a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8d

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Size

128KB
MD5

e434a691f64f866e67f746512351d620
SHA1

1149f30eb452b4d8fc63485e0254fb4f1046ecab
SHA256

a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8d
SHA512

61fddd077e3ff68e9b9a35d5a01bcc52e023d7a1e63e8dc710bbcb14140223460f6a0ec1566069f636fade6ab495cac6950d45f8c69017769ff112d5528fdc14
SSDEEP

3072:emlqVMI3W1bhAysNiUnWkIo8oJb1AerDtsr3vhqhEN4MAH+mbp:eml03ybXYxWno8oJb1AelhEN4Mujp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okdkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe

Executes dropped EXE 59 IoCs

pid	Process
2132	Odjbdb32.exe
3012	Okdkal32.exe
2836	Oopfakpa.exe
2660	Ohhkjp32.exe
596	Oappcfmb.exe
2916	Ocalkn32.exe
2080	Pjldghjm.exe
1680	Pmjqcc32.exe
2976	Pcdipnqn.exe
2316	Pgpeal32.exe
2340	Pnimnfpc.exe
1160	Pokieo32.exe
1764	Picnndmb.exe
1580	Pqjfoa32.exe
2548	Pbkbgjcc.exe
2056	Pjbjhgde.exe
1900	Pckoam32.exe
704	Pbnoliap.exe
1748	Pihgic32.exe
1388	Pkfceo32.exe
2296	Pndpajgd.exe
924	Qflhbhgg.exe
1784	Qijdocfj.exe
1736	Qkhpkoen.exe
2164	Qbbhgi32.exe
1596	Qqeicede.exe
2856	Qiladcdh.exe
2612	Qkkmqnck.exe
1920	Acfaeq32.exe
792	Amnfnfgg.exe
1672	Aajbne32.exe
2508	Afgkfl32.exe
3024	Amqccfed.exe
2864	Ackkppma.exe
2772	Afiglkle.exe
2260	Aaolidlk.exe
876	Afkdakjb.exe
2252	Alhmjbhj.exe
1628	Abbeflpf.exe
1508	Bilmcf32.exe
2216	Bpfeppop.exe
1056	Becnhgmg.exe
1376	Bphbeplm.exe
1308	Bajomhbl.exe
1712	Biafnecn.exe
316	Blobjaba.exe
2120	Bjbcfn32.exe
1616	Balkchpi.exe
1556	Bdkgocpm.exe
1588	Blaopqpo.exe
2636	Boplllob.exe
380	Baohhgnf.exe
2980	Bdmddc32.exe
2404	Bkglameg.exe
2956	Baadng32.exe
2912	Cdoajb32.exe
2280	Chkmkacq.exe
2264	Ckiigmcd.exe
2152	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
2840	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
2132	Odjbdb32.exe
2132	Odjbdb32.exe
3012	Okdkal32.exe
3012	Okdkal32.exe
2836	Oopfakpa.exe
2836	Oopfakpa.exe
2660	Ohhkjp32.exe
2660	Ohhkjp32.exe
596	Oappcfmb.exe
596	Oappcfmb.exe
2916	Ocalkn32.exe
2916	Ocalkn32.exe
2080	Pjldghjm.exe
2080	Pjldghjm.exe
1680	Pmjqcc32.exe
1680	Pmjqcc32.exe
2976	Pcdipnqn.exe
2976	Pcdipnqn.exe
2316	Pgpeal32.exe
2316	Pgpeal32.exe
2340	Pnimnfpc.exe
2340	Pnimnfpc.exe
1160	Pokieo32.exe
1160	Pokieo32.exe
1764	Picnndmb.exe
1764	Picnndmb.exe
1580	Pqjfoa32.exe
1580	Pqjfoa32.exe
2548	Pbkbgjcc.exe
2548	Pbkbgjcc.exe
2056	Pjbjhgde.exe
2056	Pjbjhgde.exe
1900	Pckoam32.exe
1900	Pckoam32.exe
704	Pbnoliap.exe
704	Pbnoliap.exe
1748	Pihgic32.exe
1748	Pihgic32.exe
1388	Pkfceo32.exe
1388	Pkfceo32.exe
2296	Pndpajgd.exe
2296	Pndpajgd.exe
924	Qflhbhgg.exe
924	Qflhbhgg.exe
1784	Qijdocfj.exe
1784	Qijdocfj.exe
1736	Qkhpkoen.exe
1736	Qkhpkoen.exe
2164	Qbbhgi32.exe
2164	Qbbhgi32.exe
1596	Qqeicede.exe
1596	Qqeicede.exe
2856	Qiladcdh.exe
2856	Qiladcdh.exe
2612	Qkkmqnck.exe
2612	Qkkmqnck.exe
1920	Acfaeq32.exe
1920	Acfaeq32.exe
792	Amnfnfgg.exe
792	Amnfnfgg.exe
1672	Aajbne32.exe
1672	Aajbne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Pjldghjm.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pokieo32.exe
File opened for modification	C:\Windows\SysWOW64\Pkfceo32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Edobgb32.dll	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Lnhbfpnj.dll	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Okdkal32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Pjldghjm.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Pnimnfpc.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Oappcfmb.exe	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qbbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qiladcdh.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Ncmdic32.dll	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	2152	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okdkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll"	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmjqcc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2132	2840	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe	30
PID 2840 wrote to memory of 2132	2840	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe	30
PID 2840 wrote to memory of 2132	2840	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe	30
PID 2840 wrote to memory of 2132	2840	a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe	30
PID 2132 wrote to memory of 3012	2132	Odjbdb32.exe	31
PID 2132 wrote to memory of 3012	2132	Odjbdb32.exe	31
PID 2132 wrote to memory of 3012	2132	Odjbdb32.exe	31
PID 2132 wrote to memory of 3012	2132	Odjbdb32.exe	31
PID 3012 wrote to memory of 2836	3012	Okdkal32.exe	32
PID 3012 wrote to memory of 2836	3012	Okdkal32.exe	32
PID 3012 wrote to memory of 2836	3012	Okdkal32.exe	32
PID 3012 wrote to memory of 2836	3012	Okdkal32.exe	32
PID 2836 wrote to memory of 2660	2836	Oopfakpa.exe	33
PID 2836 wrote to memory of 2660	2836	Oopfakpa.exe	33
PID 2836 wrote to memory of 2660	2836	Oopfakpa.exe	33
PID 2836 wrote to memory of 2660	2836	Oopfakpa.exe	33
PID 2660 wrote to memory of 596	2660	Ohhkjp32.exe	34
PID 2660 wrote to memory of 596	2660	Ohhkjp32.exe	34
PID 2660 wrote to memory of 596	2660	Ohhkjp32.exe	34
PID 2660 wrote to memory of 596	2660	Ohhkjp32.exe	34
PID 596 wrote to memory of 2916	596	Oappcfmb.exe	35
PID 596 wrote to memory of 2916	596	Oappcfmb.exe	35
PID 596 wrote to memory of 2916	596	Oappcfmb.exe	35
PID 596 wrote to memory of 2916	596	Oappcfmb.exe	35
PID 2916 wrote to memory of 2080	2916	Ocalkn32.exe	36
PID 2916 wrote to memory of 2080	2916	Ocalkn32.exe	36
PID 2916 wrote to memory of 2080	2916	Ocalkn32.exe	36
PID 2916 wrote to memory of 2080	2916	Ocalkn32.exe	36
PID 2080 wrote to memory of 1680	2080	Pjldghjm.exe	37
PID 2080 wrote to memory of 1680	2080	Pjldghjm.exe	37
PID 2080 wrote to memory of 1680	2080	Pjldghjm.exe	37
PID 2080 wrote to memory of 1680	2080	Pjldghjm.exe	37
PID 1680 wrote to memory of 2976	1680	Pmjqcc32.exe	38
PID 1680 wrote to memory of 2976	1680	Pmjqcc32.exe	38
PID 1680 wrote to memory of 2976	1680	Pmjqcc32.exe	38
PID 1680 wrote to memory of 2976	1680	Pmjqcc32.exe	38
PID 2976 wrote to memory of 2316	2976	Pcdipnqn.exe	39
PID 2976 wrote to memory of 2316	2976	Pcdipnqn.exe	39
PID 2976 wrote to memory of 2316	2976	Pcdipnqn.exe	39
PID 2976 wrote to memory of 2316	2976	Pcdipnqn.exe	39
PID 2316 wrote to memory of 2340	2316	Pgpeal32.exe	40
PID 2316 wrote to memory of 2340	2316	Pgpeal32.exe	40
PID 2316 wrote to memory of 2340	2316	Pgpeal32.exe	40
PID 2316 wrote to memory of 2340	2316	Pgpeal32.exe	40
PID 2340 wrote to memory of 1160	2340	Pnimnfpc.exe	41
PID 2340 wrote to memory of 1160	2340	Pnimnfpc.exe	41
PID 2340 wrote to memory of 1160	2340	Pnimnfpc.exe	41
PID 2340 wrote to memory of 1160	2340	Pnimnfpc.exe	41
PID 1160 wrote to memory of 1764	1160	Pokieo32.exe	42
PID 1160 wrote to memory of 1764	1160	Pokieo32.exe	42
PID 1160 wrote to memory of 1764	1160	Pokieo32.exe	42
PID 1160 wrote to memory of 1764	1160	Pokieo32.exe	42
PID 1764 wrote to memory of 1580	1764	Picnndmb.exe	43
PID 1764 wrote to memory of 1580	1764	Picnndmb.exe	43
PID 1764 wrote to memory of 1580	1764	Picnndmb.exe	43
PID 1764 wrote to memory of 1580	1764	Picnndmb.exe	43
PID 1580 wrote to memory of 2548	1580	Pqjfoa32.exe	44
PID 1580 wrote to memory of 2548	1580	Pqjfoa32.exe	44
PID 1580 wrote to memory of 2548	1580	Pqjfoa32.exe	44
PID 1580 wrote to memory of 2548	1580	Pqjfoa32.exe	44
PID 2548 wrote to memory of 2056	2548	Pbkbgjcc.exe	45
PID 2548 wrote to memory of 2056	2548	Pbkbgjcc.exe	45
PID 2548 wrote to memory of 2056	2548	Pbkbgjcc.exe	45
PID 2548 wrote to memory of 2056	2548	Pbkbgjcc.exe	45

C:\Users\Admin\AppData\Local\Temp\a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe
"C:\Users\Admin\AppData\Local\Temp\a68aa09316c7265e63b6ada0dd0291cbdd2714d84240f22f8a489c3cad3e3c8dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Odjbdb32.exe
  C:\Windows\system32\Odjbdb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Okdkal32.exe
    C:\Windows\system32\Okdkal32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Oopfakpa.exe
      C:\Windows\system32\Oopfakpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 140
        61⤵
        Program crash
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
128KB

MD5
b2cdce8ad5c64a73539cff1e31fbaee2

SHA1
500127383bf3cea47f835743b7c37ab62c887500

SHA256
477c2fd9b64fa8de38a95f8b40a3dd8be4341ef92816b30490592e67b20a1919

SHA512
24daa29dd508e69872ed2373e4e51dbadb4586108cbc9314959f4d8e9f7786bff3355393c7251c76ced7631e7c97987a759404b72c4f9afd09605710433d8d8a

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
128KB

MD5
2c5051ca362a7c37b0e51547b0b3a822

SHA1
fa330ccf8112015c1974e5d89bad93daf09304c3

SHA256
6766c2ea3b0a411fe5972cef52a8adee5d1d361599b9fe26cf5e9405c62a2ab5

SHA512
6623bd0c96db3a7aa80a0d75cb944c4dfc1c0718ddee45d665107b9f8b396fc061e94b9841bb4d0df6f65808ddd3741e52b811f176a8576604a7f8512b64cd5e

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
128KB

MD5
850b7152d3d9019aaca1d09514f5ca76

SHA1
fd905341268b9d4e0b9896b771220feb3f5bc86a

SHA256
ff4e0f49f4cc3a01254a53b141a79850b1f5e46bb1e9c681ee8986ecfdb75c0b

SHA512
7b1b3cc3dbd1f9f0228d0a35f38eec5faf84883015669f097142f9b5939aefd8ce611c911858fa06f5198879301253eccc0940795be86e2afaf30e1b0f317c38

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
128KB

MD5
2b01ccb44975c5dc71836d86142b8604

SHA1
a82927cab38d65db9e24a0079414e1d9bf232493

SHA256
23de309ffe350f3bbb88f1773d08fd587e28b6d8eca453ae7f3fac3a0844fb8d

SHA512
156465ed17e10106e4a47b132552dc024210b5df4aa64eb60b465c42d32c927c89824be0d7d86c216283971464b1f841ce49b00e5c561e41dcf512a6a3e0f303

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
128KB

MD5
279f70fd488150aff78a76cbe01bdaec

SHA1
3cecf4f233a7489784a0a68322a9dbce40d03216

SHA256
7a61041341d8dff6ca1494aac3c627458aa2091c1ce57e1998e33283664e485a

SHA512
e09addbdbbe99dcfb902222b15a53b1295b80138d168f40a54a69cff390fde89dd33449158704787cf83c3c050dc13ce6e9de98fa0f588fb014fff7c11a1ae9f

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
128KB

MD5
7e7b34ed33123810815ca3c22a06d0f6

SHA1
bfea6947479b46c6169bac624543919c68f1a0dc

SHA256
bfe9ef065c687e15080a7b6a63d01bdf0d2ed736b8d6e532a1b5da9472f447b0

SHA512
1b6262d1afd7117b9ed4a9e6efdbf2606a24db2ac6f110a391698af0fbed75d801abf7b71b78f0453de91913e41279380274da034d75d27b283914be46e9677c

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
128KB

MD5
83f6ae3ec37406706365f64095fc2cd6

SHA1
0a57212fec8f76806e4fa7a0ef02a7385fd3746f

SHA256
fbcac7d62223568e1e90ef42af51c5747cc2a85c7eadb488102f6c6756ea8f86

SHA512
5738ff0c1dc3ae43fb4eb554eacae6e39ab004636d1cf50ff83d77b3b207524525ae2efd95c31ec45ba8403d007100d94dfbd5e3610882fea00d20a9f05f0d23

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
128KB

MD5
d3bfeae2a6b104db60db298794a434e1

SHA1
d0387f240a72a6f5cecd2343a6ea7e4807ab1189

SHA256
1a9caf0ea6f1bdf1efaae8f9844465ea3c56b05eaa9839a09fbe35a1c6cae08b

SHA512
814b64a745bfb32781b724208085e09a357a8075b197ce4acfacf94be77a71a2bd5bae9f3f7e7a95ccd768a6fb1ab457ffd5cfd06935d469edc3fdcb0fa02f68

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
128KB

MD5
d20d2d0b54417c5c5444244b4b4d0a46

SHA1
6abcf5b484f96e85a122f3de1f095b7d307a49ab

SHA256
cc2041eaf770ba96ee2cadd5dac134b875430239370848ddb9930ecbbb960f85

SHA512
03ced45b4e57981228910cbd0bca5e9a4a840ea4b135cc8213f0861b8e82cf4837d8b8b60d4c9f675f56c70127c1c25900f843ea4de5b2d02b5f507bff704d5e

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
128KB

MD5
c03821dc46197a1dd550a69ad93fe274

SHA1
bbd5c0791a706f79314d2b794077010730998ed6

SHA256
83bfda842ef28e98faaaeef565f54c60ea8f3bc251015728d390b18645963553

SHA512
f6d84e9b519756a186f0625dbff98c5a078165e4426a36ae5edec482b6192ccd41f52aa6dd0a751d8a254d713058f9c4fcc29c61985da6c22d9875c10db54730

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
128KB

MD5
131f614f96e29eac6f39723e7d8a839a

SHA1
60c857199269da4829d51468fd568f849a68f7ce

SHA256
281bb698c06279bb449bc2db80f0964e62cf88a9b09da2627786f7544db6a805

SHA512
8e9fff2ba2c304a594f57de9557a17dc1a581e7f678d6f99f4b4869dc4af69d837621418196e1f33e3d81c5382981fc5458b5e797126ec17953ec1d7563fea3f

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
128KB

MD5
071ed9d2db18579e77912d96d5c0b536

SHA1
8dd2c51add5dc455c76427ff3a48fec65d53150c

SHA256
2d4e77634e78569246cbe707a38e47e3db679263c9799c7d7e2f7b90c1f4fe08

SHA512
686b5112a16c44f059cccf18d160e243b1f40bed08577312cfe937c934b25ab8f0697171bacfec6f34a53ede8c57ea33678dba4112e01e8c12dee3db431b8f3b

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
128KB

MD5
7dac3306a712471a1416ddb9a6bdbd71

SHA1
1235465938fc5ce903233c706f2a4bafecfe466a

SHA256
58912855cfd29d03e985da37c9e93c5fc5cca9f102d02a9b9164c3dc6ea1f98b

SHA512
7cf3acdf59bd5cb64ec817adba6a0fb31e2ff1e462f425d5faddff59c1635ac1374f454c092d1afb5bba6e7e3269fe0b669979315b3dd684c29ef9094e18a167

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
128KB

MD5
822337875ecf8dd217bdc3e41187e04b

SHA1
a22873532a173344c5b18fa21c1e8906dfb8af48

SHA256
c229ad62b361f4cdd2ef85ea8c290ee90afa6989123999310a1e52424e04a3af

SHA512
052bc346d9ddef4c33011390df0e6c775837a9856a698d2589d8722c823fbf3a05cf214fc6dc6bf3c7c69bae1954e5673eff8e0362192d59688139d1544b8b69

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
128KB

MD5
06f230fdc351be4b6491ad4e2f019d1d

SHA1
fb34024ae09b9de5d5d86a188fc346c44009f4dd

SHA256
fe4833929c3f08390a5db5059b5b56038e3f5653c0b7085d93d143881a266e57

SHA512
162a7080948303f5d65afb2f49c2b3885a36ea96d4426ad26cbecc8c560e84870c53aebdc4e808a5e82f4a4842a05b7c089584240ac13f4d9ff4ea512573a434

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
128KB

MD5
1c8078f279a95c123708646324f26e28

SHA1
e212a92ba6ba9f44700709f8fd44fabc4ed032e9

SHA256
7b4128628cc886e2c30139c73ac29ea0dfb0b82df4b7fc97fc91f7395a6941cb

SHA512
fb39d46d9431df882977552053cc25825a887728d1520d745449bfdf95b39d6fc8972c93b048adfb52839f0db1de9fa7c70d60637b98bf45d1aa96ba33a714b8

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
128KB

MD5
8eb8c4d3e019ee1bdd6119ea638da150

SHA1
28f795daaf99b5654a28efe2d7db4d6b8c11771c

SHA256
0d67cc2d460127fa46bf681a6b67be146c2e334f8291bb58a3b327a2af283473

SHA512
285a43ad5f2d60867951005467e80abebce1acd1d8b60f2c7be6fb68d6b4d1dce2cb35a858055d808f45c134c0518d7693eb77b3a8f2271c521d1c294d7c1896

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
128KB

MD5
f0faf9bfe2e7106d8a9e8445a05337f1

SHA1
9b780ad3a85bcf209d8b22d2d34718f308dac078

SHA256
cf8a63f854ee796784b3063da2097770156c3288902628757562020490ce7bfe

SHA512
1e9f950186c2f34c1d49e1195c61b97a097b69ed9d0a5a5d39be171f17e05ba2ee35ea8a696e437644ca61c6b145c3ba4c356bb398e5ffeec545aca1c1a17e2c

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
128KB

MD5
b18fd9da05d9c1fe31406817fe024b9e

SHA1
c1697686bba542dcde32c1b5c918e6dbb4863409

SHA256
1f41e11025b81bfa79c6a599877f6c2041861932ac52354ac68527cc5883a4dc

SHA512
09121724aa77a92e001d7fa5c6821c54cec7238d69b3cde9ba75fb22d833765b6d40707a48578a4b90b3e2551556cc0b8633f802dc7282ce9c93576f59bc517e

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
128KB

MD5
209990dc69a404cfb4f648d7f7caaba9

SHA1
9fd050962eff6217bb670f0b22d6ae305b25bee3

SHA256
f5774fef2af6a92a5528680428af5094490f469b41672167e775878a0bbb2d65

SHA512
e248260e85592544a2e2baa382347bb92bdb8c41d89a0aa0b650be2e9c8e4cb444e5f06367869e6477d5b9973d5cda69ae00c245a12876a723cfe03fd98230cb

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
128KB

MD5
045590446a6f35f8079602790e867bf8

SHA1
18fe1e8348ace0ee0331ac388e10d909ab0b2f6c

SHA256
93f41b34f921aef78529dc5baec344d8aad19840e673c6593259ffce9fc20078

SHA512
692a299230c149499c3dbf78cd28b52f1544a5925eb60fc0130cce2cfee479c8d34ba302dea526b2cca6341266e5d81ad06f8e8e11cc68e8815b70b73641250f

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
128KB

MD5
b2c9e8f62d00273aa0d2c119ac56c5d3

SHA1
2314956cb2534cc03a3b1a3498e4ac96e43c358b

SHA256
85eb7617bbb8dfd6e086a367f314143c1a73dbc40cc3f0303ebf0086e49722c4

SHA512
5980e9aed71d02f4b8d8b8581ae506a1107c620f822a84360f2e74f7df27e4a43a3355b81667d890485141a2ff53756ef1d3a53ec805df4dea5f10a0b24af3ed

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
128KB

MD5
774c003ddf048e5d8de10476183d1556

SHA1
5f70e119bc1922651b82138e3c1b80cdf3723a4a

SHA256
ece7276d3a1230fe3385e22b0423ad8e786fe793b4eade16ee43e7226b2c272d

SHA512
5ed6d974e2b55f69951cc5e4698b1adafec7bdbfb34880f86d55b751229bb91df1a089fbc1ac693ea1c7e8616fc1cee72e9a8db874a054c2c70abb333d72a6ed

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
128KB

MD5
db6b35adaffdfaaeab5058a8ba2c2da0

SHA1
2877b2378dac8f450a2be8103ce00b7f879e01bc

SHA256
8dfc593a0dc7d2f947c1c4c0ef9d4243003bcc9146d5bdd707f19fa71719653c

SHA512
4f670d4a7e548a29cd99f5c3de824068166a13e9f86896d6bcd9250d0453807012bb32978c4f3fc95ac689dd15dccb8347db92f5ed0adb38c65aed0663d2e8e4

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
128KB

MD5
4a10163a40f9844fc92659a82c3b8f0d

SHA1
3360847683b63211876aa591c35714d498bc3d4b

SHA256
6ddfbab39a8433adb9f1173bd1cae931370ced9504bd67b378aff8e8a2795b3e

SHA512
006226fa58557cb29ff4f79bd42ae0e8a23f60ac344469e21bd4de90a1569b7e93aa91eb888609a677fee9705e8b4c75a6c5ec59a1746e89125fa4ff475407fd

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
128KB

MD5
eed5b429737dc86548406127ff308cfc

SHA1
0548cba6101f680d6d2f8aa118de95e56d4fbbb9

SHA256
c73e15e0388c6a42184bd05103071e5c3c2a2f5ee6728d9df62a5b44dba5b057

SHA512
bfcd33d1f6574fc9ee1289eab455b6e7932057fd2feb10dba05c6ec2e62b2afe15fa24864f51d1cecb787bed4745e2669fd9bdf6c5e6b7da214d64c86dea6e99

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
128KB

MD5
0af11dec5bb57b4356dde86fcd61fe44

SHA1
1088644cb14d1e173339dd905efc8866c0910891

SHA256
b0e4af411d8cd77395d1b267d5e40346c6110a92e3ced1480366cfe4309b7fd9

SHA512
9814cd77e293d7530df89a80e699b59b50eab8524c82a4fbddf9659a27cd64ccfa42b922fe6c53e34e250f75fd152e0244563749f1a5cf13110e6a30119777fc

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
128KB

MD5
a5c11e7e98c528b8ec467f28ecb1e454

SHA1
f95ce4b7aecd5850d39d992cc4efee29e098bbff

SHA256
9a58093d280d0d49e4b378e28b05f7f86ef7024c2b626fe67c6b830cedf2dbf9

SHA512
19d95fb1677823a525355e54dac14657853237840c3a4034b1c0fce028d3f2e16f4a25dec0167474ecf4d71b78dee03990a40ca8476d63bf4099c377e39d9836

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
128KB

MD5
f53c98980df8552e81d8e27d1142ddbb

SHA1
adb28f0bd598bd905a22a9b606f88c4ace598b5c

SHA256
49dc83b3b0df81d6b6cee280dffe36fcaf018363e4accb13aa63a503df3cb458

SHA512
120bd708599be7f2bcae9319ad4e5c0c795641d405b9d765da8c1dc2c316b828dad0bdeb1d73c45fb938fb4390e87b0c336a523ab0248b8360c0736d2d9dba79

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
128KB

MD5
417db8c32ef8c77a3c168dd18ee0b175

SHA1
f16c325beea52bc6b4a3c5ee1e32ceb172a651b9

SHA256
f36e73040216433922b81a7b2652739b0b92789a6ccb39b498b2da9015f5b28e

SHA512
be24c2242affc14c2604a284592eab67d66a5ff3e41337ea37ebe8f73a5257f911f77fe63e33614db49604f84e5679c1d0945625c62bff374197d21d9ee1ef0e

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
128KB

MD5
d87f1ab1282576358bfb04970d666ae5

SHA1
dde75339e46e8e3921bc11c2a98d49ea96024a8e

SHA256
f57b667eec7568c44230c16e3138946fd7ddf45a9828e008927906441973d0fe

SHA512
911152da85cd3646b8275cb1dd6d9e661c2d63a18dc04688f756fcdcdd294ac2bf3160766db82fbf87edfc46a8c898c1645b1bc87215bd9bebc77918eba6f1b8

Download Submit
C:\Windows\SysWOW64\Eebghjja.dll

Filesize
7KB

MD5
963b4ce2d23aedaba1e30e546bd85bdc

SHA1
a14c0361e8d21397bf13313da9bc125f493a20fb

SHA256
224a675bdc4f0d97e16061784eec0f5f9387898e78b85af8083475f71e1af420

SHA512
d8fe760d35a5697d5be203580c4142698ad1f13c7363e9901fdd7f541d2364a3c4d85e87cfe677f50ac605e0c3cc64cb0ab1494b876c84390b04859e2cd1a965

Download Submit
C:\Windows\SysWOW64\Ocalkn32.exe

Filesize
128KB

MD5
c08c934451319eaa4526f827d7d9d0de

SHA1
4dac1737bfc2483892f7b9ddd9d5d4e935cd004f

SHA256
95af45b096ec4408e9f2ca7523e25210379d2927dc10b9209800b3be126e97e2

SHA512
6528c184d0eb3a0030a42fa7486eac8c206e72e7a02ae2491c2ca6110654a4eff4ee24a4db1b6ec65db16253d460d700a4427b287bf2e5522787e55bc88febcc

Download Submit
C:\Windows\SysWOW64\Okdkal32.exe

Filesize
128KB

MD5
71975232c605a4b64c8e8df1c064ac3b

SHA1
c3218e3af5357d111a7149e4a4f850940336861f

SHA256
6b15a94eff081160f327fb873925e1fb84faad107dcafed9a7668130881c427c

SHA512
b6e7e0c69043613249e2bca70a13afb2cbe0d3d86dd18459e2b03e4778a43286344597cf18a092e90670036903a2e89ad08a856e40259443c1a5f77ca772da96

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
128KB

MD5
8cc71db8c4dfc6b9915aeaa5bedf5c68

SHA1
9531b473ef9e5d87e4cbd5b4a4b9491794a63f7a

SHA256
b8173d392cfc98a25312e5a6d3d6396268a9e64525b6f555ce4595dd5ede966f

SHA512
6733c37091ea6e1fa5a6253577f37370f1aac60e437ae62cd3347f1c498c5bd673d17c81eab13613538b443d84e762b9a2aa81743f349dec4b77ee2ddf018b8d

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
128KB

MD5
2678e26568067ef0e3c2ac97b22753bf

SHA1
d18db80146d83f0ecb3261477907f84f77018f0a

SHA256
77e965b1994563aaa5f56bfe77262624469efbe5867968f1712c2da8a3a3643b

SHA512
6df186cfc41325d0f0c370f023bbefcf719f534884297e0c1e9c31a63c0b86a33addf290927aa89cbd89aee0237d7a5ea3eff38f3680648a9532cc8580acc75f

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
128KB

MD5
41f99bc269afc4f585b5cde78e197a39

SHA1
a842457f365f7b3457aae4308e1361d0a8a5e829

SHA256
ec871c47fb5d96154222e4ac664a3b575d8939a8595ce3e63e421723abf49918

SHA512
8fd71309112c3e32d0442e2b82bc5a3f5232f5dc328ae7e7c5a82b08efb87aef39568978c862f8efebaa1df5ea217227bfe096be6bf7fa904329f7f6eeccf6c6

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
128KB

MD5
fc7cd4b414954c4b9921d046a58385b4

SHA1
24835ae93b60a3d0b925f2d1a368160b354cc47e

SHA256
a9a738895682d7e835a845a4c2a2a29bdce86ebbf6656aae8ac6cdaa2e4e27a3

SHA512
68a63869d442eddfe0d1bad7e2d046656495ea7c7dff4477eb2d3db8024e56a479f19c3452099077faf2bdb63b4ce6de4f0e292dca3dfe124c01e360c5c09202

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
128KB

MD5
fc617f42e24ed11fa146c4970203abfe

SHA1
830636082284e3c0856b96f844e64ba605acba4f

SHA256
7b69b41be410a5a472e7cc053b29294e8e39b8468ebf33eef35d92a69c112b6e

SHA512
4b1e50191bcc9ffd86a3f81c679a1975dbb7775f68b60d08f14921cfed30d315f4cbfb98eb68b53babb8e4aca1ba3b6f596a232127ab4524e605f6022fec7a19

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
128KB

MD5
89a60fb57e1a64f16e8b940dad7105f9

SHA1
5e2681a6957e8f404d9b873da9e8b4e139cc4242

SHA256
79f68e20f226bc1a10f1012027569884a424210e5fdf52b3a6ef592f6d7cf29f

SHA512
9db85e0a6317ce1c8a0cc6c0ef5053df762eaca706f5da4074328179e53442abe0e549b392524dc6262402f13e863ed7b54a130c38d31bfe5c184bbf82841e8d

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
128KB

MD5
805f81f58d8966ae3948867bfc091278

SHA1
27105c1dd6a4d5a9637511c52f7feea05ca03dda

SHA256
2e8147c51017dd4a2864ce14ecd2721cf65af399c59ce6925b98a08abf97237a

SHA512
e3179e07005a89ed10ac91f480dce73feb39ca3b924b0ba63d4fc7e3b6fdbc169577b196ae9b929b17be9b0c15616f2887be13538600aabc34befdc6a1630477

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
128KB

MD5
7d13e7cf1974532f7819b0e9de7dd537

SHA1
bfa09b5cc08f344909b3de6f058734e632678454

SHA256
db47b5a37f47970e4481591b7745d64180e23a5b2c1b47a954f3744f25553d99

SHA512
fd05d9273c7e4ce050e2cad17237554c72c6008760245fc92d4fe092b61019ffa4ad89d7fdbc099b2be96e9e86c57f8b21e8f924ee5010699e7c560676651edf

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
128KB

MD5
dbdb67e0f73951bd6a73c8d9bc9b5bbd

SHA1
e334cd35a0769440130a4b432bc41892edc5619d

SHA256
ee794684a7be5f5d6b0c53f73eca933e0a0e40768cd8077a84245f11a585dffc

SHA512
49cb286fd7edd2b9c7656f9d75638e867b5f28c13c547cf6a2a58c898051e41664a5a9e0f691ee48bb0efe6dbf64f3a6b0a4983833ed4b1433dadd50a0703bb9

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
128KB

MD5
2f47934e60695e40cab076adaa530050

SHA1
df310eb5d6732568a261a9705563c9370c890008

SHA256
c5fc1e005e3383e2430f1f3a6d9a594756632b3d0b704d38f0f7d6102cd76ae2

SHA512
017b42bead7aa1dfa5353848ea5731147b143a748e0e35dc3245ad02279f004b7e95de6162400979e245faacb8a1c62c58c785417ac09f70aecf2dc7a8e6e53e

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
128KB

MD5
50147df181deaa53585569a7e0fb09d0

SHA1
b01bf8de5414b4b99ccead59a5cb3511b0a0c045

SHA256
bdf2d2cdb6952882dbf1cc930b97cd8770333579280f04eaca9ca3a82f179533

SHA512
b5406408a5b308687e476a415ffd52759b519bdbe9bddc930cfe2daf127b01596279bbb7f12a7c605b8ca736c628cd25962ef5a503ddc7cf5ee9eaf77e494806

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
128KB

MD5
99ece838a7c584e1b03722824a012c14

SHA1
d0b6dbf9c3ed5ff25bc1dc3d3529785f9acdabe9

SHA256
6b660b1d18d9cbd3edc7d8926f5fe4b09f195e004d997ee95d153ae3be0ae42c

SHA512
289e5e187f60a97bb9efba8e7acf8c895a45e3338ba036cc6490620f79c3cb0d5cec0bef372b4f378a5672203cb99d7e4db776bc28821db73f27edeb33708005

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
128KB

MD5
447bf20d88d99168fbfe70fe00dff21c

SHA1
44b113e31418ee2ca525251dbfbeb13bdcaf272b

SHA256
4c6f9afbde0ec85241d44198a0994cf40e454bd9549325a57187705f6a59d05b

SHA512
a65edc3898ac944ab55710ba4f2084a56c0e51432d8ade1dd495c560d68dc7fc77e9d4357c7aebd762dda135f13a3aa5654e7580664c35c62216ff16f038ec6c

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
128KB

MD5
1370326a385cf173f15974b5fe76b589

SHA1
5ebe4bd4eac3627c353403628fc71235c4a7a108

SHA256
7f580819bf51906ace7cd5f18ef1f7f9b73b35dcb861966085d1ac52f2ee66b6

SHA512
ac0c381aad262f08827e5fc67830d813d71964a9d6c25844f3b96a9498dc45edccdf271906da9c5159bf8656019bbe9c357b6cd381b5222ae3a42fcf3ea0d26b

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
128KB

MD5
d39f01be9cd8ed86fdd8596a02423544

SHA1
17f5551b9ef4bdcb4598da1a2b11393057f084a4

SHA256
80d5cb83b3ad685654888ab5685eb8495ae7c10c3a1753a7e4acd18e95ac2cd0

SHA512
ffa41335eaec9b9d9bd9e82f25fb4683f74e57a5fcdbe8db4f15f1a24b23fc7bc2255e991293db8d6b433c8062123f45a28ace7e2e48e4ac2f40e3306fd884bd

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
128KB

MD5
93acf2e62683290c203bd869ae9e383e

SHA1
3dcb0e3fd2f2973265d2c37d291be8cf021f2905

SHA256
27a1fe1f22d5e6f23329f9b69a283ee3bad88eff63b4ea97b6f9ae9c5bfe8013

SHA512
0374ad1433b2bd855d3b650feb2f681259138e0ef890feacf52817e55fc5f20463b00097be66c41e222fa4a66f1838f72ab34daee30220a7f3d97aaf37490a2e

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
128KB

MD5
81800080ac311335d6e2cae65ceafa54

SHA1
6e445e488e8deadc177282906f7ba24ee5f3448b

SHA256
8ec09892eba57cb5a150cb0a351a1f25243c1c81d3fd77bb8e3eade6b6866a7d

SHA512
3eefaf11b841cff859dc59d49f6ad0e7d51562ac6e37e03457f9b8f307be1bd6f4ffd58ca3351a198d8bf0e22c78e8f255a7906a46a7600a1dc819712dc2135a

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
128KB

MD5
62b9f813430b9e4f25054adf288edac5

SHA1
e8f134b4e600d7a66d2418d549485c13763e738c

SHA256
08463de509d116d6768f5ff45860381a875ce58d4e5e6b4fc004126e33fa64de

SHA512
6e3d000e4a6f214c4edbb5f49ad2f51a02450d58c0165b351fd8f161956d582d3dc5a4cdb6a9ba80cc720f235ce9c42e238b7f9b4911f443c3ecffceb1c91b5b

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
128KB

MD5
27dbfa232eb89adeb50fcff56568d86c

SHA1
eecf57bfde4a96d1813fdff2e45c98bb5cce07b9

SHA256
fb8e41cc9ab1de6858d0b19ce757a475a9b69013347254ca205ce8511c73856b

SHA512
bd00aaa707331ebdfbb93d43d44576e78865cf876299c0e0d175f1772a14ccbb764a4246a04cdadc5e69bb79448ea37628fa5daa9e979dc42a637828e854fcd0

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
128KB

MD5
429f636c3b7126fce98307755c4006f7

SHA1
c52e8c7083577d3bb70cc530521c25156eced590

SHA256
1609709863969fcc6b2d8ebaad784f238b6efeca54be1cd453c3efd6cfc8bd9d

SHA512
1fcf86157d2215c831d3a9afc60ad7c6e1264f4c272fd36bcf9237f25c19f75d074ab1ebb042aae1cb9de98d2d099a685c188fef986eb2f0eef8800644abbf54

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
128KB

MD5
47003d87033ad133aecdf11adc8096ae

SHA1
9c9be0a05d2748aa00d522d3ae5f22a237d8b50f

SHA256
ca7784cedc82f0804b7461461874723c87db03bfbcba6157d63f41d9650063c8

SHA512
eae44bead7d1c65a84e213f13b6db1f8894909ea50df854e1bf67e03213fd20676e7386177d1bd6e652622a2cd14e747f086c9fbf9f604d3dcc8b6ef9e62e816

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
128KB

MD5
b2e7f51bda7f916c8532a83ac6b95367

SHA1
cda5e1589a6252d2caef74d499320c229331a2df

SHA256
a1997ec0fe0f53776ae4abab0d42e4363448bca5c28ba00dfa665b511986b085

SHA512
de0e9f4180134e39ab0d950dffc96fce8bbbe66c9103bea0b06df6e2c0769938528a834847ac71895c0704cc4203259e65c0390c93eb29592cc0b42782b299fd

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
128KB

MD5
7f0019741c00d01156556999a9dbc83f

SHA1
96714d480505a2f811549549495b89fd59ce9302

SHA256
d9df22ec11612efd6492110014d9c840c35ca38bb7330e20c348ee270f2234b6

SHA512
02376960980957dbe8719d2f6c2b60f2c9ea132dd0b434ee179738203097d8e6b51c409e101c64c6e7aa6788e787a1cdbf52f2b1fad1a8962850b5a713d2b2d7

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
128KB

MD5
62df8c2d622246000c666f8d77fbf92c

SHA1
986dcd07901a83d2aee068c54495635f2dd8eddd

SHA256
bafbb2d39c799fcc7141ad5700f4f5ce03a314a7a0acbb5ea106da521df9a4c8

SHA512
378712356ac2d8e9e9b4885564ae186d64117aae4bc41a79768691716622f57ec040e9d5ab1557107110b7caec2b141a0fb554981a69e6412f294c02343d0dfe

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
128KB

MD5
59485f664be58f47623de2666d98a884

SHA1
687404997928affb9bfb4b236d554ea51960693a

SHA256
e26401882fed0478627b05099935c54154bc39feaa3064b201ffb5bc3b66a77c

SHA512
982ec052d3706a5ce995812af54acf06c94ce76371469c42c1a3e5d9a35ab8c74ffb03bdfcf6d0376816b379bc8f00ddf0570e27799638fe754d7bc4f9f5cc7f

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
128KB

MD5
7ef296cf564bce506db721b68ff038be

SHA1
1d8d7bb2ec026f925dafefe4692f18ee1c8f3d0e

SHA256
86c7bd1caa77ca4bddd26db217d93d645f89c544d5f4f7187a4bf1dceaa4c1f6

SHA512
b1d4aad232f3bcc43796e30e650ab15bc36de5e026da104ac3c78ba3d09c93bd05e9cb0e03439b00486f11e6504d02d41a33b56b66b49d09d3fdad288c350cce

Download Submit
memory/596-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/596-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-243-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/704-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-446-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/924-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-280-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1056-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-491-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1160-172-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1160-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-262-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1388-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-477-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1580-197-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1580-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-334-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1596-335-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1596-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-383-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1672-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-306-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1736-304-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1736-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-293-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1784-294-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1784-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-359-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1920-361-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2056-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-224-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2080-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-439-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2132-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-315-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2164-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-316-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2216-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-492-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2252-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-435-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2260-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-147-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2316-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-216-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2548-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-349-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2612-348-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2660-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-63-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2660-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-410-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2772-426-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2772-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-393-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2836-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-53-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2836-52-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2840-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2840-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2840-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-337-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2856-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-338-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2864-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-428-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2916-90-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2916-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-35-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-403-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3024-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads