8f21227413c9ff9d61ee4062d40905aa9230ebef9e382ee587e666e508ae8711

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83d79c84bf2ac6b118a828fe5d6a0900N.exe
Size

64KB
MD5

83d79c84bf2ac6b118a828fe5d6a0900
SHA1

d67c64ab452bc602170fab376e3e3c45b6facfef
SHA256

8f21227413c9ff9d61ee4062d40905aa9230ebef9e382ee587e666e508ae8711
SHA512

94283592e7fe6516a74e78d7c98135df46632a93aad0ffa6aef64e2bcf01e26c03bcc682686c953da3e75ed53a77b3d738ff69871cafffcfb0f111ab7eb57064
SSDEEP

1536:owfbxb1gbveWwv4vRSIbI3y3sQ6+5LtBzpR+LWyPrPFW2iwTbW:owjxb1gbveWwvaPICB5RBzpIXbFW2VT6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	83d79c84bf2ac6b118a828fe5d6a0900N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83d79c84bf2ac6b118a828fe5d6a0900N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe

Executes dropped EXE 64 IoCs

pid	Process
2188	Pjeoglgc.exe
1716	Pqpgdfnp.exe
1976	Pcncpbmd.exe
4132	Pjhlml32.exe
4660	Pncgmkmj.exe
2808	Pqbdjfln.exe
2952	Pcppfaka.exe
3084	Pfolbmje.exe
2868	Pjjhbl32.exe
3000	Pqdqof32.exe
212	Pcbmka32.exe
4480	Pfaigm32.exe
1464	Qmkadgpo.exe
2980	Qceiaa32.exe
4868	Qjoankoi.exe
2056	Qddfkd32.exe
868	Qgcbgo32.exe
4088	Anmjcieo.exe
4356	Adgbpc32.exe
2976	Afhohlbj.exe
4036	Anogiicl.exe
876	Aqncedbp.exe
4548	Aclpap32.exe
3852	Anadoi32.exe
4256	Aqppkd32.exe
2260	Afmhck32.exe
2136	Andqdh32.exe
3924	Aeniabfd.exe
1448	Aglemn32.exe
2200	Ajkaii32.exe
2300	Anfmjhmd.exe
4808	Aadifclh.exe
3200	Accfbokl.exe
2064	Bjmnoi32.exe
884	Bnhjohkb.exe
1848	Bmkjkd32.exe
3960	Bganhm32.exe
1224	Bfdodjhm.exe
1160	Bnkgeg32.exe
4896	Bchomn32.exe
60	Bgcknmop.exe
2720	Bnmcjg32.exe
4368	Balpgb32.exe
2692	Bcjlcn32.exe
4260	Bfhhoi32.exe
4804	Bnpppgdj.exe
3572	Banllbdn.exe
3532	Bclhhnca.exe
4832	Bfkedibe.exe
3120	Bnbmefbg.exe
1700	Bapiabak.exe
4740	Chjaol32.exe
4280	Cndikf32.exe
2824	Cenahpha.exe
404	Chmndlge.exe
3716	Cjkjpgfi.exe
4916	Cnffqf32.exe
5024	Cmiflbel.exe
1576	Cdcoim32.exe
4828	Chokikeb.exe
1176	Cjmgfgdf.exe
1128	Cnicfe32.exe
1712	Cmlcbbcj.exe
4292	Ceckcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	83d79c84bf2ac6b118a828fe5d6a0900N.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	83d79c84bf2ac6b118a828fe5d6a0900N.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5532	5400	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83d79c84bf2ac6b118a828fe5d6a0900N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	83d79c84bf2ac6b118a828fe5d6a0900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2188	3576	83d79c84bf2ac6b118a828fe5d6a0900N.exe	84
PID 3576 wrote to memory of 2188	3576	83d79c84bf2ac6b118a828fe5d6a0900N.exe	84
PID 3576 wrote to memory of 2188	3576	83d79c84bf2ac6b118a828fe5d6a0900N.exe	84
PID 2188 wrote to memory of 1716	2188	Pjeoglgc.exe	85
PID 2188 wrote to memory of 1716	2188	Pjeoglgc.exe	85
PID 2188 wrote to memory of 1716	2188	Pjeoglgc.exe	85
PID 1716 wrote to memory of 1976	1716	Pqpgdfnp.exe	86
PID 1716 wrote to memory of 1976	1716	Pqpgdfnp.exe	86
PID 1716 wrote to memory of 1976	1716	Pqpgdfnp.exe	86
PID 1976 wrote to memory of 4132	1976	Pcncpbmd.exe	87
PID 1976 wrote to memory of 4132	1976	Pcncpbmd.exe	87
PID 1976 wrote to memory of 4132	1976	Pcncpbmd.exe	87
PID 4132 wrote to memory of 4660	4132	Pjhlml32.exe	88
PID 4132 wrote to memory of 4660	4132	Pjhlml32.exe	88
PID 4132 wrote to memory of 4660	4132	Pjhlml32.exe	88
PID 4660 wrote to memory of 2808	4660	Pncgmkmj.exe	89
PID 4660 wrote to memory of 2808	4660	Pncgmkmj.exe	89
PID 4660 wrote to memory of 2808	4660	Pncgmkmj.exe	89
PID 2808 wrote to memory of 2952	2808	Pqbdjfln.exe	90
PID 2808 wrote to memory of 2952	2808	Pqbdjfln.exe	90
PID 2808 wrote to memory of 2952	2808	Pqbdjfln.exe	90
PID 2952 wrote to memory of 3084	2952	Pcppfaka.exe	91
PID 2952 wrote to memory of 3084	2952	Pcppfaka.exe	91
PID 2952 wrote to memory of 3084	2952	Pcppfaka.exe	91
PID 3084 wrote to memory of 2868	3084	Pfolbmje.exe	93
PID 3084 wrote to memory of 2868	3084	Pfolbmje.exe	93
PID 3084 wrote to memory of 2868	3084	Pfolbmje.exe	93
PID 2868 wrote to memory of 3000	2868	Pjjhbl32.exe	94
PID 2868 wrote to memory of 3000	2868	Pjjhbl32.exe	94
PID 2868 wrote to memory of 3000	2868	Pjjhbl32.exe	94
PID 3000 wrote to memory of 212	3000	Pqdqof32.exe	95
PID 3000 wrote to memory of 212	3000	Pqdqof32.exe	95
PID 3000 wrote to memory of 212	3000	Pqdqof32.exe	95
PID 212 wrote to memory of 4480	212	Pcbmka32.exe	96
PID 212 wrote to memory of 4480	212	Pcbmka32.exe	96
PID 212 wrote to memory of 4480	212	Pcbmka32.exe	96
PID 4480 wrote to memory of 1464	4480	Pfaigm32.exe	97
PID 4480 wrote to memory of 1464	4480	Pfaigm32.exe	97
PID 4480 wrote to memory of 1464	4480	Pfaigm32.exe	97
PID 1464 wrote to memory of 2980	1464	Qmkadgpo.exe	98
PID 1464 wrote to memory of 2980	1464	Qmkadgpo.exe	98
PID 1464 wrote to memory of 2980	1464	Qmkadgpo.exe	98
PID 2980 wrote to memory of 4868	2980	Qceiaa32.exe	99
PID 2980 wrote to memory of 4868	2980	Qceiaa32.exe	99
PID 2980 wrote to memory of 4868	2980	Qceiaa32.exe	99
PID 4868 wrote to memory of 2056	4868	Qjoankoi.exe	101
PID 4868 wrote to memory of 2056	4868	Qjoankoi.exe	101
PID 4868 wrote to memory of 2056	4868	Qjoankoi.exe	101
PID 2056 wrote to memory of 868	2056	Qddfkd32.exe	102
PID 2056 wrote to memory of 868	2056	Qddfkd32.exe	102
PID 2056 wrote to memory of 868	2056	Qddfkd32.exe	102
PID 868 wrote to memory of 4088	868	Qgcbgo32.exe	103
PID 868 wrote to memory of 4088	868	Qgcbgo32.exe	103
PID 868 wrote to memory of 4088	868	Qgcbgo32.exe	103
PID 4088 wrote to memory of 4356	4088	Anmjcieo.exe	105
PID 4088 wrote to memory of 4356	4088	Anmjcieo.exe	105
PID 4088 wrote to memory of 4356	4088	Anmjcieo.exe	105
PID 4356 wrote to memory of 2976	4356	Adgbpc32.exe	106
PID 4356 wrote to memory of 2976	4356	Adgbpc32.exe	106
PID 4356 wrote to memory of 2976	4356	Adgbpc32.exe	106
PID 2976 wrote to memory of 4036	2976	Afhohlbj.exe	107
PID 2976 wrote to memory of 4036	2976	Afhohlbj.exe	107
PID 2976 wrote to memory of 4036	2976	Afhohlbj.exe	107
PID 4036 wrote to memory of 876	4036	Anogiicl.exe	108

C:\Users\Admin\AppData\Local\Temp\83d79c84bf2ac6b118a828fe5d6a0900N.exe
"C:\Users\Admin\AppData\Local\Temp\83d79c84bf2ac6b118a828fe5d6a0900N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\Pjeoglgc.exe
  C:\Windows\system32\Pjeoglgc.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Pqpgdfnp.exe
    C:\Windows\system32\Pqpgdfnp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\Pcncpbmd.exe
      C:\Windows\system32\Pcncpbmd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        67⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        80⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 396
        88⤵
        Program crash
        
        PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5400 -ip 5400
1⤵
PID:5464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
64KB

MD5
63d291ef9ef26177fedfddc270ec897b

SHA1
b3e0f44fd3745b8c750ad517868a55dc0397c5b6

SHA256
9d61ef44b50ff3c9e509c3eb5a56f3a6022725fca29c170129ee2db1842da8a0

SHA512
e0d3ced9056a57fa661381d070c07845d8bc5e1d1dd9bb6dd913398605f60c2d7e66723022560d7b5bc1c5693b14b264065c1d74294470112d3ebc3b896a8df7

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
64KB

MD5
1ecfa4b856dee97b69faea3a794edd47

SHA1
2350cf0482f097dc0326be8b9938ec9c2773b674

SHA256
eabb72daa37863fdc418edbd878f8d560d93b3f69a3659a3d9766f709d3e9160

SHA512
acb4afcbc390123ae677b24ecd2cd9ec0875b7d1daaefa6b786cd08a69f0560d8f8112e7502cd4b9c6d3f63402a30efbc9ff9ff2f98f8b6c87fe67cfb5117e06

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
64KB

MD5
3204b911e9ec90c2576ab213df170cdd

SHA1
92b70d18d1708f440799772c506f63a58602d15e

SHA256
389f1745779f64985b2158ae13b3d1f40d83ddc4f6017be2878931b99088ad19

SHA512
e080f91ad731622bf05df33231526b9cf3fb5c7803168ff2100c56568f737cfdba3551f408745d16e29d4e463d61a5bc00d35ee1ecb4659c46d9f2139bd784de

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
64KB

MD5
2194cccd2bdc1cdc8e886b700ebaaf67

SHA1
05e326b57f98111bee596626815a3f5c967b972e

SHA256
c07cb887feb6f0990b2ac0e1a6cce803883d9ad57b77ee92e6cb3ed8d63ee1a5

SHA512
cb76b31b86071c529b30d0d2fb7740a2287797c2ee16ab112b49e03193b3d0f270139e01f7ed425c5283950a009b1efa75635b65385b0cd883fc40fd3ac4e031

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
64KB

MD5
d2d8a10c656cda478a6f6af5db4e4f95

SHA1
348a0cd0fbdd8c822a2d16035ef700738c7c412d

SHA256
98665b2c9272d6f8d949d8e61c0f13c2273aefbf9fc7cc323cddd369a863121e

SHA512
378e1617380c8ae8a8e3ca7c406943e64cf95151803bccd06dd3bab1e274fe8d130459f3c723b9ebf6c39e5de1f22ebbcec08279c0d76b3930eae6e133ce9c06

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
64KB

MD5
04d014376b255b6987f62da79ab6b71c

SHA1
af434af3815ae0871ebfed06f9df9a330328cb56

SHA256
5ce8e358d3482d40004041e11a158b8f51511793e01b7f0215b33208350d1a01

SHA512
b1d2ac2dd22e504a600f5979f1425c59a2b04ad2004749dfa4ae43be470c91aed6fec8e2f6e8f3aecf929a40038b7e365e073571defa778d51484958b07e1a07

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
64KB

MD5
2b0e3b4001643c6f9367768c57477b16

SHA1
0fa10f1d349e5e57e7c4a48c1cd562210fc14d38

SHA256
3c8c7b6835c44e0db973e57a906627fbf0f8f891129ec3a669b2c3ce5353f559

SHA512
c7e0cb0ce5fbf27b758fb7421700a697fd392d995db2baadb64deffeac1f843e072cb3a8641e81f06819d1aebee26ef6e4ec311ddb43a532838eee781ac4c01d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
64KB

MD5
3b9298cc64588630d76ebe1429cb21fc

SHA1
c3b00dfa70f124d8c86c62b32c4fbc9bb72076ce

SHA256
019591335a2397bce931ac0d859a0019aade781e1646d08bea3fe066beb37056

SHA512
038d4206175708ed51f4d90b685147995c4d3f63540cf55347d5f31839de21965fefd5ec93deb3490a10606db4fef69fd68ea79417b7b1faf41af0eecb6f071d

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
64KB

MD5
566d5e100191b0902b2a5acbd2b3182a

SHA1
4f75af85444ad6b99c5db5d2d83598ffb7a43483

SHA256
cccf405c1b889183f928270f1ee744270cdafd86ff1844f5e5896004494fa668

SHA512
df4c700f0e294d568cd6842ace701d31a629d7ceda03d247003b0349a7403f25be9cd13df1ef2850da887f62bd5cf322db7f8a455e669c47186f09975bf27a6b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
64KB

MD5
052bde7855a3dd9ee658b34971748825

SHA1
19c7d393da2ad42e2028acabdb88e4a7907905ac

SHA256
e7c348ffbc30a0d2a3991261635a7dcf4b7c7265acd4bf8ae54b68c8ad426ed4

SHA512
259034a49d43cb84e71aa3fde167c09d489f4bf6637f130af2b6de855e1240c570fc3e3fcca57d708e23b66b44f26a9027bb84c36e3604f5a8008513744c466a

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
64KB

MD5
ac272efa8918e60d3db9693f01408677

SHA1
63282d61fc8a03c076ea3e08861168194745878e

SHA256
aff184c608678546bbd41725bbeb1ac7493cd2b8b55b18b3ce0d7242e1cbbf17

SHA512
3c5e15fa81e2d21d8d9de13394ebd36c0044c1264b3219cab391b8299dd15cf081edd9ffdfd103b587f9cb13b824104c4093fc04279d2180fc40402eabe73df2

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
64KB

MD5
ffbdd3cf270708df27d476be770e28e1

SHA1
961f62618b44cb65a66c0d6f1b3bd6a83ce001c9

SHA256
151c5f87c86c3ba8e1b2638a87fed119a92c9301a401a345dcc67ee34eeb2f69

SHA512
5621461d05cbb576864a587f59a2129dede7a40df3ae2bff009903134094ae03dc94bbc89f1e8ce615fc7facda00a592db4d006597e9732168de85d2337e1c4c

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
64KB

MD5
e7ab911beb3b2045f25c5951c1c3be02

SHA1
2aa92245b3ac099c63acc24436cdf9685bb18bb0

SHA256
3b93b764ef701c7ee71f17d56e8d5f908a8070689034dd4a75e8343ea1e78df2

SHA512
8a3fd69d685f013277dac33a42ff92a5748a0353e101c6d15cb05415d37fad33683e2513778a8337851c9f645098e983c26166a93b438701992999df5ce92f4c

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
64KB

MD5
5f857ae022d11de0c66c65715621cc44

SHA1
d16f18b79d52f91665d79ff20c34672896b38465

SHA256
d429b258bd3d43bf9d7a68cb4aaac5dfe4fe29d15d9269de300905441ee1fc32

SHA512
bae2f4e1c358cd8590efb33ed0eb33d6c92d63f1693d6869d309adc449b6ffae93c49f8276aecfa42083bd9e8cf5429b4cff267f51c91282bc762bddb6aceb69

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
64KB

MD5
f7cbb876b4fe2f635571171dc2aebb65

SHA1
4b20c11dd6262151c94f6775e6d25841bdb20be2

SHA256
ef3969463ed1ddf0af854060e1a1ada5d62e68b3c2f8d3c931f3bfde58ef0469

SHA512
d88faadaf98d8fd39d5ba92a2fb112c2f7073af2bac932fd80b626cebb0d7a91ec94199a0ee592d291938b140c0defe99e10a3458651dc5ecb05aba255e61209

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
64KB

MD5
4237d6e90fdaa700aaae72e3ef79b30d

SHA1
2373063a569a9ecbc8a50e706dfc9ebed0808b68

SHA256
63c960fe1d3b708ff3736b29678fdc821171d047f4c80ba87a6eb6b0c81e8884

SHA512
14ae2a8d47b17b5f662d3da506796a14ebacc0bbf4d73c0784a7d0166fc23136b0b8be76cce9dfb281efcdb78c31e3ecd64079f1f0a27e7eee619b60746e58a8

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
64KB

MD5
87cd0cee945e7adb971195a5080fb43b

SHA1
22b0432c7a8d357757e4043d5ed08d1c648258bf

SHA256
e884e827b3d692c0fd1c5aba36d93ebf928ead8d905816ecec4b72de3e131e69

SHA512
7c1f38df60f19e88bb70c4e03eddcd52081408c1813c3332144a12e29716dd017521e7b844e24d462fd41832342896cf6b205a081007a81bd8ea8a89fd89c37d

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
23248dcf2da792b87d56f04c8967f224

SHA1
fd86aa8eef2b19501dff4c1eb84004bb59c5d1e8

SHA256
e8b1fd732b8046b4903cf1030283c3a122f9b4ba2ce3f02fa9f36f232e6a57c5

SHA512
c71ca03e0f2a2c8ed5627b08650579f533c6bbf14cd7659e0bd4a2d8f3dc235e1cac09b0ca9fb0ca22a831ed6e6d671ca413d98a79ab03dae89d4252bb0c17f7

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
5eb4eb9eeb9075ae9d2abfac968f88a3

SHA1
21c17310d2c7c414cd48a98db8f39e80572830a6

SHA256
436f34dc16ca72f4938ca579059b19c75db503b182424bdd71834321c68c5519

SHA512
0a963cfdc5ac1eb2634d07b697c39435b41b9f5a712db157bb23215194a0b6ac685819c0a7966e77372e551f0ef57fcba5de81aa85e0ec8f8081d521b591d76f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
e7ddfec9dc9b43189eae460a08060c22

SHA1
4238de26fca3df2f765328b75fb25a9edd0ff6ca

SHA256
5fd35a87486f141abe15b4f51a890c423db23edb6e809560c8330da1b34577ee

SHA512
6134d460579ae9542dbd6ffa9dafed68737a590fa6e7adbc7aa2cdc392dcbef894109cf13ed88d1c3538bbaa3cb650f2b8f9bce7b3d4df8cdfb3f2729cc529d4

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
64KB

MD5
3a772fa4d61839d67582af2c99810955

SHA1
97445684d04588d31ba0b62170223d578dcf3628

SHA256
42e18a026fb223778c635676152acbc365220760236e3b8e64792861a78c8343

SHA512
92980901ddcdd4f0b3e83421e8758cecdc84a4842d7d72f53267fa7dcf29e83c3f6da5c97d81f30c1f381d3f9b95be0722230161530719cf95fd951400138cbc

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
64KB

MD5
a8b2a8fbb12e2512d589eee4207a96b9

SHA1
e16377953868c2dfc7cd5cac8897afe8c36297cd

SHA256
1a4658b962e43cf7673e12b7dc0698b528b1c95d76d9402926e9d227ff1190ef

SHA512
c771091216c8cc83f52bda223443e68782571d7e46b99a1d3084c22646d88b356105bd7cd7827751feaf01a4c124e67d18824fdf07496db14b7246b1a437217d

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
64KB

MD5
430bcbc589811b50039687ebfa5104fb

SHA1
362b0f2ae8cb93d66848e2ad7f983f45d5d57699

SHA256
0994898a1c5b9fc26b1567bd869b39b7fe79af4c55f610aa8c9cf18eb08bb127

SHA512
b2de0643d226c49eff9405b4789615098ed6d5e5c5c12a9ef6e4503e582eb18a39c8a912cee72532c2eb111d2f8a10e1c9106e023fd19b39a92c28d6589fd7d2

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
64KB

MD5
3313a17db7dd5fd6fae2563c4e893ed1

SHA1
4a29afac4e741f0dfeae873eefc17e09a538eadd

SHA256
0c4196ed287f8e4590f6411d914a6fcf504ba22c91da2e5f7308800fc9176709

SHA512
cb91eb3463a6b558de824e656645c3b787964989623ef486480f7e99ca3640a65211f68f6858a4e11cfbf69760553efcf684596bbd828f5949033bc4ca628ea3

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
64KB

MD5
ea4e6121816caaa7ff833eb01272f946

SHA1
3b77630790521fea111b807e9717f580e0e42d72

SHA256
7fa90ac8395234efc5c17b5d51197978e164c9e3b1dad379f9728d1c4cc25aef

SHA512
1380a00591dbe76c97cd13d45b80ec1f0ba1285bc2fd66c3b8b6fc51bb0c6473379be09bec74102553fbdb00e5c6e478973cdf18c5db9c86ba0c3256347c3c62

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
64KB

MD5
bc8b36ac410b2b83aa2134a0a3ce8af6

SHA1
4ad98ce417a0615ec1e1222657bfd9b788bc28cd

SHA256
a7afb5335e42cd85fd38858413be47cab80d35ddf206a3601e6fc4e93954e0a2

SHA512
a4d308c6639ddba596b67ebf0d6cf6f0b9522f690d848d6613c4d32f4f411fbbe2acd3017f8977cd77d21c411b6d4bfebb844828a2ea9d305e468b7ea6331f88

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
241c34d0aa3d7076b8c5e67bf023e082

SHA1
6d409fbdef7a5c6a561dde1359135082da29356d

SHA256
0585fdaf618111033ffc9be830dc752ac71a566c8182e0a0aba2f71d8ffc3c07

SHA512
11c74e8e3b2c703bc82ee4e1e058fc36a794710588a3c79474966df5b80becf21eaffa7e8e2afd41f36f887f6d0d2dbe17c50f1bcf41412544f9822c6cf8a9b3

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
b27dd22e9ab93f5972db11d885b49338

SHA1
893dcd570adf3fac05ffc2b99dcc2e3edda18096

SHA256
177f177c7a07010d49cd65be92250244ebb7e379b54379f0c4778ff451ce5e7f

SHA512
416492dbf6d4c612952f9ac56746ce560d2daf781c89123ea6d69ed50227917c063fd14db10a2b55357f82b704aee8efb884e819800655bc88d5545378b50f05

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
64KB

MD5
02c00a0bdf8b021f37ab675d28a4421e

SHA1
bd4636d4f54130eb1ec4c066d09fc5958a6d9555

SHA256
56d87ce7101151f200783ad05b06949566cc1f3c6ee56a2368b27d1defe4c413

SHA512
86ec36f156217801d75f38432faf0d6c4570ba15f8db5d7d5844fd2cec503466ac8180db17ef278f8c86857f6707cc632effbd31aaee9f566648aa72101b487e

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
64KB

MD5
07eb46fadecdae5360af18246f6bec25

SHA1
cadab56c9ef993b7b07cffaf2a43083a5a101f1c

SHA256
22db58971336a6a57a90122a4bd9d78aa80094b8d34a1732307b63594804bb8e

SHA512
78d7baf88be37ae34ebda55a7dab1b69ff73ab590f02ec09b2942ec57779f4bc7ab15e32e9e3027755ef332da713be6d1b224d7c87c966b08b737e2065dbbd15

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
64KB

MD5
7b809ff64dde360cc95e80f63bca258c

SHA1
03af7ec4758abc78123269deb4f2e0ca77d83f26

SHA256
ece163b49fb4a8a9a6086d3a65f45ee3b024ed58e3e4290720c9defe64c4b8ae

SHA512
83a41af8dc8ec27bab68c2b4e1f223209f14d31ed3983afe6e3852a776890a2b5fa250b45c5141250b4a02ab33928bd1ef1e37d75c6df11cd10572ff3f433544

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
64KB

MD5
56ca2083efcbef0603615cac3f951851

SHA1
5360ed28d5d5eecdfac769da55dd2d82fc62b014

SHA256
9fd9732a91c4a64c5661f53d824b645e49ccff58002026ba205095d1dc08d2d0

SHA512
c488d987384a0cf2849cdde67bb0dc658aec64e57a660b95ba1f6875e04b04b6b8c7b5b32890a3221670c3cf8d65b6af56c07d9c6b6335bb1dd28f16e85e24a9

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
64KB

MD5
db1c83c3c17f3ee162705cf7c92c5f1b

SHA1
bd42b8878cb08c3376ad009f375f46a63a3abe47

SHA256
2001a4764666d72885e1984a84288b8489d5dc95d9d1cd1be97314be78abf4b0

SHA512
6f81e85a39982c2157cb24631c99f5216d36069125d1f39ff819b8717d70f197214b837118b65f19397517afa3a9e4ce8c43bf4dcf37c9802f047288fa382fda

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
64KB

MD5
64cb055ee5007bf22ade97cdca5876e2

SHA1
1827371a88d8e10d29cfc72342bd715c04e6303d

SHA256
730e9140acf3baf4e6eec8ae7407b660609bfee257f3015ae5cf3691e7cc7a57

SHA512
1942b5ad37c4670eb6d528f95dee6f57963abb2f01b828ea00f172de129f33098705b60108a315d5f8ebc260b5f9e412f98a82cb01ec4dc082a35eecb61b33dd

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
64KB

MD5
a400f0539829a6c7f0d62b05f25d0985

SHA1
5c644e1702bef9140ffc16dc3ad528e08515fe2c

SHA256
bd5f78eb841485b4699bc91f974720268b94d110eaebd1b2a29ed73587d50f3f

SHA512
18554099ff2128cff95f1c8a3a22e661b0e96726a5e29cba9adea80b93b2b72d09475983faa967a84d9b81f09b108f965fed8d99c086135a2dbcb2e70e700ef2

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
64KB

MD5
344bcf020140d3e1abf10be31a3e0eae

SHA1
5e92eb0d0a4acae0d1db37d293f812c3b89e74c1

SHA256
495c013bba0ee3812af7b2bb2fd5bb13a8fa190a0aec3e1238a08df453132321

SHA512
dbda31e9e6b203cf1c049b8be66c0cade8fef9d5d46d7fee350f3e798cb40cfe7315979d470d02ca8c83f646c5cae1c7f46cfb740eb27cdf71b9fbb9b70578dd

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
05bc067ef8c6bce5e4e0ee0189df7ec5

SHA1
66bb1c904f5742ce0787690592b495beaf0b7b74

SHA256
cc65ff365f1c879503272f51ea034f1e2b00d4410f3a6340b292a8602ced720c

SHA512
29887cec2ed2dae546de25e35e66552aeed21cc3b3641a9b0e5c5d79e0fab10eb769222018bba3f8d9daf3189d2ddc5322dda0fd7ae4158af0cb874f931090e5

Download Submit
memory/60-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/60-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/212-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/212-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/868-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/868-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/876-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/876-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/884-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1160-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1160-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1224-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1464-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1464-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1700-407-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1716-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1716-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1848-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1848-374-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2056-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2056-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2064-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2064-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-317-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-339-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2260-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2260-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2300-275-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-427-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-413-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2808-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2808-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2824-428-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2952-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2952-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3084-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3084-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3120-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3200-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3200-354-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3532-387-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3572-381-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3576-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3576-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3852-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3852-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3924-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3924-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3960-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4036-273-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4036-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4088-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4088-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4256-303-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4256-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4260-368-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4260-434-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4280-421-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-420-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4480-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4480-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4548-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4548-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4660-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4660-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4740-414-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4804-375-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4808-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4808-347-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4868-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4868-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4896-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads