50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe
Size

55KB
MD5

a1d8ccd70e2f932e0cf14eed76844071
SHA1

2d16e19796edb850c9f8c8eee83a25de916de7af
SHA256

50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7
SHA512

8c820c21265e162b20bfa994d41a30e385180801a70e13551f18cefb5cb3461d6fba0cb0611784b58815e21d88e93e8271ebc0acf27e84e5ae5ca15b2e258982
SSDEEP

768:X100X+eNmIJ+TJO5TpDQ4mWVGGlmHHuLZgkJc1ROH5Gu4IaJZ/1H5KXdnh:X1tueoIPpGGUTkJsOZGJpq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe

Executes dropped EXE 64 IoCs

pid	Process
2860	Pnfdcjkg.exe
4232	Pmidog32.exe
3168	Pdpmpdbd.exe
2716	Pfaigm32.exe
2948	Qnhahj32.exe
4460	Qqfmde32.exe
3300	Qfcfml32.exe
3280	Qnjnnj32.exe
5032	Qqijje32.exe
4532	Qcgffqei.exe
4600	Ajanck32.exe
5040	Ampkof32.exe
4156	Adgbpc32.exe
4376	Ageolo32.exe
2812	Ajckij32.exe
2544	Aqncedbp.exe
4576	Aclpap32.exe
2616	Ajfhnjhq.exe
2088	Amddjegd.exe
2768	Agjhgngj.exe
3232	Ajhddjfn.exe
4940	Aabmqd32.exe
2656	Aglemn32.exe
4560	Ajkaii32.exe
5000	Anfmjhmd.exe
2688	Aepefb32.exe
4100	Agoabn32.exe
940	Bfabnjjp.exe
2908	Bmkjkd32.exe
3376	Bcebhoii.exe
2220	Bfdodjhm.exe
4960	Bnkgeg32.exe
768	Bmngqdpj.exe
1984	Beeoaapl.exe
1168	Bgcknmop.exe
1304	Bjagjhnc.exe
2652	Bnmcjg32.exe
468	Beglgani.exe
3712	Bgehcmmm.exe
2660	Bfhhoi32.exe
1752	Bmbplc32.exe
4840	Beihma32.exe
1220	Bhhdil32.exe
2344	Bjfaeh32.exe
844	Bmemac32.exe
736	Belebq32.exe
1008	Bcoenmao.exe
4536	Cfmajipb.exe
2464	Cndikf32.exe
2852	Cmgjgcgo.exe
2744	Cenahpha.exe
3668	Chmndlge.exe
2312	Cjkjpgfi.exe
3588	Caebma32.exe
1644	Cdcoim32.exe
1568	Cfbkeh32.exe
2844	Cjmgfgdf.exe
2308	Cmlcbbcj.exe
4056	Cagobalc.exe
388	Cdfkolkf.exe
4832	Cfdhkhjj.exe
1816	Cjpckf32.exe
3204	Cmnpgb32.exe
3020	Ceehho32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5504	5400	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2860	5008	50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe	86
PID 5008 wrote to memory of 2860	5008	50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe	86
PID 5008 wrote to memory of 2860	5008	50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe	86
PID 2860 wrote to memory of 4232	2860	Pnfdcjkg.exe	87
PID 2860 wrote to memory of 4232	2860	Pnfdcjkg.exe	87
PID 2860 wrote to memory of 4232	2860	Pnfdcjkg.exe	87
PID 4232 wrote to memory of 3168	4232	Pmidog32.exe	88
PID 4232 wrote to memory of 3168	4232	Pmidog32.exe	88
PID 4232 wrote to memory of 3168	4232	Pmidog32.exe	88
PID 3168 wrote to memory of 2716	3168	Pdpmpdbd.exe	89
PID 3168 wrote to memory of 2716	3168	Pdpmpdbd.exe	89
PID 3168 wrote to memory of 2716	3168	Pdpmpdbd.exe	89
PID 2716 wrote to memory of 2948	2716	Pfaigm32.exe	90
PID 2716 wrote to memory of 2948	2716	Pfaigm32.exe	90
PID 2716 wrote to memory of 2948	2716	Pfaigm32.exe	90
PID 2948 wrote to memory of 4460	2948	Qnhahj32.exe	92
PID 2948 wrote to memory of 4460	2948	Qnhahj32.exe	92
PID 2948 wrote to memory of 4460	2948	Qnhahj32.exe	92
PID 4460 wrote to memory of 3300	4460	Qqfmde32.exe	93
PID 4460 wrote to memory of 3300	4460	Qqfmde32.exe	93
PID 4460 wrote to memory of 3300	4460	Qqfmde32.exe	93
PID 3300 wrote to memory of 3280	3300	Qfcfml32.exe	94
PID 3300 wrote to memory of 3280	3300	Qfcfml32.exe	94
PID 3300 wrote to memory of 3280	3300	Qfcfml32.exe	94
PID 3280 wrote to memory of 5032	3280	Qnjnnj32.exe	95
PID 3280 wrote to memory of 5032	3280	Qnjnnj32.exe	95
PID 3280 wrote to memory of 5032	3280	Qnjnnj32.exe	95
PID 5032 wrote to memory of 4532	5032	Qqijje32.exe	96
PID 5032 wrote to memory of 4532	5032	Qqijje32.exe	96
PID 5032 wrote to memory of 4532	5032	Qqijje32.exe	96
PID 4532 wrote to memory of 4600	4532	Qcgffqei.exe	97
PID 4532 wrote to memory of 4600	4532	Qcgffqei.exe	97
PID 4532 wrote to memory of 4600	4532	Qcgffqei.exe	97
PID 4600 wrote to memory of 5040	4600	Ajanck32.exe	98
PID 4600 wrote to memory of 5040	4600	Ajanck32.exe	98
PID 4600 wrote to memory of 5040	4600	Ajanck32.exe	98
PID 5040 wrote to memory of 4156	5040	Ampkof32.exe	100
PID 5040 wrote to memory of 4156	5040	Ampkof32.exe	100
PID 5040 wrote to memory of 4156	5040	Ampkof32.exe	100
PID 4156 wrote to memory of 4376	4156	Adgbpc32.exe	101
PID 4156 wrote to memory of 4376	4156	Adgbpc32.exe	101
PID 4156 wrote to memory of 4376	4156	Adgbpc32.exe	101
PID 4376 wrote to memory of 2812	4376	Ageolo32.exe	102
PID 4376 wrote to memory of 2812	4376	Ageolo32.exe	102
PID 4376 wrote to memory of 2812	4376	Ageolo32.exe	102
PID 2812 wrote to memory of 2544	2812	Ajckij32.exe	103
PID 2812 wrote to memory of 2544	2812	Ajckij32.exe	103
PID 2812 wrote to memory of 2544	2812	Ajckij32.exe	103
PID 2544 wrote to memory of 4576	2544	Aqncedbp.exe	104
PID 2544 wrote to memory of 4576	2544	Aqncedbp.exe	104
PID 2544 wrote to memory of 4576	2544	Aqncedbp.exe	104
PID 4576 wrote to memory of 2616	4576	Aclpap32.exe	105
PID 4576 wrote to memory of 2616	4576	Aclpap32.exe	105
PID 4576 wrote to memory of 2616	4576	Aclpap32.exe	105
PID 2616 wrote to memory of 2088	2616	Ajfhnjhq.exe	106
PID 2616 wrote to memory of 2088	2616	Ajfhnjhq.exe	106
PID 2616 wrote to memory of 2088	2616	Ajfhnjhq.exe	106
PID 2088 wrote to memory of 2768	2088	Amddjegd.exe	108
PID 2088 wrote to memory of 2768	2088	Amddjegd.exe	108
PID 2088 wrote to memory of 2768	2088	Amddjegd.exe	108
PID 2768 wrote to memory of 3232	2768	Agjhgngj.exe	109
PID 2768 wrote to memory of 3232	2768	Agjhgngj.exe	109
PID 2768 wrote to memory of 3232	2768	Agjhgngj.exe	109
PID 3232 wrote to memory of 4940	3232	Ajhddjfn.exe	110

C:\Users\Admin\AppData\Local\Temp\50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe
"C:\Users\Admin\AppData\Local\Temp\50ab95a026f44859591e06cd46ec2da38be23448cd566e227bc722392de0fcd7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\Pnfdcjkg.exe
  C:\Windows\system32\Pnfdcjkg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\Pmidog32.exe
    C:\Windows\system32\Pmidog32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\SysWOW64\Pdpmpdbd.exe
      C:\Windows\system32\Pdpmpdbd.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        45⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        62⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        63⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        75⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 404
        89⤵
        Program crash
        
        PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5400 -ip 5400
1⤵
PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
55KB

MD5
a2e72fd3e394b91cdb2119ec56789e4e

SHA1
05a281648676ce4a366ad5f8cf63f9d5c655151b

SHA256
02f748acab7d10eb795aaac25abd5aabcbf7bd616e42dec6447f5b2d7fa311b0

SHA512
11fb3ff08444a47d20c49806c9a77a7a471aa1ba7220a9b36775332fc646d50d7b890878ede291902597c6c555393a48a6de5cde7cf0dbd70f8ce4d86dd71459

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
55KB

MD5
8e39ad9ba04a628235068a7172207f61

SHA1
afc6c85c1a3add30cf978a9f09261f4cd96c0968

SHA256
e682416c0122373bbc4886c061a7358c8722fd5128a41b8ab4de14f45a8db6e9

SHA512
4d277cbbb0c193233918febcf348c04503738d040fe15bcf78c2a84942320287fd57bf426dc2bf4bcefa39e9f8b2874171e75ff06af9c6a069d9c1eb1027b1c5

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
55KB

MD5
64b8c46def0a85660a6e77d6a18259a1

SHA1
e7799910014a4d35dbedfb95861144deebfd1fac

SHA256
02d99084beb5edeccf62624efb54ec02e4b7feeef93e40c4bebdb99734cd424a

SHA512
3ee98ff1b3d194703a775431f22fade0a23cfc4792f960ebfa43742c388280ca4fbf88dc7d87ca9c8e211fbf4ac8f761df0303a0ccd18f3e68ffc589fbfb7497

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
55KB

MD5
3b68d1b5cc2dabe5c2e5f34cc8217fe1

SHA1
59cddaf858b9c37f51f1e0f9e46f31aff0040c6e

SHA256
b5a3755746ddc697fd80ff665dd1edb42332e064a1069287d7db148b1b863f24

SHA512
0dffc8dadde1a015fce7758594baa655a51d4e22e6d4d130bd6444728af55854726a486885a292721387791df091c57026838a9b60ef76a96dade0700e19e8d3

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
55KB

MD5
b6afa06979f4feb53263e25161156b56

SHA1
da1e0117d3691c7be39c5664eb2b8ac77c71cbdb

SHA256
bdfe89fdbbeb2350b4702e8c5d9e63ae67edb57cd786008c9bc9276449dae1df

SHA512
1703a593736cecda72da6e98e212419baf1bf8523547a9778288be67839a6c35d487802fd60b4f6f776db008a7566615ea4817985d8021c1501b581fc512c5ce

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
55KB

MD5
906d313e1cd88d1f57f8c228b8893b48

SHA1
7d2f51d6a946b1d758b1380d48d44fd20ac84001

SHA256
b92cfda3ad0b0c21603bac6e3ec358d958305d2e504b25a5043fde407e103724

SHA512
8399ca3db8c32047cdf3ed70668929e9011f8f57ae1fa4c5877047404bb200904058f10f110dcd545288d7eb5f3a07271b0ccb99ef73d62f28c65bbde72be405

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
55KB

MD5
5f594b50451e2eb00437e39e0f8b74bf

SHA1
572b945f3653041ad1e060dbd9c324886e6fe918

SHA256
a3d1fcf4fd617a8ff226cb196d0c4808cfe7b56c46b0f136e6ff7f138551da2b

SHA512
020484c685848e43d837e01f6530c689844f0756360ff8c96a8a7e2f075786fe86012fa25d22b36a477a5fb81bd99fdf23cd4089e681368c6dec86c8a4a10dd4

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
55KB

MD5
693345e6a62b0555ade93c22f6e3808c

SHA1
cea781f066e512732ee9141d77c360d01c0c6e1f

SHA256
bcc1e4c1d520fd5681995502469766f4b8256693a70cbce7653565c86b5007ac

SHA512
79c66688e46e75c448074ea4f5863e015b0a08fca26b27ad18776f98a0c1373061ba91c22f134369d164f5dc2b28748a9bc69098591aeea2e9451cd1ea1b15f9

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
55KB

MD5
63b95d4debbb77d627c725219f629390

SHA1
95da9760a8c799f2499b2cf466077240bf911b04

SHA256
25eb9ebdb44f3088157483e014ab69f813ff14674aebbf5b07c39c5806257a47

SHA512
d19503fcd37049821ddb44937993f34effe0d82ebb8602640372a36292dc55c9b934b3850e30f22fde42d7e4ce0b2f0948f3c55724822cd256a1ef71b22745bd

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
55KB

MD5
ec0d06de1907e72a364e641b4e1b147d

SHA1
0cfa1a3ae51c38626dc931d108d6a9e7adf94075

SHA256
51f25f413c7c5117ab2971dd7fe4fbc2a3d4f5702d83a121f2ebfdaa3dab6d0e

SHA512
eb32d4f2c57794b43ba9396057d3fdddd1dacc38a0193ac14432000ef5b7d91db3eb14df6c104a8047d698f004830e231fa15451fe8597a18369580c9e8a6b13

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
55KB

MD5
1967a9dc8f7a9dd7ee6b370fde2430fb

SHA1
94d6b226030fa6e5a1dab64940ae8385517fb5c8

SHA256
2617fb3095053081698c3fdac9c0db4f1b7d610244d38939f7cc41acd75b979d

SHA512
191fd8a10727795e016aaa13f3017732f5d090ebe4eb4e9c2d6587f3cf34f4ed3e9a6f5d1463061722a61dfde3b390300db33bf1c3aead951fa813a7c1623025

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
55KB

MD5
f9cd4bf2423d70fed23d39fe8aa2b0f5

SHA1
3357a0b6e134961c5c4edfb48174b012abd343f1

SHA256
24e3c97762c3281ee2f7adab1d347abb661c29bd503ce2b7ff8b0fdb2e9871d3

SHA512
0c9c287da42fd43cac64e060d73a8dc0f07a1a2ca71ac8d215948813b7ea23f4f1a7406f48ba0f683ff699625bd8c23aab9de4506ef5dbb0b0d900ad2f8f0822

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
55KB

MD5
ce607658a5b1b242c002e4e8ea5029d1

SHA1
937a1f016d3cb4b23f35a1a2274c832a8ab1dd28

SHA256
94b3fc71f590cab645eb8fe495c947c358c84ddf5c3f0a31d006198c687fc8fb

SHA512
4c703c94afe33e875110e258a3332b703d992af3f06e1fb08b15efabc9db36fdd440cc9b22a6120a2caf1a40b05dea0d160f64ba6d803adc0486369dacf528b2

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
55KB

MD5
6b4dad7a0dafe6e6a80208c56f634cc7

SHA1
b9884b1c09380e94e24ae6b4b0dbc47b932a9c29

SHA256
e44d8dbe22f7c63792198ab21b12fc820283055a88d91c0a38c06d6680d8b224

SHA512
16f22866285eea20401632bc935a269e08858fe8b57ab186ff2901ad9eb57d555ec8203fca26a8ceda0e30ee3119b69bdd715a97841aa8e34de2a6e5a40ed8e5

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
55KB

MD5
e9bf7343960e1b1d109c3a33eb21ccc3

SHA1
f16662a074ed42abaa4711515f57b94f0fbe4c78

SHA256
632f9ea9a9b82422802b108639ebd595763353e6b5677f61e2c92f8b4b91bfb1

SHA512
cb1de241e34d6bb681cabb7bcd359428ab533a92c73aa8ae1728c4c0a6a08633b163818ce1dabc1ba40671c980295cd19eb35e596f3c737f7b5e5fc57632d5d7

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
55KB

MD5
8ab8109b613ea8bb182b3dfaf4cce022

SHA1
d7fe404339faf61203ace9bc171b8723cffb5ed3

SHA256
15b16ced0bc6c3619c63d489681f7dadaeeae62a7dcf1aad06476e280c9a7b03

SHA512
a2340044b8cad2cb3dba54cad380d74080f7f6e14cc7e17dad7824ed442916be26f9e29c0a13341cd3ee62460f2a3057fdeb015603846fe61f1527f6dcf6f55d

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
55KB

MD5
6194b6fe8d6787cca5b8118aa8202bd2

SHA1
0ed55caba738ee403eecae134b5b45619415ec8b

SHA256
ffb9259aa02edad9eebddf3043922bd1ada0ec0d4c8cc6f3145660754e1d789e

SHA512
2cf27a55be4b795291f36d726cf92dcb6b0bd0e2d001a882da1ebc53413515096a539786edd2d0e6c2091add3ee0c23314cff12ae4b2f0e6a036bf3c79752619

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
55KB

MD5
adf18c75a179cf60f6dd2381bb298eac

SHA1
272deda4bd28c3d4bfd3dbf857ab9344cb0a5e5a

SHA256
48eb5a9fd592c6e23efe9a3d343e8e833cae5113599bf7f8159c08185b32eb3e

SHA512
25234ac0b5d402a80fd4e3b8627fbf019ad56bc255898506f2a0bdb78e6e16945d4f016d78c1226857dff38c06e97fed12d1b08aad35a585acca777f127a0007

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
55KB

MD5
581ce64db7b78b685720022b65e50fb2

SHA1
b3517792c7ba91ae22ae4cf5fee77ff8671c9798

SHA256
19b6fe91bed9627b2c1995b2e0463323e2b9e2f6bf568d3e31b88e59695a0b06

SHA512
f6b368483bfddfccdc84327a9980ff8268781066d2cb7d1f8aa8618060d7595912b01f71c57610e06eeea69e68ac57a8c97f4c898f3617e5f468ee3eaab30b9b

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
55KB

MD5
e83afe3ce23e751cf1ff6193817728cf

SHA1
75acf7c6d141ba4e0fd9aa8eab4493f32dadb0e5

SHA256
0c714cdac02f6190f5487be5f99f7a39ed6f2da6348a1c88157ac7c2dac72087

SHA512
0c9e10d5043068fa902f96de70b35b7fdb2669386d82f169ea807f12444634985d8ae3a09a2361c8f150c6c25418c96dd576cc4f891a826e340e4b7b1dbf141d

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
55KB

MD5
92b87599076e6f901f35459615e3498d

SHA1
0d72a68785f5e5dd4a5a6d7d6f0b6d4a9ff34eb4

SHA256
26706d9e41c9d6a91101f82465e3b906257d5c845b0be4cc1b5f79327fa42af4

SHA512
ad3ef30a150999e61cf6983717a6a3d9f3160826b2454ac134d4652208c3cddb69faa4ecb9cc3b454985fda4fcd9cc710787afef738667e2a763f304e3525016

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
55KB

MD5
5fa662e08b4adcd10fdd5cd06e516fd0

SHA1
a32399058eb5a6fce21e2a89536a74781588f477

SHA256
2b6e36f411f976d1fb7bfdb79a649d171173605a4410157bdaa5106bd97d93b0

SHA512
e1e9e2cf67eac3cef357710e6279be34ed5cef5ad6a679e6f73d5c45c772b690510f57dbc7cfe1cc8a054aefb208c0424ae6ff4833990a4a0c604a1947ff9b58

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
55KB

MD5
9bafab41bbca3b190a7e61fc06e9e437

SHA1
dde2bfada4127952ede5d1690de6d4a54fef6d8c

SHA256
22fd86dec9124e190c7cd4665c1d3f97e44b30b12f58639deb0c32d20484cca8

SHA512
7de83f491f47bcabe044bbc2def26fac07249420a9164a458cafa59cbe5a70a18d40a09ba32b5fcb88e548530fd66f66f0e6c158f828c197c8e43631de4158bf

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
55KB

MD5
d0826d9c42d7640d37f741cbb0d9f58f

SHA1
202720f039b759f228ef163e99dff0157738772a

SHA256
175970447f350c60f465cb4f6d7f56c877614314e99f9701c09a4babbaf2aa57

SHA512
8ffc9988b8b947cda31d4a187c1f3ef14e194e479b305d8e2919961dcb8a66420643295488b3e024bc5cded5441bfcc741805d530a9cd6ae0a54fbdd37bbb150

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
55KB

MD5
cd344087fcf55cd7f71507361ee83d4a

SHA1
bed547d555c60137d171f6782d1814bfc18501af

SHA256
cfad031b84031b01b0bda0f4ecd464540179f6c44e74e150f2eaf2e3d7f4b614

SHA512
7810a139b4e685cc935d5cc3476dd3df30a22c1b4400848fca79ffb133afa090284a5615813aeaef168130c8f249ac53fc0ad8a67df2c251d4f10cff5dc681e5

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
55KB

MD5
72639b258d8a6254cabc162b94566fc5

SHA1
6fddc0a55d51f398bcb8d73e0e99f5e56da4d208

SHA256
e8f52746b3a74ab1e367c13647c885de36d1018717647d2deb9ab6787ff70d00

SHA512
47baf2af0df8986baf7833a28500d8a7e7908be9754cbfa41c7be533288e3d24e1bb7a83ffdbf0bcb26195e3238ac851f6b05250d184a697d532a44363ed9a88

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
55KB

MD5
b29c874ba0d738a3e9ee096568cc365d

SHA1
0ad5df2177a3b223a7d1ef5e8afd4e9b037fefed

SHA256
c7713b0fece21ec8692ca39f5443bf671cc6c338fbed851811c315b8509290f2

SHA512
ec0ec8d312ddc22562fee1d45760bc2854d3a13e7848f3cf2d8669b3b0145d6af81c1d709a61e8060130b4ae0862d2772892a7ee003b7f9add5f5161bbbf8f21

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
55KB

MD5
31f1f92294ec3671949ecded09dbabd9

SHA1
9bf79c1b68a4802579b2607e996754aae11b1a05

SHA256
bb83ca2f55cfa0aedef0258f3b0961649b61eb356cd234425de9e05dadf42e33

SHA512
204365584b6e90d8cd334ba9be5152444d773674afd11979045637e1d9e7788640e00d56d5f330ba40410d491a34693e2480d35dda88f8704449e9ce6f49f25e

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
55KB

MD5
e8a60d797ee41db9ac728918ed88aa1d

SHA1
53a66215d7453082449d24f428591e13328e32c9

SHA256
263e1b87fc501f36a3ddc0d58c88653e18344e7a808cd84ffbb9d41bcc5e51dc

SHA512
a17b3a51dc8e68713ea59846baa53a69d1421578b70f5d8e74582bfb908ab42598905d80bcf04ef830211f00705a7dabec6d62b43cbcf7d36e9d824af9e3a936

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
55KB

MD5
8a4e642b330e4f3b2cd35deb07218303

SHA1
5472990be7bd25d6be4cfc30313080051e76bc29

SHA256
1916f40de29bf8eb305a583f85e99910de56adb02d0a832f2f530e608beb5182

SHA512
61bf5d2994472653d5f70cd7e91b0168f63ac4faef017bde38a90cc91e3fead498f00d3fa0a29fcf2903e63d95239c42753f12f513818ecc26bbad94a904136d

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
55KB

MD5
cc8ace12d10e64bc90826749eb730a2a

SHA1
685a4c72dc6658bf52e7231c19c16cf1521ddb37

SHA256
8c02c4fca094f01d6bfeabecfcc7e1f25c7f6e938d5d5a1a8d8e5d56f7abad74

SHA512
0635c534049f1642fc8cd613430878d4c2d5d99766aefe942b82f7cabbb39466353400478d68e09ce57367ca64a092a822ae66c9b17e2ff432b30da945d6cb65

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
55KB

MD5
c41d5acd631b35f2209875d4158ba211

SHA1
0cec253fb55e9844ba31fbfcb2285b83d88920c6

SHA256
2f55403bcb64e30aab6e27fba7af8489746ee2c704b8166e1cc289f6197a5b67

SHA512
2b283b0219b6129b2e98d0a5612b40cfb367de121d124058aa5c36cbb5c7a36b35514aa330e60a3969fd4d5853c691fb07ac83339ccca116060a1ecd424e9de9

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
55KB

MD5
cb0753441fe391fb0f077ef904f7236e

SHA1
c0cd79f07954886c83bd7a30ce396be46865169b

SHA256
75d18b9a87088f403308f8e10d6aad9fa702b20ec2a2739cd431a0bac0b7d18b

SHA512
25d8a95ade32bb8ff5c4acd9b343a6a7fdad8c802f3b2b73e306783e5687705e3783aa98ea54e03c066a65fd601ce21bca44d47dbd2a51491b430fb55c9e6679

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
55KB

MD5
a55c1a60193c68c78b342077839eeb0e

SHA1
91e9b0a080eb3460562c2cbd921e1a01053157ed

SHA256
1e9bf6a1a7544b678fa76c1370ceddca3e9af244961490c394539f098e754c8b

SHA512
c986f2c0309782a4d3a773987612af59397ff66e9b405679a171fbd06fa901e3a79b915545d4e744bd5c3bce906bd6fb201b3fac2736e281d6fbec0cf5085ba0

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
55KB

MD5
1a614e1ea0b4e54e0b01093b133595c1

SHA1
f09ca8ab3c8ebac67a72bff2adf722ac8d9957c1

SHA256
694032ad919fc42901bfcd8ef4eff6da249509d6dc7902123b031cdb48cd0ae1

SHA512
db5ad46e5371a2e4e4b99f519e4ddb8ce06b2a623513c87f5a24684c0e4eda1bece19f49f62fbfd90479e139f64d00b4d6bd4d424bf0dc9302f7fc0710100d71

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
55KB

MD5
ee5ba371d45471aea5e627fec6e0aea2

SHA1
d3950f9ebfa0c97e21b78101eedf620163ee0ccc

SHA256
2208d77accba7b92c9a9ec3750a822ad91c1be39a2d862fc5352eca105ec2490

SHA512
1a27c689c1d221e8fb13c99c98cee0b66a05da2fa81abcd733e55fcbba862b04ab4297e9a80279e4187b92a8e375baae682eb60ee5e22246576824d92012bf2f

Download Submit
memory/388-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-700-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-701-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5032-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5220-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads