f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe
Size

370KB
MD5

b058e68a5e0ba5b6ce0eece5645e7db8
SHA1

d29ba78c1c9e23fd03a1cca2fd4d866b08c3e4c5
SHA256

f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb
SHA512

576a772cf0555c29a6455a799077c0c03c905c4abbaf2ca5eb9927333de4cfd3861433ae13c244311cfe75ad07e2c0ec894503099c36a85d6e9e0f7ffa34f160
SSDEEP

6144:qUgrfZGjYpNyGpNDU9fwRE5H2dpNonHd/twMLc2Ao2pEYTBFqZNjE1rhJg3htVtb:qZd0qUfCyHJWx67fLx67

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe

Executes dropped EXE 64 IoCs

pid	Process
5052	Lmgfda32.exe
3548	Lebkhc32.exe
4460	Mbfkbhpa.exe
1348	Mpjlklok.exe
264	Megdccmb.exe
896	Mckemg32.exe
2324	Mmpijp32.exe
3588	Mlcifmbl.exe
2704	Mgimcebb.exe
2472	Mcpnhfhf.exe
4664	Mlhbal32.exe
2104	Nngokoej.exe
2680	Ngpccdlj.exe
3316	Nlmllkja.exe
2272	Neeqea32.exe
2492	Npjebj32.exe
4352	Njciko32.exe
1528	Ndhmhh32.exe
1264	Njefqo32.exe
4060	Oponmilc.exe
3036	Oflgep32.exe
2740	Olfobjbg.exe
3940	Ojjolnaq.exe
4388	Opdghh32.exe
4532	Odocigqg.exe
3456	Ognpebpj.exe
4448	Ojllan32.exe
3580	Onhhamgg.exe
4484	Olkhmi32.exe
3664	Pnlaml32.exe
392	Pjcbbmif.exe
3512	Pggbkagp.exe
3892	Pdkcde32.exe
696	Pjhlml32.exe
4304	Pqbdjfln.exe
2888	Pgllfp32.exe
2544	Pqdqof32.exe
4004	Pjmehkqk.exe
384	Qdbiedpa.exe
1760	Qfcfml32.exe
4324	Qnjnnj32.exe
3684	Qddfkd32.exe
2036	Qgcbgo32.exe
1356	Ampkof32.exe
5108	Adgbpc32.exe
2420	Ajckij32.exe
624	Aqncedbp.exe
3532	Aeiofcji.exe
2736	Ajfhnjhq.exe
3424	Anadoi32.exe
828	Aqppkd32.exe
3300	Ajhddjfn.exe
1064	Aabmqd32.exe
3024	Aglemn32.exe
868	Ajkaii32.exe
3020	Aadifclh.exe
2496	Bnhjohkb.exe
3740	Bebblb32.exe
2880	Bfdodjhm.exe
4500	Bjokdipf.exe
4912	Bmngqdpj.exe
2172	Bchomn32.exe
1008	Bjagjhnc.exe
3016	Balpgb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	5020	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 5052	1876	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe	82
PID 1876 wrote to memory of 5052	1876	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe	82
PID 1876 wrote to memory of 5052	1876	f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe	82
PID 5052 wrote to memory of 3548	5052	Lmgfda32.exe	83
PID 5052 wrote to memory of 3548	5052	Lmgfda32.exe	83
PID 5052 wrote to memory of 3548	5052	Lmgfda32.exe	83
PID 3548 wrote to memory of 4460	3548	Lebkhc32.exe	84
PID 3548 wrote to memory of 4460	3548	Lebkhc32.exe	84
PID 3548 wrote to memory of 4460	3548	Lebkhc32.exe	84
PID 4460 wrote to memory of 1348	4460	Mbfkbhpa.exe	85
PID 4460 wrote to memory of 1348	4460	Mbfkbhpa.exe	85
PID 4460 wrote to memory of 1348	4460	Mbfkbhpa.exe	85
PID 1348 wrote to memory of 264	1348	Mpjlklok.exe	86
PID 1348 wrote to memory of 264	1348	Mpjlklok.exe	86
PID 1348 wrote to memory of 264	1348	Mpjlklok.exe	86
PID 264 wrote to memory of 896	264	Megdccmb.exe	87
PID 264 wrote to memory of 896	264	Megdccmb.exe	87
PID 264 wrote to memory of 896	264	Megdccmb.exe	87
PID 896 wrote to memory of 2324	896	Mckemg32.exe	88
PID 896 wrote to memory of 2324	896	Mckemg32.exe	88
PID 896 wrote to memory of 2324	896	Mckemg32.exe	88
PID 2324 wrote to memory of 3588	2324	Mmpijp32.exe	89
PID 2324 wrote to memory of 3588	2324	Mmpijp32.exe	89
PID 2324 wrote to memory of 3588	2324	Mmpijp32.exe	89
PID 3588 wrote to memory of 2704	3588	Mlcifmbl.exe	90
PID 3588 wrote to memory of 2704	3588	Mlcifmbl.exe	90
PID 3588 wrote to memory of 2704	3588	Mlcifmbl.exe	90
PID 2704 wrote to memory of 2472	2704	Mgimcebb.exe	91
PID 2704 wrote to memory of 2472	2704	Mgimcebb.exe	91
PID 2704 wrote to memory of 2472	2704	Mgimcebb.exe	91
PID 2472 wrote to memory of 4664	2472	Mcpnhfhf.exe	92
PID 2472 wrote to memory of 4664	2472	Mcpnhfhf.exe	92
PID 2472 wrote to memory of 4664	2472	Mcpnhfhf.exe	92
PID 4664 wrote to memory of 2104	4664	Mlhbal32.exe	93
PID 4664 wrote to memory of 2104	4664	Mlhbal32.exe	93
PID 4664 wrote to memory of 2104	4664	Mlhbal32.exe	93
PID 2104 wrote to memory of 2680	2104	Nngokoej.exe	94
PID 2104 wrote to memory of 2680	2104	Nngokoej.exe	94
PID 2104 wrote to memory of 2680	2104	Nngokoej.exe	94
PID 2680 wrote to memory of 3316	2680	Ngpccdlj.exe	95
PID 2680 wrote to memory of 3316	2680	Ngpccdlj.exe	95
PID 2680 wrote to memory of 3316	2680	Ngpccdlj.exe	95
PID 3316 wrote to memory of 2272	3316	Nlmllkja.exe	96
PID 3316 wrote to memory of 2272	3316	Nlmllkja.exe	96
PID 3316 wrote to memory of 2272	3316	Nlmllkja.exe	96
PID 2272 wrote to memory of 2492	2272	Neeqea32.exe	97
PID 2272 wrote to memory of 2492	2272	Neeqea32.exe	97
PID 2272 wrote to memory of 2492	2272	Neeqea32.exe	97
PID 2492 wrote to memory of 4352	2492	Npjebj32.exe	98
PID 2492 wrote to memory of 4352	2492	Npjebj32.exe	98
PID 2492 wrote to memory of 4352	2492	Npjebj32.exe	98
PID 4352 wrote to memory of 1528	4352	Njciko32.exe	99
PID 4352 wrote to memory of 1528	4352	Njciko32.exe	99
PID 4352 wrote to memory of 1528	4352	Njciko32.exe	99
PID 1528 wrote to memory of 1264	1528	Ndhmhh32.exe	100
PID 1528 wrote to memory of 1264	1528	Ndhmhh32.exe	100
PID 1528 wrote to memory of 1264	1528	Ndhmhh32.exe	100
PID 1264 wrote to memory of 4060	1264	Njefqo32.exe	101
PID 1264 wrote to memory of 4060	1264	Njefqo32.exe	101
PID 1264 wrote to memory of 4060	1264	Njefqo32.exe	101
PID 4060 wrote to memory of 3036	4060	Oponmilc.exe	102
PID 4060 wrote to memory of 3036	4060	Oponmilc.exe	102
PID 4060 wrote to memory of 3036	4060	Oponmilc.exe	102
PID 3036 wrote to memory of 2740	3036	Oflgep32.exe	103

C:\Users\Admin\AppData\Local\Temp\f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe
"C:\Users\Admin\AppData\Local\Temp\f7564f626940b25434b443ddfc32d02f9d81c3f591b5f5005413003991c9d4eb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\Lmgfda32.exe
  C:\Windows\system32\Lmgfda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\Lebkhc32.exe
    C:\Windows\system32\Lebkhc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\SysWOW64\Mbfkbhpa.exe
      C:\Windows\system32\Mbfkbhpa.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        28⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        69⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        73⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 396
        94⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
370KB

MD5
6ce932d24b4eadeab89df17951d5b3e3

SHA1
0abbde2c9ddf2db01795834170fc74aac8d72863

SHA256
1a8c52452ca97ac963712d1ba7235adf08234b1c0d15ba7d5a006680ff9e516a

SHA512
7b4822646d3dd7e05f107ae7c46783df9d84a252515c32f33e09d88a4d6a7cf1670b5ae840403001b9456eeafe8c05f011fe671915e2b428bb6ef492035ca45a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
370KB

MD5
709b0c641e9161b4bf18197d79750ef4

SHA1
1a0e4121a727d31b6f30d1222365e56cde1e5d66

SHA256
b58ed77ca45fb2fe0dbcbe13bdca51ced90a55e0865b881d0ff14e4f1df7eb66

SHA512
54e8b26f531a8f9752f1c5a4e26f1d95185123fe7ee2a78dcd33400880d1dfd8a445f8c6bf6100e5cb1abc1b1cf764bdbc0f1d97084f14522552fb6ca1c40711

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
370KB

MD5
013a03e0722a071219683735e5992355

SHA1
021837ccdae637bf849a7c07414a51a2e4d56ee0

SHA256
4ab9733875d6db8f2e4b9aa05b2e0ff56eac780289c4aef0d28008a501a935a8

SHA512
7a7b9495c6fa3ea1d1faf4ef5817a16da46989467c454c1d7854d3f8f362382666a8d770f46dc2e375ce77a07ff75c03038b2b7141c54d860fbd770aee18c613

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
370KB

MD5
bc0cf1b8aa027f4ca76d2ba767fb04ac

SHA1
2314c87e664a0f118481bed2d9437329460d2e57

SHA256
f4c460f46e53d6ecd3ae21df0147098577b8bb4a24776e196e8de3cb532769fc

SHA512
55a02e8e5b083ea7f833f2f1db0f6f4af093768c08db9cab6b9ff09b8dfebfa9a7036ca05e0d122e6d9611fb974812a8224a4e570ecb4647d8388f89fa49e9eb

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
370KB

MD5
a548486d8e10bb7a7c9d7089f38f2e0a

SHA1
9e1a20bbc13ebf899a78655e88d4c6f5c619afba

SHA256
0935bcb2675a9246fdacdae528799498a3b22f934017616bb54c8006539fef54

SHA512
e639b4498382710f2979fb25950ab18ea44590625bc0dcc5e05488170df2f05cb78d114e07be156259a2dd974bcc9ddc4ce79fd1055347c44a08af1060ac3f79

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
370KB

MD5
a98a4aeeb258b5ee471283e459e70a51

SHA1
b8a4084cf53a69b572b50351fc7d4c82ce7a039f

SHA256
e8fe6f8c12f7f04860bc686d3d44849ec544394048f7b21232f090c1bc828310

SHA512
d6f3380debb17c46da4440310551e4187e962fb7d8e6d641dc7d23d41a9c28c306f28f13138353f90f3ff20ac3aa5bce2fabc6c66d290a9eed4a610082f59827

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
370KB

MD5
d2d3c65de026d7eea066d8f312b467e4

SHA1
15914e64eb72d501e980873ec83b5f2a984f8668

SHA256
4250da018d3f80a151c6a3f2e6212d2aab79639e64e6c0ee9a40b5aea8866f8d

SHA512
b961ef96bd5469fb76ba0e33ffad853cb2f3f0b0c80db8dc8f9cd7dad0f15994215bcbd94e7e333c50456ff350b5efde5c2f36706e6f576412281a55b0b5c97e

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
370KB

MD5
c8ee2c7c559fc2c0ca533a19a82e8de6

SHA1
551b761f436c0278492487b81b5bed0e753db860

SHA256
90ae1207ce7be1b1f3639ebd5acde916e50c7a33db186440de53e8a3371f9aaf

SHA512
0ef610c613ff4133d13a9e7598b6c49796db4b66bd3ee8a1142caedbe086ea457322a5ec59151fa5402f4dadf6c06f384c6cc41a91967bf63312d0cbd22ff0d5

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
370KB

MD5
78359ac670b499cc973c353404cf682e

SHA1
bf28c657359fc64b96200b676fe7f98769d670f8

SHA256
261e30246815777d0e7c4a60711077ac2bc6ae09aa4bb47fde35e6f3a1cb3f20

SHA512
ff7b5730ffeea583937939373e44423056cf2c566a5c8166999854cd79bd580dee642c223d2875fd285a93a4882902039c471ca44f7d7e2184fd39847ab7ed9a

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
370KB

MD5
b6270c7b35d24ba378271f225308639c

SHA1
27c87d0a26f412274342b2aa585cbc695beb980c

SHA256
b5f86aee04a11bf2df8b10110eca14ab2a3400512967cd12c73279b11fdf55e4

SHA512
a41fe56a31942f68190b54f96aa5281b10dbb7647848b696e2500e42d52103d042014f002919d2becf84c7d3d6e97075df67199332ba28d8d89f8458030b4484

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
370KB

MD5
546108b8a97c7f2130f6ad002a01197b

SHA1
20ec56443dda56923218000ba0499a147daaaa52

SHA256
cb526c08ba831603d2df43bd5665a46d381ef9ff3ee27b853e43414bf837dd78

SHA512
dfd171d51983d88c72e0a067aa3f50108db4093040cc75df975d4800c78bf688ec22549dfd622a0461824706065cea474c69dd28334afb794444ae624f8aa295

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
370KB

MD5
11ca05757baeff4c1bc5afa9686929d4

SHA1
c48702c6ad82a5d644eec06a0d04aec9b9c9f829

SHA256
3fb4939ffd911c4a166b332990cafc7936d7f2763f9b826109c39fafd33b3b4d

SHA512
e6224bfc574e63e5fa38afb6d31eac9187d3bd52c14cd11fb2122b4e1f5004d53f2fc6f81cceee37e6f7809d82871f3ca78d30218dc01ddf47f2544d38291004

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
64KB

MD5
24e587079c46dca496afe84c17992c51

SHA1
05e8f38e995b4cb8423f55ca8a3631737e5ad93b

SHA256
21a7f0dcdd36f1b49096b99abe9921f03ad2544c8389182fddc2630b0b3edefe

SHA512
84fa6b3098277d25d154b2d50f6b67c24d348620c3c35065de70f8dcc7f7e900d9341a0a3e54508ce061068d73b27c9a4c65cc80df32e41500f90c76aca363e8

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
370KB

MD5
07e7186fba0a1a2d1776997119d53c10

SHA1
300ff14643aaabcf3344ac0cbadd118f955fe51a

SHA256
360e9f22cbbc185577d2e90daae9de8e916659fbd56f418641ca221fcfa4b7c6

SHA512
db1eb84a32dc7edd697f9fce39136dc07593bb590bf0f7a1a6475a784306e20b4a4a16b150c701ad67b5fdb6019ad03524c059e5e3b9dda09db2c4ba878487e1

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
370KB

MD5
8b9cfdfdbb8bc9dc4c94394c8605d2c9

SHA1
c2476829244a754f804bb15337077480c5f1a489

SHA256
bc268fefd867772d77459e18b73abd39070b2156bb1d0a19182d4b7a9d904f18

SHA512
0acc2494cbe1052920d6405a34d6f1af1722eec7e781fd06542d45d951e9d1003fcac03530bd1712f22ad391516be5f05647c2adbcf6d45b95d3babba88d8d12

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
370KB

MD5
d7ac9e28c26064c6b9ef048d0fcacdcf

SHA1
fb1a1ba4410d9ab5f5df84bbff8338bde36b70b3

SHA256
7f97191285220bc8bf548ca1fee9b18b138c0131c18a4f28ffd463325be209ce

SHA512
462940dfc55e321907821580e8a6ff3312e27f1e73bdfbf29c268fedc1f80d6cf8fe96d1a5dab602d180d2094bc6c1ae0d19f602fc95484bde3722754d940f5d

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
370KB

MD5
03ecc4f4e989e75ceeeb9334ed21d7de

SHA1
cb21e102e3c1222304ace8f8561d0a30cbc2106c

SHA256
a6329e98f81cf68126ed8a37bf03de7e64974fb9ead80002df5d5bbbc05a4f28

SHA512
47ad8ae91ffe4e64dcde37068906dd5fd99d4ded67a3211c9ae27ce8c61c2a035dd5b6d8976a3f104dc35c37da4cd3e7eb15ba7eded13ebac43f45efe8843b4a

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
370KB

MD5
9b822a821475751350de894095fb1ebf

SHA1
35c39b380378798d6335da402bb8d052c9c3ae6e

SHA256
01444887ffdb97090d998fc43105d7c1a00dc52fb7d7e5240c5dd5e3faf64a31

SHA512
30d58d52bcd87610837f287146d9788cd218e594842e89469cff2ae7fe259be4800ce084d3fdf5cd1f2de0b97b478974fe65ba6b718a9b699a7102203c324da4

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
370KB

MD5
5d55f66500ba1ef459079074d408c577

SHA1
7d0fc56713f005be1331e9ce49482fc8c0a3e4df

SHA256
877f11c9a42bee351e416758533fcc8423a51fd88cf06f13921de9ba475a2dc1

SHA512
a764031141aa6fb9db9dd8847c632a81906b1910e0c07781280ac133dd2fbe1c0327bb3b906477df3a2355ba1c83d08b37b95c8e9d9ddfe6cc50421d69db7cc0

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
370KB

MD5
a20a73a975d7fca10615eb76a397fc64

SHA1
d8fb88b9b9976df4e21e48fe78f0a9bd5a31a654

SHA256
55e0649674c5de62750b6ca4ed69b23764faa98458038280aac42ba50956dbc7

SHA512
e9d039bea14297e2c1ae9a0e5a63a173b9f2a4efd762bcb733cf6d2e6bd6d6cbdc65ee5dde76c9d373d73cf91b2f491d8ab9a28e26ae8178d62917ad0efc1104

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
370KB

MD5
a407e7107e7e82b96622d5bc6d11a0a4

SHA1
51d0d946dcec905b1b228fdeacd5007a71e02ff6

SHA256
229f8dff54db111d0f0c0319198ed8438a83e02477025af41b890a6599db5bca

SHA512
c3b7f8f950e1a916e473edab2e0d073b9ae6e9279531ea0abe8f36ad942fba20a1565baf3894af0292f5bb33a9f858240834654ca5fea149df88a19a265fd9ae

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
370KB

MD5
cf772181cc04ea8c769b72e9c04b0a0c

SHA1
e88788f4fc681fdf9964e2d0cfc2368ef3cc4f64

SHA256
12428bbf8d47268f2c757b886fe19950a38672b1f8ef7c9c084b879a1b08f8ef

SHA512
26015dd6b762b44cb13e3a49206c2415785afdce7a3d66b47579df5a72f033780ee4a8f421a84c3978c9ba50078fd2b575e2f88397774313d6df8c2dac30d63b

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
370KB

MD5
8747d62c02239fd1b423f3a626676923

SHA1
5c6ca94ced1e2faa5fb70c2b08b21bd67ca56bae

SHA256
f09c9706c5f9da8293cfc230747fe37ed4e19b169d01d7d7285026987d492ae4

SHA512
1c6b3cba9ddec4dfcdb9908f5c48659d11ba8ef8df43726513c5d2292ff84d20b1aba1668afd3e18a89f05e3af2ec636850b5e080da9d1e47a09c6d0e3e06a5d

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
370KB

MD5
c531897e0c18e430ef9c39f7bd97ed06

SHA1
6b16856c0cb80b0ca3f9f8ff6fadfc9a48cba8cf

SHA256
e00be893db2668af24f2463089ee6aa3cd00fa690ff9db3c9ae21e707dc5a5f7

SHA512
c3f1d13eb06be99a048cb4bd062841492ee67c7426a6e4c2539934e2e9fc8c576a24713141280bcdba2a9f21043d76aa390549eb33b00098f4f83d7bebc81ff6

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
370KB

MD5
a663dc704d5f0c2b9970e709924e65f0

SHA1
d6fe3da3f13da55e75a41375e2da548cf150a194

SHA256
a5d0ba4af44fe589cfdb4792ad2079b028249d3a999cf56b71d67ac49237b690

SHA512
d257d02e455a736134c2a30b80c270e07562f61afdfa1b241083ec192a5bb8d00a57ea1e65596ee69406ed5d73e99532b2bce6def4f9e0b65a4c132cb9ea4fa1

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
370KB

MD5
55db4f8675933687731c72b6d4c39ed5

SHA1
9fec5f499af895d69c95474f753378c55ee79486

SHA256
38a79fc5e8d270474dd76a3cccd7be1fc682bcfd10e483a604ae9b881ca0b81a

SHA512
35596b9f315070fadde04f9d41779eb4e7cb72bdc33855df50a5912d28d7c130ea1708a0813b686facd67897a364bfc1498138ea96eeb19e8166e8912ffab8f1

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
370KB

MD5
9d5cd4edc30fd82c0f523ee600bb66ef

SHA1
30ae97a5334ff37c186cd075db5aa970e49ccb72

SHA256
ed063a3599005ebcb20de82ab16f3fa40706437e411d744d7819f55afbcee20d

SHA512
06fe5f1ee17df89226d1ea2f2c2d47fd01293cc50e9ae25ad905546e17fb2c0c32f408e1209b94ad49938feb6b217403d456511b2a8ea40eaef0160b2af79896

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
370KB

MD5
04072073fb439099eb702d8b2ad2322e

SHA1
41b63985c604d59764605b4060a4ffcb8933e2fa

SHA256
e50390e792bc404ffc44f43276756f2d33883d56b9193fe61a05819c0c8c5bb8

SHA512
d9ddd66fb1bc5413b1625efb07a89607abf55e2f543261f067c2b00d03c2bac0c67d474bcf4dd639fd508766470967288858cfc65fc5f5ee81306154620a918f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
370KB

MD5
050ac6004ae4e92b4efdb4d0b9ae0c52

SHA1
ca98d8372c04f194539a45faf0dfe31333df3694

SHA256
4cdba7d03020260409a94211567fa6045ef27a432613cbb6dfb11032f4ba2731

SHA512
b52c1ed875f9808b714f64790773cd30481d57c8599c51e40ecc8f51cdb08043ec791c134e591a387f62056fc29feaa84255ca4b9d1194b9e68ceba6ae98f151

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
370KB

MD5
00dd69debaa78a234dafe20a49699e08

SHA1
af983a46effcb66d6e667e4df03a4399996dda7e

SHA256
802185d766664fb9bb7f4ad5824e6430846f04516481433bb33b2d48cbe401be

SHA512
6e1290adddf6fef0a1e51af0d1c8c4dafb3cdc09266a1edc977a8257c5bd6672af602b400d05f76a599e1733fb7c7d41ee9dcb49824c96ba9ffdc52bbd39b442

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
370KB

MD5
3d19fabde16b2577332d41b765a506fe

SHA1
ec2c71324631ad863b95590fcfe4928907eb7e80

SHA256
e6c458b3032cf12b7ae20d7a62999eb9eea304e2ec72586529ec51de609bd97e

SHA512
be1e25f155c7bca230f316677d205cfb8b222c9febb787b8977c8e6d96158235641f3628ea9e3a4a1f3375fd9c5d06de9b5c83b3c659b3d0868a732937d451fe

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
370KB

MD5
3fbd92c877a400ea2647668da1ff7239

SHA1
d264d159c555899e38bc701791d473562b4e7a46

SHA256
83ef8e0af54a142476d0d7471e0f76bf2214022c07de61fa2872ce534b108125

SHA512
be78eb8b6363b1c5e403c65a0bce6adb9fad5e6e38a30936b852e5e0b561a98e621b23aaae73c20cd4a1540850cfc54298e6300035f99170b7ef5d83786e6977

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
370KB

MD5
f7a3c13d20b7d95915f4a82399733192

SHA1
6b32932537e2a8c21f610543d3ef30b7feb86383

SHA256
c3cc26b8d5ee3f1ac574b88d0d454481666d8d5d3b2823367d8af933a42becdf

SHA512
aa80e3d06d18c3330e0cd9965581ea09570d848090bf8452efd580ed6bcbb045aa80c3ac0557e1b40f058163964725e54df8c2646f58838777de5b1d265dabb4

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
370KB

MD5
3d699a1cb7f422e8614c7d607eccafbc

SHA1
df147f245d7289d2890045c57bd381f26ff14bfa

SHA256
070afb34278e99a4f4151d6a6a82865f3f1c1d0e93ee27e530cb8643b440475e

SHA512
bc567524006991c836dfa6b7a718170d88f773a0688137337970d25f89cb20ee788ff3e9503aad5b818b7326d52f7b39cf8f28a23d221193b46249b01d5424d3

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
370KB

MD5
26c4107f4a6da7f40d8feac1ea981e1d

SHA1
0b9b4b03d57a6d95690944647a2a847af6fb5847

SHA256
91f52c8968e0e254b150befa8be840c4c18a35c87836c7872727c89a25f6c40c

SHA512
bbff4348ed11dd4a7788dc1b39838394da0c3fa25d9fb7070966501c361c2b85f28bd464fca148cc18be08ce42e6ab1deb825cba461284eca86a989e256bdd98

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
370KB

MD5
97bb09ed99843f43716dbca32ef04e72

SHA1
104f5bca210a0928d195450601064dd93610f0f2

SHA256
62db67ade5aceba8f5c443bcc0ccd0d9d4c918b97e6f30b7d8efc62902ac1e33

SHA512
7eea29825675a9f55ad373f0414d9c6bb5efb888cc1cdba60afdbb5dc140f6335617ac56c1f5b56b3dbd77d12174627229b330af3bf3abb7925028baacee6b3b

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
370KB

MD5
55b0c8067179ddaa42ffeb34fc3ce4c9

SHA1
5f80ac954958d0b6504605db99af298b78f3e5c9

SHA256
542abb1ac366c4524d2fca0e5dbaaa1fb5a3f44c7122403b087a2e7c0fe93ffa

SHA512
e27b543e106374b18b32731dab54ee37a9233cc7b69a2a0727c85954a822b42dfc2135a50d36a57008e6c54723801fe5e5b2b982e17a4be79dccad7641046ecb

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
370KB

MD5
4ce6c8c70cc10c0a819f69927475be27

SHA1
1004810fa3051e91c2646d247eff5d458cf0786d

SHA256
2f081708c592f3cb5a841622be74b7df396907a874fd1d74c18b9d9b26ed368a

SHA512
2f80acfe2d32c64d171e070e9f7a3141d29ac388d578aa8cf827def4103624b8a8c484085051b99c49abcae2749877fbb388dc5558c6e9de0d99f72170374327

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
370KB

MD5
e4768ff8c788251da96fb4901b70448c

SHA1
b8475b277392e7b14cba976b1bfacf28ad64210e

SHA256
94913a58a11b11cb77e59df2777f58597bc34d2782f60fe073795b93b8b0f187

SHA512
b221f2a5db585f944ee545d13466fe409cff52e8444be7db6eea37a60f5059fd19b32e44d0770477ce85941494e32cd5b7716e93ff265316a44b6e0410c19d6c

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
370KB

MD5
6db56d1fcdc46e20be0aba823041cbff

SHA1
acdcdd79ad10f4358b45a16073b34216ccfcff7a

SHA256
4ef3b62b7c1f396fa27f901c9f61216bf1a0549e05283849e6342867f19b7ac7

SHA512
1b3acd2d733b4b33ed685705e411b9b62bfda5f1c8da77bd96e10695ba0ad6417de3e01488050d8c6cb37f895050dd41759cc7607acf0e62f3bd05e39b841fdc

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
370KB

MD5
8b738c4e052d442c6d674fe5920a2f54

SHA1
472209bc37544dc9683aabaa0aa4f9c0c66ff098

SHA256
0dd66a22e1c07ffb8d27b71004e29e5e39df78f59ceaaa40b2911559d110f32f

SHA512
ace34208861d6fd6904e13fdb3a82fe05907acc6908379c2f3b52bb455bedf40efdaaceaa43b8131ebd7f90f72e072a3aa42e7d426ff5ceeef017779dc2a1048

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
370KB

MD5
b33c78039e03de8d7e09bd1e368486ff

SHA1
47da1869b74171d99f8a39f838b5f1cb67717866

SHA256
b6bdd456b1ef0c18451bd6568828bb19d4a30dc4f635454728c9d1231c9fbdaa

SHA512
9c96eb775e0daf431210e20340fbb678c7ee2efb8e5263388b747d9782388f6bcc0538d8ba78d5d739611b3d90215d2b79bc1936abcebbe6473840dc5dcdb62e

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
370KB

MD5
7b7364a9a88f54f5d84421ec172bfdbd

SHA1
58a216c83396e9df41714c864a24e02fc2e02150

SHA256
a65886b11aa9c87786e4c742ed6c4ae9d7921692e3bddb1310b8bcd2a885abbe

SHA512
e6d12a23c29105e52bc852047c9858dbd00be0aa959124fdcde4439431b1927882ab27ba73eee362f19cf22a9152fe6494ccaaa16e68f80c1b09503c8adb823e

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
370KB

MD5
0e6709c54b23bfd63e592bf34ffb68f1

SHA1
c2c19d232c4999625d3b091683f56e105c9618f7

SHA256
1b23d9409871def7dc6110893207df4d7972ce9f41fe1e412f8c4303675614b9

SHA512
e9402d1dc34b0dccba0c375e9e8abe91b75d12e5a5a058b93209d5f7a356e3bc86bb3fb2929c7549fd7846e34405c84d1d347d615c752812247d007cfa87de74

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
370KB

MD5
c7b7782e33acb86fc664ef9ef5ea93a3

SHA1
4177a5869e5113fc0721076049e91bd3ecf84a1f

SHA256
1995b588b8ff8363b8887485a4a89aa43554c525c24ed7779155394ca6a43711

SHA512
85ae3c325fcb32d7ecfe3ad464632f7954a9b1659509ef9ef1e0d88d1283fca4f41ddbe5eaf02aa48ccd67f5a6ca43ab576fe1b1f79c4cfc6d3def24979d2411

Download Submit
memory/8-573-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/264-579-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/264-40-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/384-299-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/392-248-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/432-594-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/524-502-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/624-351-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/696-269-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/828-371-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/868-395-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/896-48-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/896-586-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1008-442-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1064-383-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1264-152-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1348-572-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1348-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1356-332-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1368-587-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1392-552-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1464-539-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1484-472-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1528-144-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1760-305-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1784-584-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1876-538-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1876-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1876-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2036-323-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2104-96-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2172-436-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2272-120-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2324-593-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2324-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2420-341-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2472-80-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2492-128-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2496-407-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2544-287-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2588-466-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2596-478-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2680-104-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2704-72-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2736-364-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2740-176-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2888-281-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2960-508-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3016-448-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3020-401-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3024-389-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3036-173-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3180-559-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3300-377-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3316-112-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3424-365-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3440-454-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3452-496-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3456-209-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3512-256-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3532-353-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3536-520-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3548-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3548-558-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3580-229-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3588-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3664-240-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3684-729-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3684-317-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3740-413-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3748-514-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3892-263-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3940-184-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4004-293-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4060-161-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4100-566-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4256-545-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4304-275-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4324-315-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4352-136-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4388-193-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4404-536-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4448-222-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-24-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-565-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4484-233-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4500-424-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4532-201-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4664-89-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4692-484-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4912-430-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4972-490-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-551-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5060-526-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5072-460-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5108-335-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads