3adc25dd1cd198747a488f4bc2577c82615bef8a5b0906772607fb6d8e36883d

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 18:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e415707a50d8f72e6a76500f502436f0N.exe
Size

320KB
MD5

e415707a50d8f72e6a76500f502436f0
SHA1

51487253f5ef41edd9b4450f252a5ce10cc41fe4
SHA256

3adc25dd1cd198747a488f4bc2577c82615bef8a5b0906772607fb6d8e36883d
SHA512

a96846bdd0be326e0fc86d6370beafa40951114b2cd6eaf2c1f9f523289ccfdbd01e86c79ab56adbdb5a7d45cb3c36a92c4f637af4f9f04b092d3479b606775a
SSDEEP

6144:etO8e9zVtqeVTjfHNGyZ6YugQdjGG1wsKm06D4:etUpGyXu1jGG1ws54

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e415707a50d8f72e6a76500f502436f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e415707a50d8f72e6a76500f502436f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe

Executes dropped EXE 64 IoCs

pid	Process
4256	Npjebj32.exe
3508	Njciko32.exe
3864	Nnneknob.exe
1912	Nlaegk32.exe
5048	Odkjng32.exe
2396	Ojgbfocc.exe
628	Odmgcgbi.exe
5076	Oneklm32.exe
4776	Odocigqg.exe
3192	Ognpebpj.exe
220	Olkhmi32.exe
3372	Ocdqjceo.exe
2216	Olmeci32.exe
1124	Oddmdf32.exe
1604	Pqknig32.exe
4240	Pcijeb32.exe
4828	Pqmjog32.exe
2852	Pggbkagp.exe
4340	Pnakhkol.exe
2196	Pncgmkmj.exe
5104	Pdmpje32.exe
2000	Pjjhbl32.exe
2816	Pgnilpah.exe
3700	Qmkadgpo.exe
1856	Aqncedbp.exe
4336	Agglboim.exe
3568	Amddjegd.exe
2540	Afmhck32.exe
2912	Acqimo32.exe
1336	Ajkaii32.exe
4824	Aepefb32.exe
3388	Bnhjohkb.exe
840	Bcebhoii.exe
3300	Bjokdipf.exe
4444	Beeoaapl.exe
5088	Bgcknmop.exe
3128	Bjagjhnc.exe
1624	Bmpcfdmg.exe
2044	Bcjlcn32.exe
4632	Bnpppgdj.exe
1184	Banllbdn.exe
3328	Bhhdil32.exe
2532	Bapiabak.exe
1400	Chjaol32.exe
4320	Cndikf32.exe
4324	Cmgjgcgo.exe
3976	Cdabcm32.exe
3136	Cfpnph32.exe
3140	Cmiflbel.exe
4884	Cdcoim32.exe
3536	Cjmgfgdf.exe
2788	Cagobalc.exe
4368	Chagok32.exe
2412	Cjpckf32.exe
1956	Cmnpgb32.exe
4888	Cdhhdlid.exe
2124	Cjbpaf32.exe
4216	Calhnpgn.exe
4464	Dhfajjoj.exe
3640	Djdmffnn.exe
1532	Danecp32.exe
1516	Ddmaok32.exe
4220	Dfknkg32.exe
3544	Dobfld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	e415707a50d8f72e6a76500f502436f0N.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5372	5212	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e415707a50d8f72e6a76500f502436f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	e415707a50d8f72e6a76500f502436f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e415707a50d8f72e6a76500f502436f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4256	1900	e415707a50d8f72e6a76500f502436f0N.exe	84
PID 1900 wrote to memory of 4256	1900	e415707a50d8f72e6a76500f502436f0N.exe	84
PID 1900 wrote to memory of 4256	1900	e415707a50d8f72e6a76500f502436f0N.exe	84
PID 4256 wrote to memory of 3508	4256	Npjebj32.exe	85
PID 4256 wrote to memory of 3508	4256	Npjebj32.exe	85
PID 4256 wrote to memory of 3508	4256	Npjebj32.exe	85
PID 3508 wrote to memory of 3864	3508	Njciko32.exe	86
PID 3508 wrote to memory of 3864	3508	Njciko32.exe	86
PID 3508 wrote to memory of 3864	3508	Njciko32.exe	86
PID 3864 wrote to memory of 1912	3864	Nnneknob.exe	87
PID 3864 wrote to memory of 1912	3864	Nnneknob.exe	87
PID 3864 wrote to memory of 1912	3864	Nnneknob.exe	87
PID 1912 wrote to memory of 5048	1912	Nlaegk32.exe	88
PID 1912 wrote to memory of 5048	1912	Nlaegk32.exe	88
PID 1912 wrote to memory of 5048	1912	Nlaegk32.exe	88
PID 5048 wrote to memory of 2396	5048	Odkjng32.exe	89
PID 5048 wrote to memory of 2396	5048	Odkjng32.exe	89
PID 5048 wrote to memory of 2396	5048	Odkjng32.exe	89
PID 2396 wrote to memory of 628	2396	Ojgbfocc.exe	90
PID 2396 wrote to memory of 628	2396	Ojgbfocc.exe	90
PID 2396 wrote to memory of 628	2396	Ojgbfocc.exe	90
PID 628 wrote to memory of 5076	628	Odmgcgbi.exe	91
PID 628 wrote to memory of 5076	628	Odmgcgbi.exe	91
PID 628 wrote to memory of 5076	628	Odmgcgbi.exe	91
PID 5076 wrote to memory of 4776	5076	Oneklm32.exe	92
PID 5076 wrote to memory of 4776	5076	Oneklm32.exe	92
PID 5076 wrote to memory of 4776	5076	Oneklm32.exe	92
PID 4776 wrote to memory of 3192	4776	Odocigqg.exe	93
PID 4776 wrote to memory of 3192	4776	Odocigqg.exe	93
PID 4776 wrote to memory of 3192	4776	Odocigqg.exe	93
PID 3192 wrote to memory of 220	3192	Ognpebpj.exe	94
PID 3192 wrote to memory of 220	3192	Ognpebpj.exe	94
PID 3192 wrote to memory of 220	3192	Ognpebpj.exe	94
PID 220 wrote to memory of 3372	220	Olkhmi32.exe	96
PID 220 wrote to memory of 3372	220	Olkhmi32.exe	96
PID 220 wrote to memory of 3372	220	Olkhmi32.exe	96
PID 3372 wrote to memory of 2216	3372	Ocdqjceo.exe	97
PID 3372 wrote to memory of 2216	3372	Ocdqjceo.exe	97
PID 3372 wrote to memory of 2216	3372	Ocdqjceo.exe	97
PID 2216 wrote to memory of 1124	2216	Olmeci32.exe	98
PID 2216 wrote to memory of 1124	2216	Olmeci32.exe	98
PID 2216 wrote to memory of 1124	2216	Olmeci32.exe	98
PID 1124 wrote to memory of 1604	1124	Oddmdf32.exe	99
PID 1124 wrote to memory of 1604	1124	Oddmdf32.exe	99
PID 1124 wrote to memory of 1604	1124	Oddmdf32.exe	99
PID 1604 wrote to memory of 4240	1604	Pqknig32.exe	101
PID 1604 wrote to memory of 4240	1604	Pqknig32.exe	101
PID 1604 wrote to memory of 4240	1604	Pqknig32.exe	101
PID 4240 wrote to memory of 4828	4240	Pcijeb32.exe	102
PID 4240 wrote to memory of 4828	4240	Pcijeb32.exe	102
PID 4240 wrote to memory of 4828	4240	Pcijeb32.exe	102
PID 4828 wrote to memory of 2852	4828	Pqmjog32.exe	103
PID 4828 wrote to memory of 2852	4828	Pqmjog32.exe	103
PID 4828 wrote to memory of 2852	4828	Pqmjog32.exe	103
PID 2852 wrote to memory of 4340	2852	Pggbkagp.exe	104
PID 2852 wrote to memory of 4340	2852	Pggbkagp.exe	104
PID 2852 wrote to memory of 4340	2852	Pggbkagp.exe	104
PID 4340 wrote to memory of 2196	4340	Pnakhkol.exe	105
PID 4340 wrote to memory of 2196	4340	Pnakhkol.exe	105
PID 4340 wrote to memory of 2196	4340	Pnakhkol.exe	105
PID 2196 wrote to memory of 5104	2196	Pncgmkmj.exe	106
PID 2196 wrote to memory of 5104	2196	Pncgmkmj.exe	106
PID 2196 wrote to memory of 5104	2196	Pncgmkmj.exe	106
PID 5104 wrote to memory of 2000	5104	Pdmpje32.exe	108

C:\Users\Admin\AppData\Local\Temp\e415707a50d8f72e6a76500f502436f0N.exe
"C:\Users\Admin\AppData\Local\Temp\e415707a50d8f72e6a76500f502436f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Npjebj32.exe
  C:\Windows\system32\Npjebj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\Njciko32.exe
    C:\Windows\system32\Njciko32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\Nnneknob.exe
      C:\Windows\system32\Nnneknob.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 416
        77⤵
        Program crash
        
        PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5212 -ip 5212
1⤵
PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
320KB

MD5
26478e6b7b3a0b066b2b1df5375b6a9f

SHA1
a73ac239aae7f360d3c60c94dd5a2ef97a7db966

SHA256
a7044c273bd2e3cb7f7059aca9999eb8b8c24ff5e60542a2bb41abecf1dd51ab

SHA512
4e7df307129d671224834179b469c2bbac71460b3f260a1998b83792a890bb57a65feb6d3824023f9979ff5a5f172b1383138316c94905d9139752daba7e4c5e

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
320KB

MD5
61f08683b8bcf49d2e01321f480cdd56

SHA1
d657407122ab73352af43c9bf12c6682919bb049

SHA256
cb90423cba9e3bcdcb1430fb6cd9915eac03629e86818ed19cdbfeb7e5983aee

SHA512
3a41d0a2cf93236c1b8ec45b504fa92cf8907e8b5e7f89444f5ca34fa25a9beab8d0ad93c1ce72ab8e85137a560b6f5c2d459946f66b3d47a54e4ff35e4c8adc

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
320KB

MD5
28f3461b4e67ffd907466b4273323208

SHA1
bf977ec15c6c33b594ce1d32246bbb64229ce27b

SHA256
17fcdccd79e120d63ee49440a1f81fa07d8f3d7151ff54ff345351da01721e08

SHA512
844323b8d55ed9ef01edd07fc5ed3bd0ed6db66373bce1810ee1f43f6fa374d54f1115bbc89cd057f1c381529194a7a77beb952038feb9b10c92c87820a67a7f

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
320KB

MD5
153a5d0dc2b51fbb30f4ca9c9d04628e

SHA1
f810b608855753f95ed95efa71b9e719c2b682df

SHA256
96db866c52f09830d3766adb748cd871f36f83b08fd189a9a616d3ccb3020836

SHA512
949d758e84c18ddd953e158a7864e68f7ab6e3e51995df4d6d76525d13909c7ad5c294892b94a5a8c73a534308536769586a4d4c5a997e82c96afb5193522233

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
320KB

MD5
242315ff9c7a2f9b3da7438a4c32dd89

SHA1
2c4a0c0906d514a3e228d8e6328d1ce6881a87f8

SHA256
6b1991a7c5b0928e4809fc69383a9f4c025969616c4bf396a673e93fbe317d80

SHA512
28e93cacf15a79e02bd151283843a780f072c915fb0292a02b30cdcaffa075d05dae4f696b970fedaa3ce3eca812b0d0c5a61cae111cb2586342ffbacd2ae0b3

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
320KB

MD5
916f53a19158ebeef5ff5af5bb4c699e

SHA1
aee2ceaf7a5d7414dca6d63b78d24449d4433703

SHA256
43a5447a551976a2ff88cefb42ba814444b7e91661bdd41a325e558601f021ca

SHA512
44978e2cc1305fea0aa01f585127ac6ea3b60df99977e3f8af50075e5062d803e65051ddc201fce6f49796b7910fc34e02e3ee84c5f9e3475d9462b417b01ef9

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
320KB

MD5
a1d7702ecef34b92ab631194a6b401b4

SHA1
f0d7ac0bb6aa1984af064cbc3b4a32d06094014f

SHA256
bc1955ad02f989552406acfcce8c463a537fbc6246fecf8701f4cb43c12d9fa4

SHA512
602957ebfeba75a52f647eb93869a51b492be80e1ff667a5c40125077a4537c09a6e0b70dc90744f5d0e4810c7557c7b2970228d757e3d518bf90a1c21ab6744

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
320KB

MD5
c37e65e5cb4be4354402e6dd62122e47

SHA1
124740abb37f524f5b83520451630c3fa3a19548

SHA256
fe30cca4fd809a2a974d0b565397e7bfa64a5db3eaad0066fdb4452dabb60734

SHA512
cb437117dce89b6193826b83d03f523e1fc43f2ef7c9e8616ccffe1316597b455eeffd9343634e2fbf6acc25ec6fcfc1bc81bd9f1292740ec592b5d750070a72

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
320KB

MD5
3d17a81da80a0d68f67dde335442a5c6

SHA1
0d3350edda3bcab5307644c903ae39a6365b3f42

SHA256
a8bb3f33907284f4b6b733960381351b3e1bc9abea35d102f7701e47ed4ada35

SHA512
31f2d997b1fc9e7eaeb79233bdfc2870f3836e5daf87081fd6d93f6bc2b3c01c47246d1dd0ca8e5f5160de42ccbacf4e2c1e694bb993fdfb63438c68caba141c

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
320KB

MD5
8311dc7d83f02e3de46cb985e95ef784

SHA1
457ebbc3e446de4ae7ae3fabda9adff9f02a0369

SHA256
b830e464deb2db65227c5676a425d16af255ea71a07934fff59acf3c9ba64438

SHA512
de2cab7edaf778faad89f26fc1eb7e8ba66e14bb04802393eb2693cdb5f679b28aad5132d4dcd5410649ead0016da445195ce5e74481781f3e9a3c6f6674447b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
320KB

MD5
7e9a4d2459cea7c2ef7cdb5c3bef3a8f

SHA1
5250d72f6628776f92392e30c442140adf651cbf

SHA256
545bc5e5dfedb4328255de3e8925a75db49ea1baa84477ea2695d4901d616ec0

SHA512
ae946f7704061638236f259ca9f2c4a5da1e240d74cc395420075d0aa5da697d5bebbc0962d8f315d43a490104169d54d22df67ede1e223ef28a49a411f337a3

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
320KB

MD5
baf57b8698ed477f131ba32e2f9d235a

SHA1
eb9f34f6836ce8a93524a53ace94c88228aed439

SHA256
ae3de607b8711a3ff6367854c042f745e9dad7bc6350b245c1b4906cbd01a802

SHA512
a03d5d6ba53acbc6d16931bf7d7bc4074b48e1abc6aeb5d5599128ea9924db90e7aa0f4a1e483480128d47b5fdb005ed9cdc08328b6332501544113a1b122a33

Download Submit
C:\Windows\SysWOW64\Glgmkm32.dll

Filesize
7KB

MD5
c9d9cb2bbbe2db2ba2dbadcb724456b2

SHA1
44b33c6ffe0f3f4b89b2c691b76bb95281b442d1

SHA256
1ea46542baddf4d9b948c16ee06ddaa800bd120e78219a9961888a37b940e69c

SHA512
eb15d3dd47bdd6a364cf6dc5ed8ec50741f94cc9cc762bf3c58e4e6d84d191979f0d8c0acf626ea222827506990be95a52ff5af35b28a38175427a7668129b00

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
320KB

MD5
2a976662db3e863595d4697e0ff115f8

SHA1
e6cd58fbde97c0edd933bc8543eb4d689c819705

SHA256
544b14c4b62dedde8936f4d318a67f88f7465096bbbe54bf0fbbfa25316b48ba

SHA512
86016f4a110cb39c2b4dc974c8fddea000d419ec551f067ec97c26033bf2d0f627c9bf4532b2d3467780fb4162bc21aabc00daa65fe4d2f76ca929e8c3c977eb

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
320KB

MD5
f54bc20e9fd861d147ebbd2442a39bd5

SHA1
afc017485279d0ffe9f8469dfade63797eabc9ba

SHA256
bab6eb309f5e6b481fc0d67816daf853d119bdd91ab7cdcb7878ea96b5b585b4

SHA512
c8a45ce72401243df6b65520a65e84ad6babc9b1bb7981d46c45feccd3857fdf73738142aea7d1bf5b9a8f3b5c479be9e7d7c9e5df6a3d7282e65265b0ba5c6b

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
320KB

MD5
8f503b3e29134bb44b53eeb52e2fa440

SHA1
b1258e424e575fd01fafc018c126a01d03c31c5c

SHA256
398ccb0878b78e6c2c4c9fe660cf6220d0004479d6bc27d99068a55737a0840e

SHA512
19bfe54b39e47ddf443ac548d511dfe8c4ce658e070f6623e6e6b4da146ec32d5e052fc3934bc1ff080f82e6cbceb6c642671720b1f43094efdef80def833568

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
320KB

MD5
bec94429e3328688fee95ddd98ad35bd

SHA1
1b29631601bf7f76e0c6ab539da9eccea637216a

SHA256
bdd7b5e5c6e8e3f02089748e2df47d251ac2949c2cc7533a468607cacf3c812a

SHA512
c8b32bbc06f4bf74ff24ae9d260637f20f65a5058aa40402b222fc32d4d0c06cc56310f6f85418e055023bf718604108bd07e52f43f755bfed5c43ad187b4b82

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
320KB

MD5
3fafa52032961031f314e70f96d25236

SHA1
f97f0b366ca59b8fb62cd1380144ac34f2812a23

SHA256
db8f0132be8a7f83d707d59a2c5176678b60aee9b6ce484b0dbba7f778df9b20

SHA512
514e3c205aa6f55a49ffc0adca0e9dc024261654ba9ea4cb13a704fd7a06826da5f1ab8752011e0d848b6611d393cf87a4372f6249ba6d3e39ff41916c21ac61

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
320KB

MD5
a1a03f782647b05f80e72c8f32bcee01

SHA1
7f808e3610937f6174c0ff0026b11b7bef4b3266

SHA256
5d777c242962ce19b72764128ce979b581f433c32f2b0418e304be3a6f8e3df1

SHA512
8d423ced5b791ce306c00bd7180d2977e2b3d0ec6830149b9fa71d182ba3f96679a2c9f1a05a069e75d251d6070e6c75c9bdfec0e0d4fe68cb3a91cf55073589

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
320KB

MD5
d624bf1a6533480412aff0a38a775311

SHA1
315c48cdd58c7e3ad5e77563ec5594e9f5c92aa0

SHA256
fddda1ae5adcf4ecb55762c8ec4097b4a3046fea2cbb01cb9e983b8800f715c2

SHA512
1b36136c1fae10f67fdbd2868e72edf3a57866f95e1e1b646c29a6abb1fbde34f5603c90269903366c1f5081a72a86e31d2d51ec026e248c5c7415261068bcf8

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
320KB

MD5
7c11d36b3e78842fa1ecaee51b50d37a

SHA1
f824e605aa7c6a5dd5679c7394a01c924499c0d9

SHA256
a5988cc0b46f32a1d8b74b37541c4f5d02dec83856c5386bd67c9c1c24727d6d

SHA512
6b081ab410721764b0c276f8dce47df352364a1d84e400483382867b3a4eaf391546d648d9c106d96f9caefe13186cc7175a08f01593dcb4e0d98de810cda42c

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
320KB

MD5
a0b59abfb0329429ba2f648cee22d09c

SHA1
75e3c4441d921b614038c78e1e7a423451f98c40

SHA256
b91b3181ebd6cad5f64a853a64a3a9eed04df931a946c47624e381b8a65fbc98

SHA512
4385d6dc705b3c9f4a040c83f23cf3f3c7e85e128f00deee54237050523b229c7dccc7a1c6dc2f7278b0a2e2c991f8418c4c2c62a6d2f964efd276731339b1f2

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
320KB

MD5
693e92b4be5de758b074cc84fcb66172

SHA1
9dcd77a8edc1e868de18b2913064325df030817d

SHA256
acae29d62b687087bd1444caaed4fb2cf6a2d1dbfac27adba9fe365e16503a30

SHA512
aab25e14fa05111a741508db5a6d35717a4bceeceffd898f809f3a228ad146b8e1cf7241f32d3bf19c58a5c17587ea8b04c63ba0df50193783133c843cb0e003

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
320KB

MD5
91c37ba62e1f2974d70317f2d0487859

SHA1
77a0d6812f93d3766f6e7a8756f7bf2e16240a8a

SHA256
10326d4c59bd38f84ce3650d38cf8bd44089d66e4f99707428c63567d847e812

SHA512
011a663d399033415ce67ada0e8218d4b8a44148fe7b397241ba28ac749d07ee8fcbcd31a16bb27df92c5a8cc68294131adcbcd2c31e4b6aac5ab77eed35e886

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
320KB

MD5
6598897773471feb15b6a3fc9933c061

SHA1
856b1f61e303d494c8deb0dcabd4e205d323f407

SHA256
ec8795f2ef4e327852ce6fc195134b258921ff484186148bddc260f624942d4f

SHA512
95be4b576964538fc3729c438380575efcd22ea2ca90242f2117d43203e3e232e3ead3cc11438397281c05a5e081f4959e204d0b4d83b0c3ffefde6c98419209

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
320KB

MD5
9e3f2b4ab340da0436a1dd29ffc5acb0

SHA1
a9e1516f109df95f75008b40ac103efae703dfb6

SHA256
c7eb01bb1f43c5919d0ba1c16fadf5917bfa57d0e55e40f545359b8459920b45

SHA512
90e940700a5ef1e60346f0ba61bfa08ee886652c6743b027ab2f19b1a93afa8a9fb2e158ff789ed1639e1e3252cdc86062462819317988fc77ad5df33609a883

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
320KB

MD5
b1c55b1717f9fb0ca55ff8ff2f11774a

SHA1
1f942bc77fadfbbaa0b4d577ce31540af1182bf3

SHA256
ff7a99102a6a06e1e14dd51931a05eff4dacd19920febc30b6da76bb9284f2bd

SHA512
97637d9fd45aef54b552a398069fb5282af2d36e6f657d2887e28e178831362fdba069fdb1fa5aa14368ce5616f50c63a79e99d99ef261e48a01a4fd6b30159d

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
320KB

MD5
b019450eca339591d7035bd9692ffa1f

SHA1
a271d62ceba4f8e3fb261e110670b3b2cd7b3a9b

SHA256
8a4c6ab0cc47a80297e5417ad5562add37e4dc786991805f89c6197b4a95a342

SHA512
157189cfac9acadf5f805527acfc67c90609f98c747954b1b84c9e4889383d08fdbdbc22db9dd0822dff8908817d6f50d2dae3e59d59acc120912e542c48a6dc

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
320KB

MD5
703bcdc6a476e92bb85e1c59643130c6

SHA1
f5e17784ca1769962126e0cea3aa62a9fd9f61e6

SHA256
1d113633664551dd2c9e7bbd77b2207c8e04a8bd15cdbad98d9f77f77d191997

SHA512
2d24bc883077a73df6fc9889f59fdf56519c8e508b9a424b2db6a696f06ee6eba5adc4c7362f12eb8b34dc1ab99486b076c7f38fded6628f4d7d7ccfa21c6903

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
320KB

MD5
0e065ee0cc741fd9ed536c5e1a21f88a

SHA1
0b5f354c47fcab410cb36371c8499d1557079b9d

SHA256
37c580c59994fb4c26844f27643400cf47356d4983f69973b2e65c719b00f66c

SHA512
353a50621681904777b9fe6fabef9bc7e98e88148b5d95edc1e8abf4cd1cb2fd255577806ea6ae53a612efe50fa6f48863bfb93e5b2746df826808162d05eb7f

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
320KB

MD5
b19b2d6d50ebe5b74b6ad871626a32af

SHA1
b0e4e5f674a9435d8d12205d031ac39975d95dca

SHA256
7b2b038af5e39dbc12048d63ff21542e7b604e3595461ace4621b59014ca04fb

SHA512
02ead0c6db846c1281f301888a0fa838e0deb0e8b2365ecbec10095359c1624f9ff22da02b060a6e83c3da6f3eb2d917b9d4d8daeed9489ecc98c0490fa586af

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
320KB

MD5
32ebc607a61cfb5110c8855a00025dc6

SHA1
fe82ec4310436a8a7137ed561372762d8e9a2657

SHA256
bd70ab5799dae9f4033ff78738455d5cf696d8acce5e6a1b77402f6dacb36a09

SHA512
f679e91e47fd86005712ce87dfb459ed932b2cc5ca3ebbc2edba7ec89ff3f6b62180255c0873f730183e41bb987404fa18f049e234c6fb74ec95f253d838fbb0

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
320KB

MD5
3823a7e71549cc3e8204a2a101ef079f

SHA1
dcd00ff4a40c8a470582b6285ad2d17833c1616c

SHA256
bee0c3664be00a64f7d86b23b1c3d4eb5d982ca2eeb298272ff61d31da6a3b90

SHA512
27151ee6e92664998fba7c0d3776bac61e09ab70426ba5fe81fa0559e4e2aaf5d4f0dfe995af1f56a5a4a01ae875c59a5d2d6394875843a56e0c7c97bab69e33

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
320KB

MD5
f5ce4fc422f3c2e8b6d331ed08f3a018

SHA1
033baa9761428df646b62c9f59a07f044d416d1e

SHA256
752de5df49ec234a2ce207b2a09b47c2155b5856df9b3502fb05555f5cd6d3b5

SHA512
ada30a6a38154e0556ece2ecdf38cfcf1bbfd3660d69a6649ea4d4bd1066ddfb5a37e00309c1a9614b6de92e1bcad87352357b2ae397189696c026e7e60ccd02

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
320KB

MD5
6cd957bc20e2c98be6b776bed2beb96a

SHA1
7d2e71b2a1712b253a81aa5105e12ea4e0d1cd7c

SHA256
5aea17381545059472d21b83b3ebd0593892ee67721c14b4069076a8e8292f7e

SHA512
06d83fdc3272e19c659a7348f31045a7d5ff2f5f6c8ea46babbaf276db3726d0244d6fd1bd2f1a8a22b6c088fcf5514fe46993c03a46da470b9fe6a9a475bc96

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
320KB

MD5
b993c3919051f2c719e8fb6ace42e989

SHA1
9758c9375d9c271ff68751b7d41227e0e12bfc3f

SHA256
4714e49d92d1a701b701a6c9fc976ca59ba757d709ef72ba26c83f0650cf0b35

SHA512
1d6325327e207c744e4d25e0285cfbd9c474a7fa34010bb423bab53ac5631cb3ec3b344b322d69ed70464d28da57ba4757346e85cf7ff231406d5e898ce339b2

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
320KB

MD5
e047b2c0a101b796c7dc915aa90d2459

SHA1
24ea11850ddcdffd9d43e468e91d8f0e93c7ea79

SHA256
69c40434eb976396d9c62faf3a480aec6929d2c4dfdafed49212b188438ec761

SHA512
a38f93053c9d064a063fcfd09693d5fac83c477227e3473d5b8c36686a3ae287c070d78feb32957366b613b10424e561ed7d800ab9ea4da65281385aa60c63fb

Download Submit
memory/220-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5212-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5212-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads