c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 18:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe
Size

95KB
MD5

4accea9b4aa60207f06a5618b4cf3aa0
SHA1

ee297e5e5644e3fe52a3b28e43e85a9cbaeda51a
SHA256

c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7
SHA512

59401daf9d2813ab647f65a0739ea2ed4dcf5bcd505de157e291e10794c6b8d85bbcb66b7e3f2c3bf15740129e2d925bdb2c2f2a2eff197af1927033c31bfda6
SSDEEP

1536:wRHDlEETnqsYj6zPrxhFgGfUlRO80do8djGSrOM6bOLXi8PmCofGV:wRHDlJcCPrxhFxslw/o8dySrDrLXfzo+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe

Executes dropped EXE 64 IoCs

pid	Process
4840	Nlaegk32.exe
548	Nckndeni.exe
2372	Nggjdc32.exe
4156	Olcbmj32.exe
4632	Ocnjidkf.exe
3776	Ojgbfocc.exe
3100	Olfobjbg.exe
3620	Ocpgod32.exe
4948	Ojjolnaq.exe
464	Olhlhjpd.exe
2472	Odocigqg.exe
1368	Ofqpqo32.exe
1476	Onhhamgg.exe
624	Odapnf32.exe
4176	Ojoign32.exe
4172	Oqhacgdh.exe
3488	Pcijeb32.exe
3880	Pjcbbmif.exe
4640	Pqmjog32.exe
4620	Pdifoehl.exe
2684	Pfjcgn32.exe
2488	Pmdkch32.exe
4432	Pdkcde32.exe
3756	Pncgmkmj.exe
1452	Pqbdjfln.exe
2960	Pcppfaka.exe
4040	Pgllfp32.exe
388	Pnfdcjkg.exe
4356	Pgnilpah.exe
3632	Qnhahj32.exe
2356	Qceiaa32.exe
1856	Qnjnnj32.exe
5004	Qcgffqei.exe
5112	Qgcbgo32.exe
4484	Ajanck32.exe
640	Acjclpcf.exe
3580	Afhohlbj.exe
3780	Anogiicl.exe
996	Aqncedbp.exe
4816	Agglboim.exe
3496	Ajfhnjhq.exe
2480	Aqppkd32.exe
1756	Acnlgp32.exe
3748	Andqdh32.exe
1400	Amgapeea.exe
3380	Acqimo32.exe
1080	Afoeiklb.exe
4456	Aminee32.exe
3812	Aadifclh.exe
4340	Bfabnjjp.exe
4508	Bnhjohkb.exe
3252	Bebblb32.exe
4460	Bganhm32.exe
968	Bjokdipf.exe
2896	Beeoaapl.exe
4500	Bjagjhnc.exe
2380	Bnmcjg32.exe
392	Balpgb32.exe
2560	Bcjlcn32.exe
3656	Bnpppgdj.exe
216	Banllbdn.exe
2176	Bfkedibe.exe
2088	Bnbmefbg.exe
3148	Belebq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	4676	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4840	3240	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe	82
PID 3240 wrote to memory of 4840	3240	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe	82
PID 3240 wrote to memory of 4840	3240	c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe	82
PID 4840 wrote to memory of 548	4840	Nlaegk32.exe	83
PID 4840 wrote to memory of 548	4840	Nlaegk32.exe	83
PID 4840 wrote to memory of 548	4840	Nlaegk32.exe	83
PID 548 wrote to memory of 2372	548	Nckndeni.exe	84
PID 548 wrote to memory of 2372	548	Nckndeni.exe	84
PID 548 wrote to memory of 2372	548	Nckndeni.exe	84
PID 2372 wrote to memory of 4156	2372	Nggjdc32.exe	85
PID 2372 wrote to memory of 4156	2372	Nggjdc32.exe	85
PID 2372 wrote to memory of 4156	2372	Nggjdc32.exe	85
PID 4156 wrote to memory of 4632	4156	Olcbmj32.exe	86
PID 4156 wrote to memory of 4632	4156	Olcbmj32.exe	86
PID 4156 wrote to memory of 4632	4156	Olcbmj32.exe	86
PID 4632 wrote to memory of 3776	4632	Ocnjidkf.exe	87
PID 4632 wrote to memory of 3776	4632	Ocnjidkf.exe	87
PID 4632 wrote to memory of 3776	4632	Ocnjidkf.exe	87
PID 3776 wrote to memory of 3100	3776	Ojgbfocc.exe	88
PID 3776 wrote to memory of 3100	3776	Ojgbfocc.exe	88
PID 3776 wrote to memory of 3100	3776	Ojgbfocc.exe	88
PID 3100 wrote to memory of 3620	3100	Olfobjbg.exe	89
PID 3100 wrote to memory of 3620	3100	Olfobjbg.exe	89
PID 3100 wrote to memory of 3620	3100	Olfobjbg.exe	89
PID 3620 wrote to memory of 4948	3620	Ocpgod32.exe	90
PID 3620 wrote to memory of 4948	3620	Ocpgod32.exe	90
PID 3620 wrote to memory of 4948	3620	Ocpgod32.exe	90
PID 4948 wrote to memory of 464	4948	Ojjolnaq.exe	91
PID 4948 wrote to memory of 464	4948	Ojjolnaq.exe	91
PID 4948 wrote to memory of 464	4948	Ojjolnaq.exe	91
PID 464 wrote to memory of 2472	464	Olhlhjpd.exe	92
PID 464 wrote to memory of 2472	464	Olhlhjpd.exe	92
PID 464 wrote to memory of 2472	464	Olhlhjpd.exe	92
PID 2472 wrote to memory of 1368	2472	Odocigqg.exe	93
PID 2472 wrote to memory of 1368	2472	Odocigqg.exe	93
PID 2472 wrote to memory of 1368	2472	Odocigqg.exe	93
PID 1368 wrote to memory of 1476	1368	Ofqpqo32.exe	94
PID 1368 wrote to memory of 1476	1368	Ofqpqo32.exe	94
PID 1368 wrote to memory of 1476	1368	Ofqpqo32.exe	94
PID 1476 wrote to memory of 624	1476	Onhhamgg.exe	95
PID 1476 wrote to memory of 624	1476	Onhhamgg.exe	95
PID 1476 wrote to memory of 624	1476	Onhhamgg.exe	95
PID 624 wrote to memory of 4176	624	Odapnf32.exe	96
PID 624 wrote to memory of 4176	624	Odapnf32.exe	96
PID 624 wrote to memory of 4176	624	Odapnf32.exe	96
PID 4176 wrote to memory of 4172	4176	Ojoign32.exe	97
PID 4176 wrote to memory of 4172	4176	Ojoign32.exe	97
PID 4176 wrote to memory of 4172	4176	Ojoign32.exe	97
PID 4172 wrote to memory of 3488	4172	Oqhacgdh.exe	98
PID 4172 wrote to memory of 3488	4172	Oqhacgdh.exe	98
PID 4172 wrote to memory of 3488	4172	Oqhacgdh.exe	98
PID 3488 wrote to memory of 3880	3488	Pcijeb32.exe	99
PID 3488 wrote to memory of 3880	3488	Pcijeb32.exe	99
PID 3488 wrote to memory of 3880	3488	Pcijeb32.exe	99
PID 3880 wrote to memory of 4640	3880	Pjcbbmif.exe	100
PID 3880 wrote to memory of 4640	3880	Pjcbbmif.exe	100
PID 3880 wrote to memory of 4640	3880	Pjcbbmif.exe	100
PID 4640 wrote to memory of 4620	4640	Pqmjog32.exe	101
PID 4640 wrote to memory of 4620	4640	Pqmjog32.exe	101
PID 4640 wrote to memory of 4620	4640	Pqmjog32.exe	101
PID 4620 wrote to memory of 2684	4620	Pdifoehl.exe	102
PID 4620 wrote to memory of 2684	4620	Pdifoehl.exe	102
PID 4620 wrote to memory of 2684	4620	Pdifoehl.exe	102
PID 2684 wrote to memory of 2488	2684	Pfjcgn32.exe	103

C:\Users\Admin\AppData\Local\Temp\c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe
"C:\Users\Admin\AppData\Local\Temp\c03e6ae3ea7c2e88285bc7c3522054d7d201698ec2188badf5fbdf683ba200d7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\Nlaegk32.exe
  C:\Windows\system32\Nlaegk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\Nckndeni.exe
    C:\Windows\system32\Nckndeni.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\Nggjdc32.exe
      C:\Windows\system32\Nggjdc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        50⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        68⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        84⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        87⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 420
        96⤵
        Program crash
        
        PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4676 -ip 4676
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
95KB

MD5
2969c6afa5b902110a461e5d62c4bacf

SHA1
e48f75077ba42ffb042f3e7bb602b1ee626b70e5

SHA256
fc9748e3ca2b07670b9323aaaacbbf2f5024c3a090bebb914826f828d8bfa45b

SHA512
e5ad259bf9a35f6ff4981e4b44cf942194c3ae3f08f57b8eaec8eb6f7faa76abe4dc4c00c289889434b63a9e98a9eac7faf0f32fbdc5cd6acda8318037d2a6ce

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
95KB

MD5
5883cad3bf5b7b02de0d704e61cf0fc4

SHA1
221685863c49e837af4930c85409def79248c239

SHA256
5f0a4f1d95e551434c20e77332e5afad9dc71c8c5fa45bcedd3e7ab14f670aef

SHA512
98431a431c42d7cc04874b8f14e2e8e40df79bddd175e7db257608a86142e9d89fd211f2d1b87288924ae8ae5f2158888a6990872dc830f6f56ddef1220f0fa6

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
95KB

MD5
455b1a84d3185e9b3c8745eba092d016

SHA1
e7640742399a2d5db10c118404c77125dd393db3

SHA256
c71002f9bd79110e8017493f0ae26b8b97b7050c542785ab8bd1929436d14df4

SHA512
8a9caae5a23bbe7197d4fd19c5fe2716c9c58d42f72720de94fc9abd5b51f5d4e13aad6cc6ec3e2f0452bfaa2d2a971fe92a5eec2fc8a940045a84cf3e4f1e06

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
95KB

MD5
7cd13afe8da00387f99d3c5650992acf

SHA1
b59b271ccd8332b505e03df3d965de1737e6dfed

SHA256
be6d8e6028e3f92d3ca3e2fd6bd3331aa86c920ead77f8d13bc778d6b34ee526

SHA512
f24ab4677b102696fdb3179b68218b040f62e80e110f2a64fd81193a991e03bf45fb975852d71d48ba211a518d229170481f197fb8887e9593116b9efe02aec5

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
95KB

MD5
6bede651289ce9365ba08fb6c52ceaf2

SHA1
3d4ceee972c66c342fbb3cce53d8a970e08483cd

SHA256
9250f49dd464d984672335bc48f47596823253a15677c070d1d11bf8110a36cb

SHA512
13b4dc1a6be5b28d0f191d1d1ac63b88a393c6971b1623ee3dcd86c354f61d2d42fc4c743416b0d323c4ba429cd377084e85f30c0cbc6abf1663360f4bd27184

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
95KB

MD5
0d3f19e7537ef3c4c65aa2e5bb1b6397

SHA1
0804449bdbf83d7ba2aa917eec3bde126d65dff9

SHA256
2378b2d7f9eb4bbaff8735368ca4913686495929c4de9d3384b1a07b09d80bf1

SHA512
d5b0ac86c7fccb6e1e5c3be669f73dbc72b2b7efc49d6138e3c052998130a9f331480345fadad131521564266aea41dc79f21883fc22f90cb1610a6f52ab7413

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
95KB

MD5
b4d27e176547b2ff091328443cb0a077

SHA1
a876fb3676f5dd047a2f371b7f12192ab6378aad

SHA256
be34a2a1532d730bcbded9ddab3fc49cd86c8d320afeb1677216873537cf94b8

SHA512
416ddd60b0cddd13412ce561c88e58c501b4dc3cf9d01603450152615d987877e7643c831bc192ed608a1a45d9a6af6f335423767bee8e40e5ebedd34100d0aa

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
95KB

MD5
3dcf01b11aa93c077561c3f80e19e95c

SHA1
2d800f840a2cdd1f926591dbb80f9ce84b780d4e

SHA256
2d99be361a431c43f5c1bfce369da45dfa49992151ced6e7d8ee77e7caacc4a2

SHA512
3b9d5135581ce033f4ff40618a24acedc3e56e12a574a84e6c3536c985e512afb566b9aae35f4d5eb99bcfb4c2ed14b35b505fd943c164332d266205647f3828

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
daff924c75db205cd1fdfa626d2c8ad2

SHA1
bddc664e13ef44ea0773b09cfd4b16590e67e955

SHA256
c71c914ce61bed5fc9560d0e5a6119bad45d5344e5ee6dfa453de8f43584d044

SHA512
891c88e3b6e9e1a1e783c807da39768087a8beb4bdcee5943289eb555165d555dcdc7b2ee200d51f1a962616501214693e9baae90c859a0107e2a2b524eeabd4

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
95KB

MD5
43748d7a3613e74ee16a01176c91acfa

SHA1
b6430b96d9814f342ca2037ceb1dbf79ee31771c

SHA256
fbdef1b717dc59461cfa595f6dddd4af5a632bf1ef148a590f1b2ab7debb9241

SHA512
f441ef2fc7097c90b1f3c9ee8f35bdf9650da5163a776211fd60fedf50df5bd57a3e583acc48133c163312c770050bd60f7fc0fa9cbe0559e41c24f621b9f31a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
95KB

MD5
83575a431d5f4df9f5d4f6b1e32906e7

SHA1
4d5d5a7053c8f9c2b276f7ff4148d49418a6923c

SHA256
c5737d0f46ed7c839b8058cc14b6564cb443e372ee1c2b27744ec8a466c706a6

SHA512
55330fa603cee1f347928bcd04e89ab2d814af8e5991a7f93fdfbcf0b2482195726dd7db5792c267c4d103089a43bdd3e782ea09f26a2f4c31bfca5b24880200

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
95KB

MD5
cabe0fb4ea55fabf8dfc651fd76921e9

SHA1
049a5622f465cb628f708479129c8aeffb2af3b4

SHA256
039fd7ec5b44a315a8bdd5aa2ca776a9aecd7ec1dc22e76da042cd46a6bec64e

SHA512
9aaee82888380ef6f29e4446ab90190bedce3d338cd81d9c92e683d6fb3a43bbf5eaa4ee4d4e89678cabdd680ab77046da4e076ef8a86055174cabd4c77dcde0

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
39994bcf0e209eaee0cfbbfe788088e7

SHA1
d34f6fd188820ce263703e52cb2c2b3feccb0ca3

SHA256
36ac53a6d9b6190323c15710c09ab88933da115f6a1f7d585e6ddf28066c5438

SHA512
e210751d705b566c9afc2f1713d061842d5c1fd2fa5d66f4bf7adc32ea5598b5ef0eed0117c246a8ff13517569668406ad9d74e96150b2a311f3975aa02ce468

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
95KB

MD5
6f0e5572488deae6e11918a798bb3221

SHA1
ba5a823c5edb52189b231518ef5ae5ca714770ca

SHA256
af3dfd1935c66fafa84e13fa35ca5e8503c12f0c4d7a03138df43fec1fa7fa92

SHA512
c7e4fe2c2b9442cf5c85463d4c83f5ccd755bdb15d2bd5ddd902c0b07aa544a79b67e801bf471d39cf1b16012725739fb0e215d1da497ab658aba4a1e42ecfc7

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
95KB

MD5
fae10d8d3d6625e956bab3cc5a2ea6e3

SHA1
2e8cd92fa2c18155c5fba1a075af6567817ea320

SHA256
c2663752289f38ebbccae0b036fa897aab80e54d388961b6bdee1be2db990662

SHA512
50a2e33c5348b07d6827a8c34644d0f86a4f9effa65ef686305f9ac11c9400046d487ca4bb03ac00912bd8a0e96e492052fb28d20840628f6a30bd6b8131b217

Download Submit
C:\Windows\SysWOW64\Najmlf32.dll

Filesize
7KB

MD5
9441693bf2248387e5441883a0762ccf

SHA1
7f78d889ce71c9769a5c488df28cc93a05048959

SHA256
edc60f45fdfd6737584448afb32b5cd9a3c07fd1eef779f8a41d3a49c4376485

SHA512
f4184cb5f22f5a27a79c35a733ac9d7561e24dcee589c6a62d5b2f5cf7f5cc60d4709b1372785629ebd0fe19f820e1f03c94c04d638a87701fff6769e5d43f3e

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
95KB

MD5
b3a762ffb31e13a2c1a0edb1833a5ef2

SHA1
e483ecb301ec6686d899abb81e4d94074078d87a

SHA256
21552d1303aede32f6bf32838f4e7dd185a73239cb26b4d0274dad91979b4773

SHA512
9d5574b865cac32d755ba27b2cb3c12d99a7b781a351b74096f57ad7e36c0a4f2afb40a63de9359c1a6218675692c65f4d38f2496a4a036e063daa5cfcbe6228

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
95KB

MD5
b1f7d7eeba8ec5247e5925e25e23c2fc

SHA1
cb27bcbae034ca4c2151e25e69b17f3d0c7f4a90

SHA256
75b6650290a99bf6663008d10311125d118ccfc2a236b8af25fd08ff1ee7b35d

SHA512
49aabb1b4c5e118ad1a6ef2c169cd237563142b8010619eb93d2b4a6321cdf924d94eb148682677db9a50bd72550dabad65e2cb32a79586f30af0986566214d7

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
95KB

MD5
5883a0a005c47e84bd832f72c9c8b216

SHA1
a4c2dd16b64d6378e2d51ed924819908270e99d7

SHA256
5e4e3f3d7a0506c1af815ef99e11cd8457a9a9299e32ce967a5672c6b689c1dd

SHA512
dde0935dc79de1cba3ae8e81c899a1099adbfea1e7c7f7e73b6b5c249477057849db080a57fbfc40b192d518f187fc17641ccb4a860e8ce854a8198c05612996

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
95KB

MD5
93c70b1f195be046a69f062d708f22d5

SHA1
46c15d9b8d42b2d51a0b1055dd4f1a17bc16d7dd

SHA256
f64a2eaefc48487d6ab23b0fb51a02556d8d4b524e2474d6086796700ca75b17

SHA512
2c6a951998cf3fef213d3120367530296f66d812654fac68bb85c3cdaf0b0a87a2b13a7c1ba8b7394d17c0004a21ad4625a7770ce7960beb8d25fa0f662aa404

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
95KB

MD5
336766d9e4a65cf333a3b21f9c960bb3

SHA1
97cb9e3154e0f46933a9b310eea5d5b78a547111

SHA256
3f22654308f57bbd67a54152396bbdb96bd97fdae099e57318964bc4b9efd777

SHA512
85c5e1cf3ce4f8ac7fd1189aefa52ffc6dd797d804c121f565592edd405396bdbfef6a51baf405924ece3ff7ba6c0da86147cb0cfdd129f5e04de2edd877a5f9

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
95KB

MD5
140acb8af53042ab094b744ed3b8e164

SHA1
9f8b385cdbfe14c0528dcc8794ae08064f0b1c57

SHA256
a8476ebd46a0e26430e6baaf9dfe882539ae836f991d2dcc068dff29dadd5402

SHA512
177361349ba968a5469df8b781fb07524d733b953b06c93c5131552cd02846df018284764dea8077f9f2e1560d1f6d1d6b49ab1b9317c65e5770ba46231ae738

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
95KB

MD5
019378f22dc1d7d73bf36211f45275cd

SHA1
19ea8f41ab35e0e8870ed4a031b7cedefed4c173

SHA256
3831fb7558f9a689346e55781e80ebe451f8c8a6254894e9ded29ec13e7dbb38

SHA512
9bec36fb788d470bf83961575c9797903d787227d02fd3f33e07a988c50299a953dac4bf8d50b33952e725d543cf7ad56f0c39d94baae882e4b54ed31438c0bc

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
95KB

MD5
6cb419c2d323cbdd80d5fd0dddf6982d

SHA1
53060728c24a28b0668766d62c000ead99cb2ab4

SHA256
dd3662595289ea42ff5daea3e4ccb1ed6e0c372b9709ee060789401387b997b4

SHA512
101a681193e4c7ba7e564bc9e6b10bc69cf31d3ad2156f704d231f3d87ab872828e5ef3cffd6f83e9a25ea1c32179d41c80e82e3e9c2bd50a4b9893ff16d33f0

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
95KB

MD5
ebd2005257758f4706e66c2a094ba1ef

SHA1
4c8e8561981424de36cb2db53120379cf581bf86

SHA256
281f61d659dee94f40f37e5886049dcd77762e92dd250e8c4df85dd559e9418f

SHA512
8827305530ecd2f91081d25aad30a06829830d952a2dc69cabae3ca58f3f175d66c5f2e26f8dd948efd08ecd74d2787c2eee98e1c4470fe6d56b820cc9c54007

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
95KB

MD5
4be31a7932b0bc0b2a6f9b7f89abf9be

SHA1
7c55c3ba99e8f31a9dce909adfd44294977d0de2

SHA256
67e557ccc9cc9f6ff75c3c0dbbaad504ab4926d5163cc75fa22f3f31e582e1dd

SHA512
b0749cb1b882390a56e44ec3a26fb029509e904b2e7419c0f19893df77dbc60a80d26807320a51023a156f2b874d690b12555c455cf1f63ad81fc60eb1998e30

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
95KB

MD5
c0e504520919201bb3592d42759af6a0

SHA1
744d1c8dcac548048be6060c1cc4ee0038997800

SHA256
cd35ef5500bf6a99e8dabc041f69ee1c981df9f4bacaed8a0ba067a8d56a3772

SHA512
d6079ec39a6f3dc9d14dfb5ffb451e89ce85d4035e1f6c5484525bd576ebada7fc71dca4347af24d1c61fcf2fcb499ac1f659a1b93b56b554a4524ecb0b7a18f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
95KB

MD5
c2770311311ed13f55508c246f9e0ab7

SHA1
ccd7b80ee7920d981bbde8720fa997204e20f12f

SHA256
b4d4e95c28011dfa5904a14e0508b72bc6e06784cecb87af3f89c2f9b8dc4311

SHA512
d04059e0700086fccc24533e6f71e318a67774d459c63dc91957b5eb8096d7a3fcd059785498bd5616adb1cf452f963da1652b6ea413bd6a7e16546ffe308a15

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
95KB

MD5
d9ff50f9200ad55fe6af92fce8e756f6

SHA1
7748326db2abd4d518c73faeb8b497479a638423

SHA256
fc95023fe1b76acb47fecd9fcc06648c770e368b8a9aec88d1ce134ace609f89

SHA512
b04d6323138ca61d8d62bf2cd5511f7ecf750e2702a791ca3e5a6b61c7db7486a179e15e2ff26d38e2c54c5c09777b99a51e64cbad87649b2ae84c8646f29622

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
95KB

MD5
e581d1e256cae98a3cae78cf00a2ed9b

SHA1
223b67687ad353552060424cb16a75bef5ea999a

SHA256
95ba75484aa6f69e60bcf99be4eb4a439f048ffefc906c7cc708121e3e2956ad

SHA512
80178b5423a8af0100758fb8c7d5455213fe0939b66e2cda26776dedf6fcab4d2bf8a9ecb597b6f53e550668fc4d57dd64acd1f48991c23e2dc4f5763ac288ce

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
95KB

MD5
7c0a65ede2b4dd847cc38b5e6b882656

SHA1
10ab97cdab62525357047665c8bca0a3bc4ab009

SHA256
8b121ab6398c0874f67a6522dfa543050643967f9a5a57080eb6f9effcfc4fa2

SHA512
312cbc7eea2c5d7603866c682853993f415b6365a00cb7eb4358da54974c29c6f1423c6360e3198ceab77cee57448f61dee98414ca6caa576fa92889ed07fd1b

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
95KB

MD5
29bc3438e1881b5ca41b327d543b9d05

SHA1
357f355021837cadebf527840f14f6adcb8fc404

SHA256
4b6c137162ce17e032959db664810de6c3e81ace702cb5aff2871928518677d5

SHA512
271055c84d631c26aad337af455170d1b8a8451239a1109e3ea0b524867e0bf891e7bb8dce5d83f0431f1b2a0add46d924d33ecf8da212a7b3188f89d539f318

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
95KB

MD5
4f270df97370f1206f046ad457d66947

SHA1
81695be06e23aa5de80f8026c1722080a8208f7f

SHA256
8fa52c50cd65c1bd7718a89f5505b357bc788cfa77b26b248c041fd20416dff3

SHA512
1fd1435d4f4f03a9429dacd292465af92c3771eb652bfab5b0b8e53506ab5e0085bae8e7af807751834c39f4845a87958a5b1b4ad1c96f4edfa4b6885a86bcdd

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
95KB

MD5
e736e0601aef16a92a1f4958b9457298

SHA1
94394bff79267481a27bbe3dfa2068f43fb117d9

SHA256
2b79c5fd912825daf15a7a62e96f04356bfa5200e4ae20e89b8fe0b0f5c36b71

SHA512
57b3058b3340c99392849735b8f124960e79670b91fded600b4e319a7e46c6193efbfa83f38e2e8bab7e2cdfbad6ce71b3b31f831f987b504f41e2b3078620d6

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
95KB

MD5
fd31633692d93c366c04522029214197

SHA1
b217146e958e860d4042766dff0eedae59e0c2d1

SHA256
73344941523d5cacb74f617ffd41d419227e738192a1567f2e6c76eeeda19da5

SHA512
b6151813a1d5166e6c9a26ab86b8e4307ca2f86132615273a5edc4b68112fe0ed0ce29963dba963aede84b99a126f1bea7df20a597a55a322dd94acc4a79c3cb

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
95KB

MD5
139115479157425e90121678423b1d9f

SHA1
41621644b1534d0c70ca733ac2ae11338bc4585c

SHA256
67894580218a25b9e2bfade8ae2ea41159c30d944e74587805baef1c3c404f7d

SHA512
b993fb97ad617803803ee4638d6db65f4b203729305786ceaaf4e58f148c3d26874003b27cab4d8bb7aeb0ea20b842d4074461921184b3edb34aca04693a7cc7

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
95KB

MD5
0cc75d41bbd46621744f32f3921fc10a

SHA1
4653faf04525fdac5af946662053e44c1de2b81e

SHA256
bea8d04f24a77ab69d94a8beb70901e058681a38a8407d674b727aa222a4e0ed

SHA512
c8a253fda1edc2c94bb4029f28a8d377915c9cfa1853b1889cc6a2f2625ab7e1048f287df5bef7b01e8ae311bf20a00c99001f548489ba7fc8ac3cf5482c2a57

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
95KB

MD5
55e24fa6e0ee83418e533ea7d6e3ac34

SHA1
9069cdc126eed3dff3343803873aba549e5601aa

SHA256
6fd0dc2198088d226046602390dee17576f22fb725d5761f9458b2cb1cac9c84

SHA512
4828c68b5a4fd694824a3781138c47c3251f4f1821a3447d94872523a8e89e7bc4846adc2a874926d7179c5991ed636b2fff3da1e24a9712275de215ed3e0405

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
95KB

MD5
ffa3e7c9f80b01e5d040ba57d1fde022

SHA1
12669145c5cf8ec3b44765518a40f42b14b00d8b

SHA256
61e7e8cf2270731d152ae8b4ae6ce7f6d6beb5be833db7b184fc24ea42bda4fe

SHA512
03b03d21793a503c06b4c0f92c2b58ef9046d5d439577cc1a57bd626515181f7dd6a72f52d31fefde1dd08915685cb813829222811677bc4fd36923625801102

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
95KB

MD5
97b9ce2a1ff94dbf3cef69b89b867970

SHA1
29837699fdca257f4f13db115e8ebfbbe554aed7

SHA256
f6f1bf63aa7c0b568e4f0a0262cfacd34e5c4485f2aa09a9e4b7817823a69e28

SHA512
0d25b860a59e140a7cf7a4a7141af903eda67056470a6ead545d2969d154a8cb0d9971108e3e5c9ec2cc494c081946943782a0e589eec01ec404e316b51c9a3a

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
95KB

MD5
2f31aabc8a5d53373033dd300f2a36c3

SHA1
88a13f1ddf79b2b7ff7f960405c940bfd1b9a6e4

SHA256
9800e284f35b8bc7c4ba5eb53c2c968ec21bba88ad9c1785da7f09222cb12e2c

SHA512
e5028a2ad01dfbcfa1910879c45b9c5eff2317e4e9920325f7accb905173a7b089c8141feb95e404556162ec088ea9487972d76cb399656d09514cc931a7731a

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
95KB

MD5
ca59362e5e30c694c816e4873f75ab38

SHA1
8d675dad2ce7a97abd42552f83d17817e11f6e88

SHA256
1ae88fc2518039e311698c54ef4a7e0b88bc1964d53350dfe28d23a566bd104e

SHA512
9a239ceb5b67ed1ee4d523fd15b4af56d7f8b6e081b1adb924ebf648fc615212dd2de13282d91ff9a0b87e82c15fa7dffb80b8d1fe8195d0637654d82ea57f52

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
95KB

MD5
1d0500369f515aaa968ab1b9e1fdc344

SHA1
804c55fd9ab2819d64002e88ae5cbed5daa948cd

SHA256
4408b20762748d51477a2e302d2d4e12d32b4a83213f60d690ea824e01413d93

SHA512
f81017224eff5315088c1504838121ed9473c4187af99bf0cfe04ea69221499a390dcd1c5939b939feae50efca0fe1b6e13c40f90bbdd5b292f12dc6d8f9770a

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
95KB

MD5
7176d31e9fa2472c17a0d06112581581

SHA1
ec985f079de9c2798ee9d5d323c317e35763fe93

SHA256
3a486c005a590123b27dcd6ded2b036286c1b6f61b6d1e5e3f4d0f2f3814133a

SHA512
34bad6ad9f1e4b2cbbc7b4f7ff5ea384580f8623392a88937a6c8ca41cd82769d7809171e7f569d94f6019e1a71b80080f146c632bc917bc714dbada9f81553d

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
95KB

MD5
53a95e82ac098d961cbb138d459bf301

SHA1
f955627cd6934495bcc187778e20aa8b6fed5961

SHA256
58b343bccbac7c2ca583093eb87de04154a4d5e65feb73aa7255a501610f6543

SHA512
365db23da7749051a9c4b68ec78017e4a04e0d349967a88f5ea9e2b3b537edb287362d84b0ecb0dbbe7565c3453a27bb127758bbdee5bbc75fc645c23c6d7aeb

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
95KB

MD5
22bb61b21889b56ef4cc459f4ecd6bc5

SHA1
81c77cb68bae0d483995e855beb7b44301acf6d2

SHA256
a42e6d4f7b1538c6d6289d9208c63b9a1127817416cb737e8e81d7c390bdb988

SHA512
d22a79e96337076951a437d65299a8ec3b19121b608f6901b79dbccbea7b83e823582199fa3b3b7938265c8a1a3b8dc09dae5df8bc0c96b4f5e60e03d6d30c97

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
95KB

MD5
1f7af4b5a1ce39d16fa51e84827765a1

SHA1
e40e38eb40297d235907d2f7779ba931e2ebc0e2

SHA256
3dd90bceaa1d9cdbf071845bc0cc033fde73b1c93851c237d5650a76083d25a4

SHA512
78dd3ae13a040127f5dda4a2da5c227a58582d2e64fb7e0ea8580b7eb89c2efe38ad528ea6f76407712fc876cd8410fa6d080b45d0fdb1fab1b3dd03f03551fe

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
95KB

MD5
e9e35eec72ecd3d97ef6dbe4bb0fa865

SHA1
3ba434d6c71baf1d9c2fad8f81c579ac5a689486

SHA256
0498c92eb801d4dd185c9550f39a7a63a2486a7be1fd3f9b7e07d5de78de8eb1

SHA512
0900cca550591d6ce034daaeaec1d8582d802ea7c08c39b84c401d2c3531dd105aa8dfefad030c25642cb62659d9430e97c3d7bf0f170fc2b3813fcfedfd0af4

Download Submit
memory/216-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/388-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/996-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1060-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1452-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1856-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-488-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2472-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3240-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3240-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3620-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3748-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3756-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3776-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3776-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4156-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4156-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-530-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads