739ffa951e1680a09b1f

SHA1
d33c3c385cdbade720a1e7ae2b2a9a5af4cbb65b

SHA256
b4fbbcdaa24d80d2875ce78845aec03590e49dfc46d6b6dddc2fe4d29a497a1e

SHA512
eb466de10ee12feaf70fd105bff8e08308b2f6165a3cc48b6e60cb4f216abecbe071d4400983295c492fad407ef5f247592699668aa33e0432392ae7000332f4

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
64KB

MD5
3d0fa33108c4e044520d0af5a27df722

SHA1
72bea0f38f206ba7c51cee08e686eeddac1833d1

SHA256
1c84b7eaf47300957b6ab94c2a564af75f481cea448b20a36c3c4a902a6c123a

SHA512
93804845bf389a1b76bf85d9e4503cb67dd6442434e053f568d66ee6f7f384daf8ac37d957d2e9bd290d2d04bbf6a3ce7a697a39a5af05915500d1175a7441d9

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
64KB

MD5
0faad361c2e450d5753c59714f2a61d3

SHA1
956e3b1fd9097c298f4640fc98a9db1c7dfac9a2

SHA256
f7f7ca36d095b9f0780d9ca026374f42d247a7adfd0c9261b6532131db3fd5fb

SHA512
69725b69950e0b708bf3cee2b9bca67027a40e9ab7a7c69a2dbc0a79f3586d6e70852ee64b12b44cf2a4ea065bd63895b85047f313f301037717ea115f9c2751

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
64KB

MD5
9a98d30fe742465fa8f55e98c2db55dc

SHA1
154898a7363321704c8c77e47dce77af1ebcadde

SHA256
631d0f9ac4652795abeb2748d403d68e0404a93d54789c9ab896ba71077e873c

SHA512
ccc49f45d3414c8f372ce145f2bc64fbc727aaca009350e2bd4c405e5317ac6aa6b16deac93236af752c82195284398fae81d38b3da3ae7bd83a48cc17387ae7

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
64KB

MD5
73a2ce892780c2325a6f4bbe7a528e82

SHA1
f616bc993cc7f2a19dc7a8afedf41bea156911df

SHA256
ab3cc98b84ddcc994840c150c22d3197afc97972babe24cceb9b53a9794e11bb

SHA512
4a7b9e9e09d3c8051d76e06c402d95130ff9ecdac2846a2248ec904ca69ab67d6662f68a6e6d040d6c0809c46d6d4359d0dfbe87c12778457253d73f62cc35f0

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
64KB

MD5
3a13fcff994b07d015c34ec7bdd836ab

SHA1
9d8c6d9e1d19304b650f189beeeb8e453879c0e5

SHA256
c8b8c63fa71cfa063d73874f2f937c8cb13ceb0facde184ef81bcf36c51a8ad9

SHA512
034b6a0870eb613c384fc7fad3a14b06dee528eda424112ef2b7bd2831d14d9f1bb218ba3f4306981dd1b01fc2b4ab42e7b34c749b032eaee8c02a4b14f17d2a

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
64KB

MD5
8c794984cc2ee515425383e8d80d395c

SHA1
cb142fe650f61f6a0c55f153a7d1138f021e76af

SHA256
69a11851eefd2bd65c18d55baf923bfb2b1fbbcc2e8923d5ea0c3bdf9bd98140

SHA512
efcaa23be76d84116e84e88fac86b26b52e067684205c316ad043de2546fed3493d40ab7c9f7c7e03bbd6e89f5143b5f39c95022fccac92f81481066cf726d24

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
64KB

MD5
89afb177770bd4f7f0486041e6a2de6c

SHA1
2a52b9040e8d83986173f446ee8429584763359f

SHA256
af580bd4c70384009d094c6b46c2f7aac0368b05b1e359255c64bb26e6342869

SHA512
a36b62cdaf0a3b8810d564e24a19f738fa15e002c174d18d956d20d72d69f6c7cae725c0c48729c5c3dbff6fb136d1fc1d347501de6063ae57195f24782fd2dd

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
64KB

MD5
f177b8d9836cd1c5e297546eb2e40bf3

SHA1
8cd1a1901edb048308550ed1c721cc39251386be

SHA256
981d95f03ac0ab5b119f0d453da3518e05a4677b876b2e598bee631ea1ba2d1d

SHA512
003076d06a136d5d357c937972cdebf4aa4783838326eba0c9219b8843b86e089458e0964f9d646f0983d25f1cfbe24c10f0535e7171be4217f088c38bdcd199

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
64KB

MD5
a5a8643fe41a48f7a2deb4bc9b1523e5

SHA1
71937608be65deef4e254351a9feec9a21adfb75

SHA256
43e103c9443d1ab6a8c0abe386801ed6f9835a06fd033e898793da98a1c5f5e4

SHA512
fae2bfa41e3892e33fc6107be507f8dae9962f29ba4b09d3f77db08ac48674d56d7a872c6719e4cacf962c704fa82ec496f32cc275387323084f6ce39c7bc5c9

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
64KB

MD5
3707c20888c2342a8ecc26acecafcdcd

SHA1
118f98fec22f729385143e43a50d49f3e70e146b

SHA256
4d8a7a5e33ea1ae27f7f10532641505403fbb5095fd98a14c8ab4f5f7b590747

SHA512
b026d1b66e7f80baf64964cf3f2234f58850506395676d6a572d27510a73db3e0017316ea03cbdc887e71686a9c090787c2534a2ec8eee8ae1678145e86f844b

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
64KB

MD5
cf81095a61e6ebb3230ea54137ddb4e4

SHA1
4bd511551727f63f01a2264dc6ed0bf41d01f755

SHA256
3a88c4275a6644adbcea59e316a75190978dfbd0487abd5eaa51eaceb246459b

SHA512
44890c09ffb488e20caec2a34979f8fa35768d50fed5fdfe61a1199a556721296971da7593c72bf8209c543d016e21fce6a02f60e2e8fead3cc818558896cc3d

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
64KB

MD5
952c2b68ee719c39b3621c65ac66e37d

SHA1
b00b7a7b0f24f94db05e5069643c3b0251204649

SHA256
d2fdd43661ed8f765d592173e4823c060d5aeac4df78cf3847d87074d607aa43

SHA512
d365b602222bf9b727bd9acea00637f1b337a6b69ae1923968e519c6ea9db88b3ce3dd64243d6e5b6fb9306b67da6e02ca98e04fa3f91c491ca1e5048308e440

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
64KB

MD5
de9dfcddad993b01954862ea25e5c1ad

SHA1
2b02534fd16d4b2cc33da55d508d4fff261c0c98

SHA256
e55dcfa9069da72d0719811b472bbcf64d93707eccf3996363a0f90f53b862a6

SHA512
8b3a13a2f715690d41035a315f27e9ee3dc456944a304ed59d391fe721ac0baabf14869968dfb9aad76171e1fdc49455380657c1ed96ab84d4eb25eb0b9b7a63

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
64KB

MD5
6736b6a1e4fd631f4bcd360cd5b6f9b5

SHA1
6b7e4638ac6ade6c10e1db6bfa4c0008aad4a72e

SHA256
6377fae7926d562e5771bd1f97ad8b90b5b6bb579bd8753adca2164b5f97b2d5

SHA512
24ee83b75d9c6bac0e86a1b86c90c3076f91761abc18320c3a39368307446092674f5a2252ffcda8bb207f8d27a5239e8aa5d8a12e884c00cf01535f33706f3c

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
64KB

MD5
5d90f8fb841b4857df871f15574e90fe

SHA1
cada10a5110fb17e659a3c5371441f92e874aae4

SHA256
13049d2fd1b4ae6f0275a285c05bc90a5e4f59664cddcce2fa7fd6dba768e0fb

SHA512
225daf03b2f1e0bcac43d6f12e3bbef525e19d7154e946b8a55bbcb905ca057df44784da5f9ccff73f1bc575fb708e3b8f05b5455db57adcf12a2ef837f8e527

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
64KB

MD5
e741362e90378b2db15f3968f7ad00d8

SHA1
579f4820119f9f390a8b45cc5d66b132babb9afc

SHA256
17af9f2c33638583bd21bbe1cbedc41291ce5d7dd8121f67265d9ab9432902e6

SHA512
ce60b8a8b8e8228467d2037d2a218baa46a981d056eca1f1af1c57c2f3d0d93d55b4061d2cb57870cdf80f4ba5cbb493b439e316e2cae40ccdd9614f3194e0fb

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
64KB

MD5
3bc32f4be6032ce73249e1b82c4a0d7d

SHA1
7ad1f00736b6d0d7e415abce516323ce517112b7

SHA256
cf0571173aa27aaaee1c34ec31c15b253b31cedda2bf9b9edee92f63b5b448e2

SHA512
a191405182bfa06a8873ea9455b25816d69d14c0935adee25211288e5568c222d0a18dfc54059211b6440c1644d28d618adfe899bb3e79f0e650c73823b249b6

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
64KB

MD5
dacfa1e795c32e9fc0b21f65eac4f269

SHA1
3576aae0677e10ec2309c97fbff695d7daf43c32

SHA256
1cef19cf6627388d5caf860072683f03c340661f0bc476eeabf4ae4d48552852

SHA512
7698777bc156b308ddf422f166b4db66ddd51630191e32554196edac741b5615e5896e769a790bd0d13271e71c3141eb85270b73b4499d096cc98b6813720beb

Download Submit
memory/224-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads