bea2deb22a3eae5d626328e7e1c620034947eb7f60e3795cadedeac682f151ec

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 13:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e1008eb5f8ad939c33dd97c3341d070N.exe
Size

378KB
MD5

8e1008eb5f8ad939c33dd97c3341d070
SHA1

9b53d6e384a87527c002546a5eae683b574d3d92
SHA256

bea2deb22a3eae5d626328e7e1c620034947eb7f60e3795cadedeac682f151ec
SHA512

939caf654809e80d4e9e1b89b482979451e2a4875c028f58da3bc8403550c0c27ca3bff2f6fb010c6ea5080a658a0a13b8af622d5f6b3453b1a4e0f764bef3c9
SSDEEP

6144:s7TwV1oZ+2prtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5V0lt:s3MCzRMsEat9pG4l+0K7WHT91M52vVAe

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe

Executes dropped EXE 64 IoCs

pid	Process
1148	Qddfkd32.exe
5024	Qgcbgo32.exe
3972	Adgbpc32.exe
4832	Ajckij32.exe
4788	Aeiofcji.exe
4300	Afjlnk32.exe
800	Anadoi32.exe
4716	Aqppkd32.exe
3420	Acnlgp32.exe
3880	Afmhck32.exe
384	Andqdh32.exe
2440	Aeniabfd.exe
4592	Aglemn32.exe
2128	Ajkaii32.exe
4464	Aminee32.exe
4548	Bebblb32.exe
3472	Bfdodjhm.exe
3400	Baicac32.exe
2828	Bchomn32.exe
3976	Bgcknmop.exe
3160	Bmpcfdmg.exe
2108	Balpgb32.exe
3396	Bcjlcn32.exe
4688	Bgehcmmm.exe
3200	Bfhhoi32.exe
4312	Bjddphlq.exe
1004	Bmbplc32.exe
432	Banllbdn.exe
1048	Beihma32.exe
3584	Bclhhnca.exe
2300	Bhhdil32.exe
4996	Bjfaeh32.exe
3520	Bnbmefbg.exe
1172	Bapiabak.exe
2984	Belebq32.exe
2516	Bcoenmao.exe
3180	Chjaol32.exe
3668	Cjinkg32.exe
3952	Cndikf32.exe
2776	Cmgjgcgo.exe
5028	Cabfga32.exe
4352	Cdabcm32.exe
3836	Chmndlge.exe
3884	Cjkjpgfi.exe
1680	Cnffqf32.exe
4368	Cmiflbel.exe
2596	Caebma32.exe
3356	Cdcoim32.exe
2364	Chokikeb.exe
4240	Cjmgfgdf.exe
2284	Cnicfe32.exe
3744	Cagobalc.exe
3844	Ceckcp32.exe
3876	Chagok32.exe
4612	Cfdhkhjj.exe
2796	Cjpckf32.exe
3144	Cmnpgb32.exe
3172	Cajlhqjp.exe
408	Ceehho32.exe
3108	Chcddk32.exe
2380	Cffdpghg.exe
1492	Cnnlaehj.exe
3772	Cmqmma32.exe
1720	Cegdnopg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	8e1008eb5f8ad939c33dd97c3341d070N.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	3404	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e1008eb5f8ad939c33dd97c3341d070N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1148	804	8e1008eb5f8ad939c33dd97c3341d070N.exe	84
PID 804 wrote to memory of 1148	804	8e1008eb5f8ad939c33dd97c3341d070N.exe	84
PID 804 wrote to memory of 1148	804	8e1008eb5f8ad939c33dd97c3341d070N.exe	84
PID 1148 wrote to memory of 5024	1148	Qddfkd32.exe	85
PID 1148 wrote to memory of 5024	1148	Qddfkd32.exe	85
PID 1148 wrote to memory of 5024	1148	Qddfkd32.exe	85
PID 5024 wrote to memory of 3972	5024	Qgcbgo32.exe	86
PID 5024 wrote to memory of 3972	5024	Qgcbgo32.exe	86
PID 5024 wrote to memory of 3972	5024	Qgcbgo32.exe	86
PID 3972 wrote to memory of 4832	3972	Adgbpc32.exe	87
PID 3972 wrote to memory of 4832	3972	Adgbpc32.exe	87
PID 3972 wrote to memory of 4832	3972	Adgbpc32.exe	87
PID 4832 wrote to memory of 4788	4832	Ajckij32.exe	88
PID 4832 wrote to memory of 4788	4832	Ajckij32.exe	88
PID 4832 wrote to memory of 4788	4832	Ajckij32.exe	88
PID 4788 wrote to memory of 4300	4788	Aeiofcji.exe	89
PID 4788 wrote to memory of 4300	4788	Aeiofcji.exe	89
PID 4788 wrote to memory of 4300	4788	Aeiofcji.exe	89
PID 4300 wrote to memory of 800	4300	Afjlnk32.exe	90
PID 4300 wrote to memory of 800	4300	Afjlnk32.exe	90
PID 4300 wrote to memory of 800	4300	Afjlnk32.exe	90
PID 800 wrote to memory of 4716	800	Anadoi32.exe	92
PID 800 wrote to memory of 4716	800	Anadoi32.exe	92
PID 800 wrote to memory of 4716	800	Anadoi32.exe	92
PID 4716 wrote to memory of 3420	4716	Aqppkd32.exe	93
PID 4716 wrote to memory of 3420	4716	Aqppkd32.exe	93
PID 4716 wrote to memory of 3420	4716	Aqppkd32.exe	93
PID 3420 wrote to memory of 3880	3420	Acnlgp32.exe	94
PID 3420 wrote to memory of 3880	3420	Acnlgp32.exe	94
PID 3420 wrote to memory of 3880	3420	Acnlgp32.exe	94
PID 3880 wrote to memory of 384	3880	Afmhck32.exe	95
PID 3880 wrote to memory of 384	3880	Afmhck32.exe	95
PID 3880 wrote to memory of 384	3880	Afmhck32.exe	95
PID 384 wrote to memory of 2440	384	Andqdh32.exe	96
PID 384 wrote to memory of 2440	384	Andqdh32.exe	96
PID 384 wrote to memory of 2440	384	Andqdh32.exe	96
PID 2440 wrote to memory of 4592	2440	Aeniabfd.exe	97
PID 2440 wrote to memory of 4592	2440	Aeniabfd.exe	97
PID 2440 wrote to memory of 4592	2440	Aeniabfd.exe	97
PID 4592 wrote to memory of 2128	4592	Aglemn32.exe	99
PID 4592 wrote to memory of 2128	4592	Aglemn32.exe	99
PID 4592 wrote to memory of 2128	4592	Aglemn32.exe	99
PID 2128 wrote to memory of 4464	2128	Ajkaii32.exe	101
PID 2128 wrote to memory of 4464	2128	Ajkaii32.exe	101
PID 2128 wrote to memory of 4464	2128	Ajkaii32.exe	101
PID 4464 wrote to memory of 4548	4464	Aminee32.exe	102
PID 4464 wrote to memory of 4548	4464	Aminee32.exe	102
PID 4464 wrote to memory of 4548	4464	Aminee32.exe	102
PID 4548 wrote to memory of 3472	4548	Bebblb32.exe	103
PID 4548 wrote to memory of 3472	4548	Bebblb32.exe	103
PID 4548 wrote to memory of 3472	4548	Bebblb32.exe	103
PID 3472 wrote to memory of 3400	3472	Bfdodjhm.exe	104
PID 3472 wrote to memory of 3400	3472	Bfdodjhm.exe	104
PID 3472 wrote to memory of 3400	3472	Bfdodjhm.exe	104
PID 3400 wrote to memory of 2828	3400	Baicac32.exe	105
PID 3400 wrote to memory of 2828	3400	Baicac32.exe	105
PID 3400 wrote to memory of 2828	3400	Baicac32.exe	105
PID 2828 wrote to memory of 3976	2828	Bchomn32.exe	106
PID 2828 wrote to memory of 3976	2828	Bchomn32.exe	106
PID 2828 wrote to memory of 3976	2828	Bchomn32.exe	106
PID 3976 wrote to memory of 3160	3976	Bgcknmop.exe	107
PID 3976 wrote to memory of 3160	3976	Bgcknmop.exe	107
PID 3976 wrote to memory of 3160	3976	Bgcknmop.exe	107
PID 3160 wrote to memory of 2108	3160	Bmpcfdmg.exe	108

C:\Users\Admin\AppData\Local\Temp\8e1008eb5f8ad939c33dd97c3341d070N.exe
"C:\Users\Admin\AppData\Local\Temp\8e1008eb5f8ad939c33dd97c3341d070N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\Qddfkd32.exe
  C:\Windows\system32\Qddfkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\Qgcbgo32.exe
    C:\Windows\system32\Qgcbgo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\Adgbpc32.exe
      C:\Windows\system32\Adgbpc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1388
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        70⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        78⤵
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 396
        81⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3404 -ip 3404
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
378KB

MD5
155b0c5ac90d0e9083de4ba4593ac5a9

SHA1
24332f819b8cf2c13353c6f690f6bd9a3347095c

SHA256
d9fb76e0f4a154eed1c82525f869a875b3be028b44579968a45d8791be47cdc6

SHA512
66a9914637e52756beabc3c02b4913bbc20cbe9c5ba04d3e63f206ab72b0fcfef52abe079651cc20dddc6ce8bea76da031ad16c6907d33d875a7d8fee1a82a9e

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
378KB

MD5
3ccceb3f1de8fbe0b7896469407d654e

SHA1
b891a35ac37e3ab5f9aa92297841284db191aaad

SHA256
294995d8ea4b6c7660ef97b7e3f6fed19f4f76a782c2dfb40f0032d043485d40

SHA512
1937e2ceda69c5132fd8aed0c64a804caf5cd5d0957196fac3b390a132afc2a0181b396167a7f91cc4c5986befd598d4ba593df09ec5592feb804549e34cf729

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
378KB

MD5
df6fe30db3e81b8d6a17e4e5bc8df418

SHA1
16d78c8a250119a530b7f7d7244a1a700ac7f5d8

SHA256
a992acb9484c5c238231b6a6a2778475ebb88dc8b3b625a61296e3e6eb5d64ca

SHA512
77ffe2c1dff94ef45c90fa91cbc8ef4ade35243df05a97157faaa3ba366d485abc910dc6d5134ade92e8a516b84ccebc8a8c57277422d568294fff58e0c1b5ca

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
378KB

MD5
b8a1087bc4c935bb8d4a64af82331ab6

SHA1
fdce227f4a14c8d99f8060968e0d2a7a8ad5b254

SHA256
052b68519b1588f9ff953979bfd69e6d324535865f535ab2d41035948bf7b1c5

SHA512
dc76edf1c8abaee194cd60b6b0bb951117d009910e1bb7c70e169ce1397af706188b17a2db926539a7820257a1858d63638d7ec37ee6609ba987a3ece1599baa

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
378KB

MD5
f113ae01ab43dc5149081bd2766488fb

SHA1
f3a2ebe4340c805aa9eb5dd6005b61658e558434

SHA256
a1b9f00118945336a31ba55696eb344ef87e227cfb3d6f4e69764f3c1d895d06

SHA512
6f3d7897cead8939f777e938b9f0c4981f5aa09a3b138e884ec3135871573854b3fc8fbea64f9ff3cf4829a43abdd511361f0d8e27e9abede63cc8288cd69c87

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
378KB

MD5
17ad837730e9f19892899a30695473f5

SHA1
7e32dc37bf615d6cf14ae89b242b272d0d418719

SHA256
b7518c87857c119d67f70bae31cf666e6fde2b44a110da453247597aea9eb4f3

SHA512
e3da47b6347b8d4fe5ae4b42baa2262992212afd8eeefc56337f761869b168429eb6256526605461fea0a1afc90074e88ea7b4a7aa57c80e89cd74d2cb9df79b

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
378KB

MD5
63119bd47a5b2abdab8a9d70f7ca9a71

SHA1
db1c2ddc60c2bb2ea76c262577e9d620130699d6

SHA256
732d983778fe98410204a170cc40ecc54ec3237f7a1514b518f6e420b45a84d9

SHA512
087c339cdb61307bd7c6d9029d20601083ed8c70dfe14bcc516a73c0b46e987536529dc23eb35e0f7afde48706b498c325e31f8d350e56ae4207c8c5edbbb444

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
378KB

MD5
87ff1581a22d480957393e09f4538c89

SHA1
2c18f89d843e086dbf186e13da266496c255349a

SHA256
7400c7c8789434d147ebff9aa3e410eef00d95f788c5a56977e27981da2598c6

SHA512
eb0488b9d7a844b89b46ecad6d973df84573b548e7dc1f7615329c751b315281e2289e4b394849f70a19f0bbc48e16fb137f838de8a2364e077fc3cf897466a1

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
378KB

MD5
0ad3bead6b22983a4a69c2f1192b8106

SHA1
3d5cda31b940df74c71d1b4406a4d9d7ca4f3330

SHA256
35133ac33604b9ead084861dbb842beb36b514a03bbde0e641fd698869d82983

SHA512
fdd0241335b738bb8c3fc821e26251e66ac489f0938abfd478e93290dcdf555296ead9e388db14bf862854bc1f25fc8f3c9e8aad9e9c6a7183d8944c1738efbb

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
378KB

MD5
4f17aff563dde02d6282d4f46512bb0b

SHA1
ab75a82b8c3c6186a675bd6baa7c44f2fed070c1

SHA256
1df2f053cd25be6b0303809cb831c423359fcf634eda3a1f843018d8bd7a7732

SHA512
cb875bb68210a25fa6bfcf1c79cfe9e9c64d02dfcb4ed497feef8f60e6e4644ed7faddc4428949d7e53c6272e2c07307578d5ad22f05464e1d06d566514e1404

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
378KB

MD5
5fceed27bb447c0f12296502a959dfc3

SHA1
e89bf2826908dc9ac02b366bccca915c6f7cc5c9

SHA256
3cc451b67b5dbf3b7cb09ad736c15d82e1043097b03b3817bbabd7a50db22bc3

SHA512
895081326f853fd51af8227c8bc2c141af5c8231c980cdd30ba3fd021461fbe3e8a9d3feb83027a90141bcf331fabf553496ed49d280727489987059208b2f7b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
378KB

MD5
ec847b015b116e4d30c86258af295e74

SHA1
34ca6cfc4bcba3d21f87eb7dad03b0dc2838e2d7

SHA256
b73cd42ab99e87c459df1428cabf768741686096d350bd307078c8daadab8427

SHA512
83f7b68e7b4179d97af4b30c3253874baf4415fbc132e5ce2f7d08fa8d39d21ac01c53bc457e2d54e9287d9af205ffab2a60f102a2101eb00a6cef3d480d733e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
378KB

MD5
38ef4ad37d0947e853d172973b03c734

SHA1
db13dee3aa52dcb86c8a43890909bcf429c20192

SHA256
5b3d0c7e965d3cad0bf26efcd133085617ae3e618e6f18d4b7108c6699458af5

SHA512
bf9156f459037badf1a04650f6c6ae9f656d34ea414e1363a141a303d748dc29d774006e2df7dedd55d3340fc929c1275b246f1a6b71556287fc2942bb034ca6

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
378KB

MD5
de4e215e080a00279e1fba2070934fed

SHA1
2639352de5150b4697c5e4b3df79d8ea2f115471

SHA256
3a82586c3e31d83ef2722c6e35f3fe4a52c9dd528c4aa23d6d5a6289d573dc4f

SHA512
5da0ccdc10f0d8d65cfa1f93c1fd3778c8b4c7286cd111634a3a3d1fb7487fd1e02e2e49d091a196f1524df509657abc18bc3dd963b8bba3f4e2ea97bf895441

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
378KB

MD5
81e1cf21082644d9c809a60c459ca2da

SHA1
388bbcc6c01b84fc80cd54ef9b8c1860ca274999

SHA256
d193526a21bdb037df33452cb61222948ebe147c34e0a63cf1bdfbec578ca929

SHA512
21f833b47d003a32ce4d143b0c87f080d8687f350f80401258a02397ac01530c515c7b178473d9326c2a2940e99a85f36dac603cd6cb7755a84432b60c6536e3

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
378KB

MD5
2c7b4d21ea1ded6993573a748e059028

SHA1
72741d52f6ef91b6fefb3b57e68926f2b0ecb7b7

SHA256
0e59d7c9d0534d847c32daebbc33e2cd428054cdf9dbfb4630e369dfd658d8c9

SHA512
943fcd6e38b4b737fe01b145a16605fa697a04d06127ddddec4aff6e6d0ea64da31ae2412770ecf0bc901f7ad8b5d63b9a371995aa7448e15f6e1ff93750d662

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
378KB

MD5
c4e5491e27296434ac197de2dd17404c

SHA1
287f8c65b01d94f551006129439effecc1eb2bfc

SHA256
cee4436edef8c3dfeab2b2fa52256726c474e57eaf520a70166bce188c4a29b3

SHA512
83b5c1036ba686c833ab742392d0224bfc44fa3fc48b47ef6f6c9860dbc677710f95050dd585d81dee79fb3f5537402888e132f820ad8da9cd5df3df8f2a6674

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
378KB

MD5
9f5a477861b1b55660140030dd71a569

SHA1
4b3c682cbedfd0b01ffd2a1767fc34c9edc3f701

SHA256
d56fa672a46fe393553d8a7b3242264b4c37bed1bbc27133969fe0dc32606b8e

SHA512
e9ffd55e28b5fd0b791e9d385568994e5c087d86cc268be512116133d806f07d7f9d9ebda2e0b3d26358d1f6ae0f41e3f1aa4bb31e025fa49e3d5eb131cdab4f

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
378KB

MD5
410d5f913a0601c3d5953fd54465fe63

SHA1
aa350ea3d1c75a925d1e5bd69119ae6c258c11b4

SHA256
0475652be7ea5b9663446b8e9600e5e61779ad91eab3b56315f8e6058d12da8d

SHA512
442ef73dc537c97cf3a52e6cbb4ca9c8244bf976129c74eda5c2bff8613b7aca4ce46d86a2e189639e6eca6e63f8593dfccbb6cbaa05b25aa0f4b49618d9e922

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
378KB

MD5
df1c8a04066bac4bf51d7b96481b6de0

SHA1
8d41044e82a3683f084959944cc2f43101131851

SHA256
dc3223b568d8374b4b152a777d5314aa5aa2982c924c17e243024edb3942f4ba

SHA512
dd5485f38cad4d7fdd0d3882c0ebbba39cd6aa005a483afab9ebe8c001f825af2fbd32b11c52fd5f3dc7fffe511ce2a31bf494d6c1d4bcbb23bca47547eb8b18

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
378KB

MD5
1db4891ac27c5a4a164c10ddcb75683f

SHA1
ea0b4d1e77a2c53983fcb296fa6a13e9bb3a4449

SHA256
3085ee6db0a33e491e09077333a15cf340e247564736ca252545e0f429e870cf

SHA512
79b75670babbbb36e67c21d281601a392e79700bc90097812a32b1f7856714b01784aec196ae298ac67b1b5593213faf882455df49d52f53b69c94ccacce1eb0

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
378KB

MD5
3264d48d6ac53850f45a53d3e6ecfc56

SHA1
b855bbfa2073ce19eadd16ab2f50eda928701783

SHA256
9c06e345f9239a8bbfe68f83be668638ce475af7b0977fad47c7a020daae2c2e

SHA512
27c3f93e447a86ea0429b6aaf894119760b189982d9e6863d290bcc097920a67bf55d6aaa303499a5ad611e6794f89ffde78900792db491b037543096f3716ce

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
378KB

MD5
adb9a0435bc59de8ab9e8f898f644ef1

SHA1
d3e6d3a8f3bf4e09b5b68852b2892b787ef0f137

SHA256
6880d21cbc670e702f0aca8c745984e7c9aef20481f29d1414801cf2751649e7

SHA512
7238871fd4fbae038f983361577be155231305508b5809bc4b5b58e8652d6f05e64269ea5c2e4a29653d14c00bda9a4775203030c5e911cacfd6a40c9efcd083

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
378KB

MD5
4bd41c6a6bb8a70617a2ea4443e4efaf

SHA1
c877ca7dcf60b45d2d6fc893238668ce7c6ff466

SHA256
4af4198a65d1723e2b12ae2ff7fe335fdc5ea2b816a51467b2fcba01d99feeca

SHA512
2a51925d266cd52a039ae044e4e9ab863b27b97b220456702ecbea41cec9cffc8ecd6f458bb663d45db7540922094d0c208b126b342b24edde84e09518f7b798

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
378KB

MD5
b6dbfe06e4bc752271742d1c03cd94f4

SHA1
0188f0cb8dc5459fe4cb4cde1ca83b9c5731e5ff

SHA256
de94813c6dd4e66eac7b5b53063e53f50d7a7a0c21da34f24060aa3a0d4f22ad

SHA512
8228712c3cf37336806e3f5f1d6690c893f7a66b1d7fa744072e040638ae68a37a42dffbfab5e7e86cd5122bd5a50a8607e750536dd24dabfdc8a29f4ee36535

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
378KB

MD5
8402c8f9e1f8d2979f50f5b9232865d6

SHA1
f6da8da2ff6e7aa0f9d15e37be49e3585d6bde73

SHA256
d78324027e64097b1e9854af3c21eebf322783bda8ba9e4b9150303961c8d5fc

SHA512
97523cff83f1c3c55c94d4bca446f7206d2dcecc3f37bfd7ad7dc255bc9faf3b40e409b33dc060a2ffed8ebec75820ab1d6d68e726a57c9095323a4b3044cdcf

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
378KB

MD5
59b259f9cceaf5ccef37a57aaa1d9980

SHA1
486b735125d57fffc9c46cc0e27d83a7a167528e

SHA256
b123d103f5fea93432ab08599128645997e34eee83e846317914691a40e35caa

SHA512
29d837d3124e700b10ef43a352349d0e094f7f0ccfe2ab5528560b36fb8ffa6f55f13a96451347df852ca5c70d6d897e9530cc286d305ab5d5a745bb62904c65

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
378KB

MD5
4c300aec1dd93fb865eaee1016d9f72b

SHA1
55a41c68457c347c40f074519e09392f86b80ed2

SHA256
86d531b82163d23012380afb99fc64ba73fb5fa11ca3c78ae64c534e55520b68

SHA512
9abef2198f1fec372ace92637067c2ed67db80d459c6cdbeaf355c2f2c5483b122c40ccf4788609fb9232373c80f422588282d382824210686c57be49590cefe

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
378KB

MD5
df030a7d21dc3a82dfa1a741d033b7a3

SHA1
579ef117702010867798ff4df2c2f7166f11d034

SHA256
4a21b743b4341838036bda474b6e58039a488c1e2ee1d5a7353945951a4cca9d

SHA512
884fcfc300585ccc6e05edf7dea0ba3d6d92d79c790f88c29c3c7b8a03595fb368b058e16611f290b52585813d6b3699358f8106b274268830b53904816d2bbd

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
378KB

MD5
ba7e77899571cb899df24f08c3f72983

SHA1
2a9fc239bc2e72e773a660090f39ebda917e6303

SHA256
8fd332c5c0a01d9e34adb00d68dfd5a9734233ad2f10681dc870e82864b229d3

SHA512
87cbece79938f6345c891b680e172a2b7157ebcee055c1191bd863679a7826f23e720315bc45cbc6c741fb0ef34695ea3f5e0b562c2996b78f5ac30325ac3dc2

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
192KB

MD5
a6362968ad87a803f88a257550f74491

SHA1
18fee9d8719fa953dab7139e08f8bf85d39c4a5a

SHA256
94f2d5175fe528bd2a57e7dae6af1e1111039dc7737d4f68f96ed07949f46898

SHA512
c860f7e2ec6d41f789d0f3bbca582981def3679204b85751206c69be6655125f7eaf991abddc7d4b5d345b58b57d9b7d2bded7dccf5f6dda89b748ab419627d1

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
378KB

MD5
117ccd120dbe25f63ad3c475f43e9b8b

SHA1
05b6d663ff06cb4e627f8c2dc9bbebfff3388c72

SHA256
5a347f84f8dae205c83024ee45ff19c2c7a75920ddf4c78e41a6aeeae9d17214

SHA512
b988f8a13de1e1b63f98ad9650cecf77d0400f66f0a266800997af2ca0794f2f05d5d8310a1c3013fd47efc1c8d8e84a0eca635feb1333dc1cc705bf052dd1e9

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
378KB

MD5
6ae954953cdb5b54f467c1e1547f1134

SHA1
a97ad330efa59dafa26c2c88c127023c906ef8e8

SHA256
17aae97d2452b6a38f6681b9f83544efdc09a4aae796aa39fdd04e267d23a2fb

SHA512
43d2251a7ebf6eddfd16926907149b7688a924f239bb86f2118b86b009373e59dd3d675303dc013e7c9235b8e45e0f07d31aa76a66000979199321e6c7ddfea0

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
378KB

MD5
0486107d5d3fc1f76cb4b7705bc3fb29

SHA1
795e68fd8ce27617390018ab169fe86010c034c5

SHA256
064fb4f0b3b3d8614cb7be743c894298b3cacea562160837cb1f3c830f8e9cc7

SHA512
9532dc9cf0afa7a1cfdb3a8d78627599fead66bf60241185929cd89335e57ac79cef16fa09c06079c397c7c749e3c0285c589bb139edfcf6e07276bcb661df82

Download Submit
memory/116-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/804-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3200-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads