507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
Size

80KB
MD5

ae20a25a0c805beb5bc9b188df1a8e39
SHA1

faf38aa146221fe6d4d5064e2cddfa0fefe5e281
SHA256

507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b
SHA512

bc431ac425f7f3e3417c9d1a15697a848794a5a045721f946b1f5cd88e593ff40bc46d85cf8529100b6091f2eb6543ef6db4d1aa0278c7ecd82c368fff1b710e
SSDEEP

1536:IhVtqkOyfVjH+oklY5ssartpRnqfJHXo2LjS5DUHRbPa9b6i+sIk:IftfOy9jHilY5sskpUfJHJjS5DSCopsX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe

Executes dropped EXE 64 IoCs

pid	Process
2172	Pjbcplpe.exe
4696	Pmpolgoi.exe
4480	Ppolhcnm.exe
1284	Phfcipoo.exe
3288	Pnplfj32.exe
3636	Panhbfep.exe
3464	Pdmdnadc.exe
1324	Qfkqjmdg.exe
3764	Qmeigg32.exe
1032	Qaqegecm.exe
3404	Qdoacabq.exe
3320	Qfmmplad.exe
1912	Qodeajbg.exe
1680	Qacameaj.exe
796	Ahmjjoig.exe
4692	Akkffkhk.exe
1548	Amjbbfgo.exe
2332	Aphnnafb.exe
636	Afbgkl32.exe
1248	Amlogfel.exe
2720	Apjkcadp.exe
4008	Ahaceo32.exe
3932	Aokkahlo.exe
2244	Aajhndkb.exe
2592	Baannc32.exe
3276	Bgnffj32.exe
2960	Bmhocd32.exe
408	Bdagpnbk.exe
808	Bhmbqm32.exe
5052	Bogkmgba.exe
4016	Baegibae.exe
4972	Bddcenpi.exe
4000	Bgbpaipl.exe
4616	Bknlbhhe.exe
1940	Bnlhncgi.exe
2612	Bpkdjofm.exe
812	Bdfpkm32.exe
3344	Bgelgi32.exe
2900	Boldhf32.exe
1968	Bnoddcef.exe
1648	Cpmapodj.exe
4528	Chdialdl.exe
5048	Cggimh32.exe
4372	Conanfli.exe
2956	Cammjakm.exe
4784	Cponen32.exe
5064	Chfegk32.exe
3224	Ckebcg32.exe
732	Coqncejg.exe
908	Caojpaij.exe
2032	Cpbjkn32.exe
4832	Chiblk32.exe
1820	Ckgohf32.exe
3268	Cocjiehd.exe
1076	Caageq32.exe
2392	Cdpcal32.exe
2668	Chkobkod.exe
5100	Ckjknfnh.exe
2928	Coegoe32.exe
4720	Cacckp32.exe
2128	Cdbpgl32.exe
4552	Cklhcfle.exe
2000	Cogddd32.exe
3688	Dafppp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pmpolgoi.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Pjbcplpe.exe	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Coqncejg.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Coegoe32.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Amlogfel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1372	624	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll"	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2172	4840	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe	84
PID 4840 wrote to memory of 2172	4840	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe	84
PID 4840 wrote to memory of 2172	4840	507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe	84
PID 2172 wrote to memory of 4696	2172	Pjbcplpe.exe	85
PID 2172 wrote to memory of 4696	2172	Pjbcplpe.exe	85
PID 2172 wrote to memory of 4696	2172	Pjbcplpe.exe	85
PID 4696 wrote to memory of 4480	4696	Pmpolgoi.exe	86
PID 4696 wrote to memory of 4480	4696	Pmpolgoi.exe	86
PID 4696 wrote to memory of 4480	4696	Pmpolgoi.exe	86
PID 4480 wrote to memory of 1284	4480	Ppolhcnm.exe	87
PID 4480 wrote to memory of 1284	4480	Ppolhcnm.exe	87
PID 4480 wrote to memory of 1284	4480	Ppolhcnm.exe	87
PID 1284 wrote to memory of 3288	1284	Phfcipoo.exe	89
PID 1284 wrote to memory of 3288	1284	Phfcipoo.exe	89
PID 1284 wrote to memory of 3288	1284	Phfcipoo.exe	89
PID 3288 wrote to memory of 3636	3288	Pnplfj32.exe	90
PID 3288 wrote to memory of 3636	3288	Pnplfj32.exe	90
PID 3288 wrote to memory of 3636	3288	Pnplfj32.exe	90
PID 3636 wrote to memory of 3464	3636	Panhbfep.exe	91
PID 3636 wrote to memory of 3464	3636	Panhbfep.exe	91
PID 3636 wrote to memory of 3464	3636	Panhbfep.exe	91
PID 3464 wrote to memory of 1324	3464	Pdmdnadc.exe	92
PID 3464 wrote to memory of 1324	3464	Pdmdnadc.exe	92
PID 3464 wrote to memory of 1324	3464	Pdmdnadc.exe	92
PID 1324 wrote to memory of 3764	1324	Qfkqjmdg.exe	93
PID 1324 wrote to memory of 3764	1324	Qfkqjmdg.exe	93
PID 1324 wrote to memory of 3764	1324	Qfkqjmdg.exe	93
PID 3764 wrote to memory of 1032	3764	Qmeigg32.exe	94
PID 3764 wrote to memory of 1032	3764	Qmeigg32.exe	94
PID 3764 wrote to memory of 1032	3764	Qmeigg32.exe	94
PID 1032 wrote to memory of 3404	1032	Qaqegecm.exe	95
PID 1032 wrote to memory of 3404	1032	Qaqegecm.exe	95
PID 1032 wrote to memory of 3404	1032	Qaqegecm.exe	95
PID 3404 wrote to memory of 3320	3404	Qdoacabq.exe	96
PID 3404 wrote to memory of 3320	3404	Qdoacabq.exe	96
PID 3404 wrote to memory of 3320	3404	Qdoacabq.exe	96
PID 3320 wrote to memory of 1912	3320	Qfmmplad.exe	97
PID 3320 wrote to memory of 1912	3320	Qfmmplad.exe	97
PID 3320 wrote to memory of 1912	3320	Qfmmplad.exe	97
PID 1912 wrote to memory of 1680	1912	Qodeajbg.exe	98
PID 1912 wrote to memory of 1680	1912	Qodeajbg.exe	98
PID 1912 wrote to memory of 1680	1912	Qodeajbg.exe	98
PID 1680 wrote to memory of 796	1680	Qacameaj.exe	99
PID 1680 wrote to memory of 796	1680	Qacameaj.exe	99
PID 1680 wrote to memory of 796	1680	Qacameaj.exe	99
PID 796 wrote to memory of 4692	796	Ahmjjoig.exe	100
PID 796 wrote to memory of 4692	796	Ahmjjoig.exe	100
PID 796 wrote to memory of 4692	796	Ahmjjoig.exe	100
PID 4692 wrote to memory of 1548	4692	Akkffkhk.exe	101
PID 4692 wrote to memory of 1548	4692	Akkffkhk.exe	101
PID 4692 wrote to memory of 1548	4692	Akkffkhk.exe	101
PID 1548 wrote to memory of 2332	1548	Amjbbfgo.exe	102
PID 1548 wrote to memory of 2332	1548	Amjbbfgo.exe	102
PID 1548 wrote to memory of 2332	1548	Amjbbfgo.exe	102
PID 2332 wrote to memory of 636	2332	Aphnnafb.exe	103
PID 2332 wrote to memory of 636	2332	Aphnnafb.exe	103
PID 2332 wrote to memory of 636	2332	Aphnnafb.exe	103
PID 636 wrote to memory of 1248	636	Afbgkl32.exe	104
PID 636 wrote to memory of 1248	636	Afbgkl32.exe	104
PID 636 wrote to memory of 1248	636	Afbgkl32.exe	104
PID 1248 wrote to memory of 2720	1248	Amlogfel.exe	105
PID 1248 wrote to memory of 2720	1248	Amlogfel.exe	105
PID 1248 wrote to memory of 2720	1248	Amlogfel.exe	105
PID 2720 wrote to memory of 4008	2720	Apjkcadp.exe	106

C:\Users\Admin\AppData\Local\Temp\507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe
"C:\Users\Admin\AppData\Local\Temp\507d63401790d0797fb494cb42fa4ee2c452dcb90bf02fd9e5f6f6dacf28b61b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\Pjbcplpe.exe
  C:\Windows\system32\Pjbcplpe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Pmpolgoi.exe
    C:\Windows\system32\Pmpolgoi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\Ppolhcnm.exe
      C:\Windows\system32\Ppolhcnm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:312
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 224
        73⤵
        Program crash
        
        PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 624 -ip 624
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
80KB

MD5
a90028b2b236f9e8fd13e2da5445557a

SHA1
55b55719c9bfeeb4816881b41198db5d2b7edf3e

SHA256
50dfdee8e9f7a0c714cf43012cb80be1192e29ebe1fe41e00818e1c1a50879c2

SHA512
1f4682b0b1c9ba71248324637e77f0663ebac91f642edf502bb39bd1a45aebd4eda892e393114383f08eeb0079b177af18105504dd648cc3ce89ca2dfee0d474

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
80KB

MD5
fb854fbdc97bded065504b64c72dd5a6

SHA1
f9e33cc9c80706d8bfecd337fbfb45f2e4d9ac43

SHA256
76e440e8172c3d6a5867b992c28e46c5b7f4300bf3bc4dd28dab8b529e7a0850

SHA512
2b98d6ae4296c13515338d47d12ff58e45c6d3a92b1a25d718e24855b4002961a160da47b331846ac8b2f82bc2495c2c18f1f3a85583798e8b2d49fbe21c49ef

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
80KB

MD5
8c0862ef47e010a9d2b37b9a6da3b492

SHA1
880de73e94b25fe85907b6aa22d8608124319613

SHA256
8b4c5545f32f46ae0b147ac145cdb66b7ffc7f761741c2413ef67faf4f2270ff

SHA512
6d74848e157d86749298fc70b26d7fb2526b3e8954c396982ea0113640f4b8a369bf8051ab80fe74f31a5d2d3b4ed21288f03611d6ee344795c99bc78621fbd4

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
80KB

MD5
553d3d94335f0e7a13de51a8f384d63b

SHA1
15132bfc133cca1f00e3f48e9a4ac520d293da4b

SHA256
c79fcea22c4beca0889f09e8a546945f17c60b9456ec11e979f7147c84d90268

SHA512
217bad433a06b75c54e07c1d645f97cc48f9d6c2f5d229c7b32c494e2641337faaa50d53ccc74e576e5245e43b80c59a36c6ac4d7cb7b1d5d5faa6a6b07dee35

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
80KB

MD5
f6c811be82731b9c9dd409aa6b3b54c0

SHA1
7ff20345906db1707f30dff9f3997c829d40faa2

SHA256
12108d6039fc6ac639069fe4d049aeab80a2ed9101e527808a40930552800358

SHA512
adedc5bf5dec63357d60810099c12d091851cd8f7ae178f6d7ffeffed4e880f659b4ff5f0bcc90799171873c05e1b376c5d7501c7186210b1020c161d2cb9782

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
80KB

MD5
61d625aafa5cb919515fbb6b8dc028b3

SHA1
6db2a1b001f51471b846e668fb1646a8268919b8

SHA256
07520eb43c3f509bbabe814dd2e145b848bb8a47057f85a7fb7d21b2e495e32c

SHA512
d2baf8cd313fd7ecb00030a92be4f1a6a07014a34edb844123a2509d6f5c8c47976bfb6fb37de5c9919ec9b01d0a586b28da2bed85ee418763032d815dc0c803

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
80KB

MD5
b1c38d6cfcacfeaebcce373e5fcf4c4f

SHA1
cd9a47ee5448a6e4e74c58d6a0ad3ea365aca450

SHA256
403f658c43752a3361a4599f2f46be6818531536f41b7fa24c87f3ca8e9657c6

SHA512
846593f993a86525134ad500c2e4e403f8a999a26f1553cf6d39f5ca0cede6f6cbe81dd8246accea36a5e25fd4164eb7bb9923a6396bf0d2566c8854ed1c0d5d

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
80KB

MD5
9c3658c947b979f0a939b2b42160af76

SHA1
c7104597db390db34fb2c16c49fafb341e9a7c1c

SHA256
92d3c059f959434c80444430e7286004b93a5a8105f648f659d437f056218a5a

SHA512
9dff2d4bed7943cf27d5246b2dd41684daaa19db4e2d2fb9293cc4defef69b513111db64403686e36e634e1a7b34e5d8a595f7d3826d1cba6a529165058814f9

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
80KB

MD5
e4317e5fa4da0549b14f9a8c91bce941

SHA1
c0c78ff287581f69fbcb0c6181fb568b186efa35

SHA256
2443acef25d2810f3f5a55fe83c847cd5293f3a728cf463ef1a3ae0ebc6307b8

SHA512
03a4a230beb201678407e26ab4929a0f4559915a012420bfcc68b4bf3b0c9a71082eb9abe07b62d6f6a23eaefce050c9a32836d6dbece115c7dd2a3df952e290

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
80KB

MD5
efe0eff4a00b245d5c5bd5228b249fef

SHA1
a1724e81d9db199c3e17383a21a46cd73e57bcdd

SHA256
94233bd7af25cf5fc8b63855884053977c5e62c80f7cba39bd68e18dd8a42f4b

SHA512
4f023d8ed94a16d9b9645e92cafa95c14afafb81b5263ae698b67900d92b26d5f5dc8132707e30d6b47cae0fd46a67592ad5876ebe23d274d7a99cd1fedc46ca

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
80KB

MD5
01bbb18c149c449e23347e8b942e186d

SHA1
abf2731749fcfecc0ecea4e324fd856e099befe1

SHA256
bdfaaaee4084b293e87b1b42bd2e9bcaccd97ba7e2c438f33930053402b8ef00

SHA512
c41ae05e386d41fcef68e7aaa6fa478a901a56a1ad6f889f79dd1fcdccfa0f08f47048235da3e2796251821bf2058d4b5d5e1d9b55c3a7e07fec39d5d8ce9240

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
80KB

MD5
515a6c3ccfcd12863885c23ae17419f6

SHA1
42160163fa23b6298be184cb77121c91110a91d7

SHA256
8b9160d7656587f520c7e3baa84efb447b62bf3cb9d9a5cf7ebbd6b22572f4ad

SHA512
3ff9970b74924b88c89a2c1ac70e3278c9540624b36843e280f329c82517f134a9f75019002633dc4745bcf7e8631353f0dff2fac3300aee78e598c745a5eaf4

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
80KB

MD5
6dc140a8754ce64a792b4d9b267f9b82

SHA1
e1c58fc2a6029d911b585faa0a13caf37eec142f

SHA256
006f973504aec0086da810e635eebd2b3dae1b22bf07bde6ca4d3895b8da28f7

SHA512
fffc5d45a2d2b157452371f663d3779ee8cf59cc3322e74fc0277e09dca42764ee45bb72691a65a5fa0fad3ac591f05481b1205ef9b1af5b7124881c2add2ee8

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
80KB

MD5
3bba308ab9089526ff4dac902a96ab8f

SHA1
bfc1d07b48f2785a1bf7cc1862ec8e67c4af8e4f

SHA256
b128ee87924217c52d74f050129ffd2401dc6fd1e194db3ac7bea9853c8004b1

SHA512
ce653b5c7d09c111acc8044ab3ed92759414e3badeba5deff60175728ab554960873a462cd6250c96f85bfb53e6ef64834655b67a9d1242ccea33d6fe60c7131

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
80KB

MD5
f99af115e930d3d0e783f2340cba52ef

SHA1
215b9357e9428c9ebcc1002a641553761c1b591c

SHA256
06d8bd63c0e62d2ab4f09528e0d32be3e13d5bdc9bd36d80666bb85985e2c013

SHA512
26722a14d7d8ab808ca82dc196d9f8aae2c080f96c0484a2568c4382b61643cf9847003f923a61ca63bdf4f84cd7fd6a185c27a1007e134108ec7d89124afe6a

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
80KB

MD5
f5d32376cf46a9e8f0ee9f57bf5f1846

SHA1
f8557c7b0e8354c165d3e7e2ccd8cd34b58b1b85

SHA256
ab74d533c308a80005f0c0f42af02173e86729a879b6eee4859095bb73f63edb

SHA512
f32a2c32e1873d713344dea800aa5d83eac8c2e5fd468f06042e9446d4ec510437c8674c2db933c2032efd1b1befa76758d7558815fe06f86eeeea74ee09134b

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
80KB

MD5
5e5c466cd8a91b62af8603bd7043ae54

SHA1
ba2cd036f75156ebac869a0a9c763f43cb43cea5

SHA256
1341cb2952bc34dd1ed07f43a306ca13d8216dcf5cb8a13ef93586e49fe07a6b

SHA512
346c62d2e60d171a870e2bd050cc6ccc7912fe3cd431394b970efadbcdb7edeee4237021669b1f30fd582b304fa98c8e8b090501bdb8d108face0a49c70b3d9a

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
80KB

MD5
6d598b919a43ad6e436c15b98e24da74

SHA1
08fee3dae8d32f9e815cc5ba7256b1a812cf1dea

SHA256
37e821210a390a1e692dbfbd8bc4db1bf1d74129e9b5097235d568bde2dcf88a

SHA512
d31c7de38f4187b6d00b2d97bfe553a1c04868fe1133a54b4316892b573617eb93ee960031f40d618fb0b60e25454e8ff0395fbe4aa7f580b0e3f68bd0d8f726

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
80KB

MD5
e00c9e0b3483e768038636d7aa018a13

SHA1
8f5e8dae3eaef00610a9840ea2dc4aab979ddb16

SHA256
82b7bb0742e5607504c14585e397d9ac75a19a668b7c069fa3f60c7918a4b3e0

SHA512
7998d1fbfa08f0270d37c03b2ecd0b2d941a8ebeb5448e11012f9c1add6752c3b299f5474f397c9750c0f161a382b5f696f64e97cac6d6d2efc6d683718ed60c

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
80KB

MD5
932c8fc0a2fb1f99fda2c2e5d5a4e48e

SHA1
78efbb37eceba75e3510484de492631ffbc6a591

SHA256
7050dd962c8c37eea78455d07919d8b3b0edd8f127e2fbcb7e75f91548a443cb

SHA512
3262baebce8bc59f928a1f9397971b172d3025b6b66c2cb3e15a9ffc4b22eb51d38a2915190a506e7a16429e9879e93d8e1d6236ebf03b20c470f7474f85b5a5

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
80KB

MD5
5c0607ad8d5c171c99368bb1647a7295

SHA1
d2fa42edd6e41c4b5f3352cafe56cadf60e5c812

SHA256
8272963e6fb55fc48252ff955501f02d4610e7363d4d6edc01ff02a80a9ac1ba

SHA512
82c136425efcf7cb6373a9a035beb3e41cdc59b18bd8cc0ba005cc323cd09a7dcd6ea3e9b224869d0152bc039cddaaf022f7fae93ddce48001ff9720aa9bce63

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
80KB

MD5
ef00f8ff237c7e1b72421b478148b7b3

SHA1
3245a40f91b536f1ba96e0ad2e16298e9e05ce9b

SHA256
310e9633800caed05c2b07be9240473340d21c73db673c048cecf31cc8de01f2

SHA512
806c31d64a76001facee752e1d826a770a0ea4c5476f557dca53848fb0163c23399e722c141c1bad742c5fa83e85bb911c23f4cc432410574ea4a57ef16d7a4b

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
80KB

MD5
7f5be958c9e16dad17ed1eba891ffd74

SHA1
ed3ccfb32647074e6b240dda37ca2386b8e37965

SHA256
1bc9a63029c46c35cd96bbf2db3767b0f1719d0bf014e9f7c6923ad3748e1388

SHA512
ae7f1270b38d072fca4e5b7e0d61c3af8851caf8b8f493f90ca4ea40b1dadc89b0c856002795ce1737b19f0e0c66de3da58b06ad97a00e5aed86bdcf63bfac69

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
80KB

MD5
e37422c891107e2acde26384f957edc9

SHA1
6510e15078197c787dc3713adee6a47c1910c963

SHA256
7f79021928dfacbf966135850af0ec83c1cee48ab3f0d38d6a92d32616e611c5

SHA512
275923f76fab986e0254a99083e1dfbd3aa32355433072f8822b29edbd89921176111e036244fd85baea8ce738cefe6c2581250746af7ca7913d84d74bf5db3d

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
80KB

MD5
f55086e12fc8fb768e49601bff8db58c

SHA1
9d4ff55f7aecf4349e3b2f6d3ab624bf17a985cb

SHA256
3c95eb951af6f4a5fdec4867bc71b06a2fb5b1502e90d32a46434faa3414e64e

SHA512
c492fd385b9023c9684c1b7d780d7d345290c9c5826a71dbd1d7c1dc7919ac0d4d6b0b6943fa16ce51dff4acb638630521d1e1e09e4f09526e5a01d7810c50de

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
80KB

MD5
87eead93f286096e105045cbd6fbfb64

SHA1
05d93e5e001f96033e58d9acc3e0df53e4886fb0

SHA256
61cab674c77aa27021954ea6c6bae1697e120dee3f1ef20fa57a0bfe926e72e1

SHA512
09bc3c9dc11d77b8aaa785ba7db0824f577ff4cd287ce021e38ccef9d35addcf40a2a72b23394b6678e149e194b150fb0a8ad43b7c8e545c42a9642dde914caf

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
80KB

MD5
5d6efcc6ef5ec179190bd4f2c8004744

SHA1
1a1f7db88f691d5f281135c1626bde64fe6fb69c

SHA256
a3aeed62e6650a957c8fa78fd639143e75cc36c5b58e46c617b7cfcd08469d2b

SHA512
4543a18d45337eca50f805c70a8f3d8bc4204162bb9aaf9d49e446b3804db8d457be01a0b0d83791fbc8799fce9caf728994401edc7a5e596459f6569a4ec1a6

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
80KB

MD5
010d13bff3574fa73fe7aa9334ad4581

SHA1
acd479ea82b934e15520de48ea51b45d982f6c34

SHA256
730821af847a538be8e7a8e3b1d3315c012051e21c28651d8bc25335ff26b161

SHA512
0350e3da374347a8e11ddb1aff72ca20144cc87736687811a147e9424c50204e272b8b27693ed64f5035ce1c6403f0a3d48432591e5a0e1603c1dc722a183a5c

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
80KB

MD5
8f9973751d3edcee240c9bef4ef7917c

SHA1
30bbb2f9b63d691b72c27e840058a4eaa05189a6

SHA256
1002cf5bb379d5454d4866bf98d26889ca0e374178de91867144dd0535fbdb83

SHA512
3108486bbbbfeb7ec11308e9d47e50947dfe77d6791f9f748711277c07a094a672516ea9e72c769b864ac39659e3588c5396f63624afa02fe5cc8633ad7b199c

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
80KB

MD5
75fcd976fcaefa2740963cd9db5081b9

SHA1
49f95c72b2df210a2c9a38f3c4a1f40f8a054cc8

SHA256
c487a9af9b99bb03e74606c16eaf62fd2769afe59e43c96075a0c1228979402a

SHA512
15b49dffa20255d236649c157cbbafe064adb2fb8f2a00b111dfcee26ddc93df9257b7f65032109254c68c9271a05d456630e811cb8cdf639213940864fb5747

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
80KB

MD5
8556535405a657371de3d98017602412

SHA1
0ac3deabba8cdb73dd85c273c3d089fe094343ae

SHA256
6d9fac15afee1d3e33ed563e69588d0de266494bad7844815d32513d726118cb

SHA512
d7118eae6bed962ab885d62df7d388f8ecc210006fa4abc92d2b9bb7dd6f0a487404768f4ac107a435ce40acf5a9ba2f91c824606011a69bab504e78f2ddaeff

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
80KB

MD5
89905969b257ab5ef8c263df6ca8ba1c

SHA1
5dc008eb74e0085575b599e6c6334de85bc71a92

SHA256
555168b20634a6d5b199d045ab5c26d8a3eb528ef3132daa8d8b4001b038c5b6

SHA512
b172f5d81242385d2f8231bcad788d0c7327a1861d16a084725df0575e19dfacc86b3824b6a17390c6f04960bc19d690f4977f90e2a49f056d16a4953046a81d

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
80KB

MD5
97abeed26096d20e0f2eaafcdab0416a

SHA1
6b0d9a58220d2115c83ac1e4e050f42b8015c8a4

SHA256
9ed1ea1cb86d94d02af671143b0df5a91964dba7ab81a4d03e8976d1bb295080

SHA512
c628a40c92aff478556ef83ee009a133fa9c0dd652c056ada2b27280e53e229e94b81c931c18a337d8fda8339bd85514d03847d897214f5dfb498ed465cf5223

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
80KB

MD5
45cb6b366213ed903d690599c4ae3bde

SHA1
6a9d35fd0202002c2dc3d5fc828a45fc83bbf9e5

SHA256
985967d708850e636a09ac259a6d57a309808d274d5562385cf09c2b3ec61c16

SHA512
f2f14ed96025dbce3d8d71fcfae5c2aa8fd1d3093490edbc7756fada009f13835f7289e9236140e0dec6cb2af458bf453f1181761ff48b7afd6f6fe1286a306e

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
80KB

MD5
6d16232598ffe53f396a8f2a63b44032

SHA1
2f127fc306d40d7808bb08dbf6ae50d07f38ba4a

SHA256
b6b05fe388c8c1154dac0732e4cfc78a3894ab1d98324e9e8f42f41812eebe10

SHA512
d419f731c185cd8e75b3b4a6ca8d1fd4308142ec69b75d2c376f29e567147614bc0c695a56a04efc0fce1a7f71ae8eeb490d783a271e8c2c9c5b164a95161c5f

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
80KB

MD5
d15bc3cdaba3a6bbdb1c2ab1f5c3194b

SHA1
f8e0f5f12d6bb16acd911804f0d994f17fb8ab7c

SHA256
163613f5370f23c4af01fc61245a89c0010da8931764f637707debd25f412c5d

SHA512
879bfea0f463a4de5f3868f7b1ad034ca5bed4a4a1888b212625212d1e4eca5d14b1ee4acdcba908cfcb5a8b832dadf4d232d8c8c44083d007cf13930372d647

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
80KB

MD5
fc7f0e1f973ac02d3bf73ba55ac8265d

SHA1
eba1b93d1862f35fa7274377564105d59006768c

SHA256
40618b25927fe24883cda11c49d08f7a4d962c5744c2a0e851dc2fc4b35cddc0

SHA512
bccbf19274c978c1612243313c2975c70b1f5afbfe84f8696282b9b32be918f2b6008105b90a13db0348bf54ba0a8faee24a6555110bf6bc34550cc8c62ec7ef

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
80KB

MD5
214cdf91a9dd46f5f94a9a7a4197563c

SHA1
1a9502ec2017977e63ffe9f9f203b37cd3ab15ed

SHA256
e4239b3a76faedd2ba30cd9575361975fb3dc5c19106a39b69a1327bb7c55e69

SHA512
458369c6b213d874e031f1f250e2df3a647854f1fe8a588e0fe68663d53fd19dcb4c7dbfe998d091e3ee1c7fb259adc52b1e75fbc4c2dff445aa02754944092b

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
80KB

MD5
1ada4cea22433d6fc23e7684da18b843

SHA1
be62e954c2979f2cb3438665b9fbb451aa2c11ea

SHA256
bed9f2973061be98172365388970a1eba5048eac591e9bd0c9f27256e50cbdfa

SHA512
30d1f56f1184edb436d271ff9dcf488614510135aac1d76d51125fbbcdf7adeb8c53a31ae81f065589b086843ce487d46fa2b40296a84f580c2651a40754d96d

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
80KB

MD5
d8fd900cd27f480d2c482936434b842b

SHA1
3d5855f172b0b5dea543e42b6cba05f487b0e74b

SHA256
a4d27477c334f2b45972b3f6191cf75f6c5592d76bd69827f31850ab02d6f8b1

SHA512
50b6ba9dde6e034eba75349753d8ea43216f361302dc55254b328449a4a9c8755809b5170ff4ed5c96db807aa8268233c79379477501bafc8ac8ef86041fea4f

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
80KB

MD5
0730bcadd1e630a96aeb313056519521

SHA1
95a116f6e7c51db6be4afaf07a0d367eb42a164d

SHA256
0b376748016547315f8bf2b9b1ef4b39b48659333c2d2cfa19fa4082a61cb952

SHA512
84c6208cb2f61ff5ef1e079edf9965758e329e99ace380756cf6a99ea29997edd30421e11f458b5cb0603d1b99a897c57febc50e99a6ee1b8747f2b7498dcf0f

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
80KB

MD5
2b486e47c040619e90475e88496ca2ff

SHA1
b7b73b15d409f9dccb96a8ca85df5c351e4298c9

SHA256
7778b075ee7b61ae0c45d6f28045c5feba00a013c7350822754c51a2779e101b

SHA512
2be2b076c514f20e980c8a6e45343fcae64286af59e35f9ccc6570ff736a8485ec41744b8b13fc61a48739b1386678f184930c4353157b00f2c4997e924688bd

Download Submit
memory/312-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/312-494-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/408-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/808-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/812-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-505-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-499-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3224-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3224-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3268-393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3288-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3320-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4692-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4972-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads