f9a016b06f4d086c8907ac8d95d10f9fac29a913fcae501a2a0e4595c055d33d

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6592da3c18879fc4d5fd442bcbd167f0N.exe
Size

669KB
MD5

6592da3c18879fc4d5fd442bcbd167f0
SHA1

053507ff8a4c8084b5541ee1e7bed3147cfa5661
SHA256

f9a016b06f4d086c8907ac8d95d10f9fac29a913fcae501a2a0e4595c055d33d
SHA512

0e25d7b956a92dfc51d1f988d70ba5b73f723f1bdf80e38719534d5232a82ab85ed490235cde8a780e66103d1c63e4c77eeb4862843fcc49a9a291c6c9a4f048
SSDEEP

12288:yFb0eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:yFTchMpQnqrdX72LbY6x46uR/qYglMi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe

Executes dropped EXE 64 IoCs

pid	Process
4492	Ndcdmikd.exe
3288	Nloiakho.exe
3308	Nfgmjqop.exe
908	Nlaegk32.exe
2640	Odkjng32.exe
2916	Oflgep32.exe
2336	Oncofm32.exe
5080	Opakbi32.exe
3564	Odapnf32.exe
716	Olmeci32.exe
4596	Ojaelm32.exe
768	Pqknig32.exe
4540	Pclgkb32.exe
1132	Pmdkch32.exe
936	Pgioqq32.exe
2448	Pncgmkmj.exe
1356	Pcppfaka.exe
1468	Pjjhbl32.exe
2796	Pdpmpdbd.exe
852	Pfaigm32.exe
3192	Pjmehkqk.exe
1940	Qmkadgpo.exe
640	Qqfmde32.exe
2912	Qceiaa32.exe
2896	Qjoankoi.exe
4712	Qnjnnj32.exe
3584	Qqijje32.exe
4448	Qcgffqei.exe
3988	Qgcbgo32.exe
4688	Ajanck32.exe
4752	Ampkof32.exe
1580	Aqkgpedc.exe
2848	Acjclpcf.exe
684	Afhohlbj.exe
1756	Anogiicl.exe
1416	Aqncedbp.exe
3036	Aeiofcji.exe
2344	Agglboim.exe
1272	Ajfhnjhq.exe
4640	Amddjegd.exe
2880	Aeklkchg.exe
848	Agjhgngj.exe
384	Andqdh32.exe
2424	Aabmqd32.exe
5040	Acqimo32.exe
1888	Afoeiklb.exe
2660	Anfmjhmd.exe
1096	Aadifclh.exe
4880	Accfbokl.exe
1640	Bfabnjjp.exe
3100	Bnhjohkb.exe
4864	Bebblb32.exe
3552	Bganhm32.exe
1404	Bnkgeg32.exe
2072	Baicac32.exe
1224	Bchomn32.exe
1972	Bffkij32.exe
2180	Bnmcjg32.exe
4928	Bcjlcn32.exe
2056	Bfhhoi32.exe
460	Bnpppgdj.exe
4208	Bmbplc32.exe
856	Bhhdil32.exe
804	Bjfaeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	6592da3c18879fc4d5fd442bcbd167f0N.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	6592da3c18879fc4d5fd442bcbd167f0N.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4588	4360	WerFault.exe	183

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4492	4364	6592da3c18879fc4d5fd442bcbd167f0N.exe	83
PID 4364 wrote to memory of 4492	4364	6592da3c18879fc4d5fd442bcbd167f0N.exe	83
PID 4364 wrote to memory of 4492	4364	6592da3c18879fc4d5fd442bcbd167f0N.exe	83
PID 4492 wrote to memory of 3288	4492	Ndcdmikd.exe	84
PID 4492 wrote to memory of 3288	4492	Ndcdmikd.exe	84
PID 4492 wrote to memory of 3288	4492	Ndcdmikd.exe	84
PID 3288 wrote to memory of 3308	3288	Nloiakho.exe	86
PID 3288 wrote to memory of 3308	3288	Nloiakho.exe	86
PID 3288 wrote to memory of 3308	3288	Nloiakho.exe	86
PID 3308 wrote to memory of 908	3308	Nfgmjqop.exe	87
PID 3308 wrote to memory of 908	3308	Nfgmjqop.exe	87
PID 3308 wrote to memory of 908	3308	Nfgmjqop.exe	87
PID 908 wrote to memory of 2640	908	Nlaegk32.exe	89
PID 908 wrote to memory of 2640	908	Nlaegk32.exe	89
PID 908 wrote to memory of 2640	908	Nlaegk32.exe	89
PID 2640 wrote to memory of 2916	2640	Odkjng32.exe	90
PID 2640 wrote to memory of 2916	2640	Odkjng32.exe	90
PID 2640 wrote to memory of 2916	2640	Odkjng32.exe	90
PID 2916 wrote to memory of 2336	2916	Oflgep32.exe	91
PID 2916 wrote to memory of 2336	2916	Oflgep32.exe	91
PID 2916 wrote to memory of 2336	2916	Oflgep32.exe	91
PID 2336 wrote to memory of 5080	2336	Oncofm32.exe	92
PID 2336 wrote to memory of 5080	2336	Oncofm32.exe	92
PID 2336 wrote to memory of 5080	2336	Oncofm32.exe	92
PID 5080 wrote to memory of 3564	5080	Opakbi32.exe	94
PID 5080 wrote to memory of 3564	5080	Opakbi32.exe	94
PID 5080 wrote to memory of 3564	5080	Opakbi32.exe	94
PID 3564 wrote to memory of 716	3564	Odapnf32.exe	95
PID 3564 wrote to memory of 716	3564	Odapnf32.exe	95
PID 3564 wrote to memory of 716	3564	Odapnf32.exe	95
PID 716 wrote to memory of 4596	716	Olmeci32.exe	96
PID 716 wrote to memory of 4596	716	Olmeci32.exe	96
PID 716 wrote to memory of 4596	716	Olmeci32.exe	96
PID 4596 wrote to memory of 768	4596	Ojaelm32.exe	97
PID 4596 wrote to memory of 768	4596	Ojaelm32.exe	97
PID 4596 wrote to memory of 768	4596	Ojaelm32.exe	97
PID 768 wrote to memory of 4540	768	Pqknig32.exe	98
PID 768 wrote to memory of 4540	768	Pqknig32.exe	98
PID 768 wrote to memory of 4540	768	Pqknig32.exe	98
PID 4540 wrote to memory of 1132	4540	Pclgkb32.exe	99
PID 4540 wrote to memory of 1132	4540	Pclgkb32.exe	99
PID 4540 wrote to memory of 1132	4540	Pclgkb32.exe	99
PID 1132 wrote to memory of 936	1132	Pmdkch32.exe	100
PID 1132 wrote to memory of 936	1132	Pmdkch32.exe	100
PID 1132 wrote to memory of 936	1132	Pmdkch32.exe	100
PID 936 wrote to memory of 2448	936	Pgioqq32.exe	101
PID 936 wrote to memory of 2448	936	Pgioqq32.exe	101
PID 936 wrote to memory of 2448	936	Pgioqq32.exe	101
PID 2448 wrote to memory of 1356	2448	Pncgmkmj.exe	102
PID 2448 wrote to memory of 1356	2448	Pncgmkmj.exe	102
PID 2448 wrote to memory of 1356	2448	Pncgmkmj.exe	102
PID 1356 wrote to memory of 1468	1356	Pcppfaka.exe	103
PID 1356 wrote to memory of 1468	1356	Pcppfaka.exe	103
PID 1356 wrote to memory of 1468	1356	Pcppfaka.exe	103
PID 1468 wrote to memory of 2796	1468	Pjjhbl32.exe	104
PID 1468 wrote to memory of 2796	1468	Pjjhbl32.exe	104
PID 1468 wrote to memory of 2796	1468	Pjjhbl32.exe	104
PID 2796 wrote to memory of 852	2796	Pdpmpdbd.exe	105
PID 2796 wrote to memory of 852	2796	Pdpmpdbd.exe	105
PID 2796 wrote to memory of 852	2796	Pdpmpdbd.exe	105
PID 852 wrote to memory of 3192	852	Pfaigm32.exe	106
PID 852 wrote to memory of 3192	852	Pfaigm32.exe	106
PID 852 wrote to memory of 3192	852	Pfaigm32.exe	106
PID 3192 wrote to memory of 1940	3192	Pjmehkqk.exe	107

C:\Users\Admin\AppData\Local\Temp\6592da3c18879fc4d5fd442bcbd167f0N.exe
"C:\Users\Admin\AppData\Local\Temp\6592da3c18879fc4d5fd442bcbd167f0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\Ndcdmikd.exe
  C:\Windows\system32\Ndcdmikd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\Nloiakho.exe
    C:\Windows\system32\Nloiakho.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\Nfgmjqop.exe
      C:\Windows\system32\Nfgmjqop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        69⤵
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        81⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        91⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 408
        100⤵
        Program crash
        
        PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4360 -ip 4360
1⤵
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
669KB

MD5
585a9d7c0f48e2e7c0eb9c816a5081a5

SHA1
ffe5d14812180529f6b5315f8fa158a31bb3a7b4

SHA256
0793562d9ea2146b8fa3739c30e71bd00fad783418d0c4ca3bf596c3467b679a

SHA512
a06b51970b6317397044ca5a59a5ffe50d289d9ca79952103eada92f916c140b2a5e483c812387b620e7f012c2fe64baba8751e2d640f66c9078b995f8d49650

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
669KB

MD5
e0990e2cd1056defd7925e24d5ebb46a

SHA1
2966e69014fcd62478eb0aef754dafb4ed18480f

SHA256
d70d32e3496a55fa8edaf6c708ecc9de1aea1f90756ce1f22880815e22d9c013

SHA512
11e55e227018ab2858380f88a5a9bbd70681f1ff47b7ce152abd0accfd192f88af9af07abba425450490ce48688f8a6457f57302ca577854f840c82138329223

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
669KB

MD5
f9d4129248efc8ba168e74708d085798

SHA1
bb7f6121d38215b2305b7fcfd718f7ad3a61994d

SHA256
58acacc5bb8290b81c9cc1182fe1efd397d46d96f803b28d52dd0e2a93fd8d6f

SHA512
c9bd2b0c54c2c71413dbe7201edf4279c760442f22cf27ce167b022f61227fa0ca905ecf92ed67d990c314a15aa8649021ab781e671743a00f7f3f7ebf7669f3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
669KB

MD5
52bfaa4d0388542e6fc390c65fb8af28

SHA1
dcefbfcdcadc8a45a32f8f4249ddfdc19a7acaf2

SHA256
a98c418488ee537602c493602315c615baa2b401ba0c301d53335f548e584e38

SHA512
2713e081caffc8d9ac449a5233e253017fe8bfc67a2bf7cf696ce36d66c5ad3015e085d9f77bdaccf45d8f11acd63e94adb1d13b3a9c1ed5a3eb32c6f85f86a8

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
669KB

MD5
e29336321402f65f716431e08ac2db69

SHA1
561b089ea68487b161026cca9f32f5971b423f36

SHA256
ac3826367f7f35350d519013b400806ecf3cf8494e51994865e404007952ead4

SHA512
5448ab58df969c236bafe59d7571390c876710039909d8df773284f6fc459ee89118e5e1f754a2fb98f5282e7de4308ea2137a695a93d9e43ee7f7e821be6675

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
669KB

MD5
3a76ed836ecb642c6a68888676d0342a

SHA1
636778ada263cb18a1d241be5e597e50efbd5f6f

SHA256
f17eab1709a9432b0fbefad9a0e40b0083f8c2cab2ba75fb644d6f864ab31fb3

SHA512
781e231e426395a9f081f19528b6611649b3bb8b6cb8cd663830b3369507cff6ff695f898f0b6ef6f0ffe34056d10f9cfbe0bdf87fb1bcd5f7dc2b1b7e4918f0

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
669KB

MD5
830184f626d924389fa9fd3a0c3de85b

SHA1
d6571701d9f684ab674e0b8a23a3294af2de9c6d

SHA256
4ef1ea43ced124cf0f41edd5939ef2809fbf08d3d34ad43c3bb44911a4f0bf62

SHA512
654f95c5543e656af39f97ed69396bbaa45afc1312cd969eb3db23242a66654db08a971ee5f5b86d4ccb00993b6edced26158475ee4db6a0aec706daffb191ed

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
669KB

MD5
a8ba11532ad3554fc72b2e94946c4ce3

SHA1
5c0c73b0e0c05382ee97833a894a7ec113e03780

SHA256
5ce6a6f45f1c07006e44fbb08f0fa5e118a0a8840f9d17c9364eaa1a4d9ee0b0

SHA512
ced6e7b9ec677840a16af63f116b1a6acabad90c828ecb33a1fabcea6e6a66861bea82bbd51f2b7502ac2e014dae91d84162213403422b4e8f8117ee3db85daa

Download Submit
C:\Windows\SysWOW64\Glgmkm32.dll

Filesize
7KB

MD5
c9d9cb2bbbe2db2ba2dbadcb724456b2

SHA1
44b33c6ffe0f3f4b89b2c691b76bb95281b442d1

SHA256
1ea46542baddf4d9b948c16ee06ddaa800bd120e78219a9961888a37b940e69c

SHA512
eb15d3dd47bdd6a364cf6dc5ed8ec50741f94cc9cc762bf3c58e4e6d84d191979f0d8c0acf626ea222827506990be95a52ff5af35b28a38175427a7668129b00

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
669KB

MD5
1a3cf301891db85c8bc146e7b036dc22

SHA1
c4eeed1b96012a9d1706793927b281691dd2fbaf

SHA256
5c87483cef82a8e71c7a3aadcf9b8056142db645ed1430195bf9b4847a16283b

SHA512
dda4f6f6956aad3ca096a2919d27f0b70bd3fedaf15658cc458ee115699eb21cf237919dabdaac93804de8ec341d7444ca481b2a2f2cf018ff5bcd3f4ec88fb4

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
669KB

MD5
3d198218902e58613966413538f7169c

SHA1
78a57f65c731fb62225f0e1d91f42cd176a7deb3

SHA256
8c596a183c732f4dd2a5e4c24ca136d2c1bb19a0422de43cbd846beb088336ce

SHA512
17abf29398c59f8cf722600c3ca7b2b7a55f90376570feb5c21910a42b4131f214f548c97066f0fb2c4689f20e8b9a1b3a6ced38c59c5549dfe579ddb0d41794

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
669KB

MD5
291bf9e98a94f1e66272bb4b07d5c3de

SHA1
05ce8c4fc705fc7539e297a932348a961614d994

SHA256
ebee8580842c56b51f5720e3a3d8880814988cf3ad51887f0e9a1f604ef1b434

SHA512
d140123908cae0ce676ec722df5ac85f017b4c1610710bb13f752eaecc0bd75212f3a552152e7a3e1dd249416b9bd9f482f5e48d4de09d8c029d076517ad7ca0

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
669KB

MD5
67aa971062aa8a410c128ab3b24e1b35

SHA1
86fb4a9c072a61aab8f1faa842b81d376b484837

SHA256
7d454ab07f241ec0fb668b8fa6cd88284995839812c51eef701e8dde92b3dc3f

SHA512
709774ae695c95aa2ac9d1ff275698057d6068427a5e1e74540caf87b70eff670f70605e65a25624a9d52b25699283784fd227cd15e921f5d9d0b472303c4c59

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
669KB

MD5
7da095a12d428d8d99407b5d6e6305ae

SHA1
5231ccaae84e7b3a47158007f74f042711231a2c

SHA256
6fcad9eb7e82547d024589eaba9f8de1f1a765476ade5be0b3370baa9d89b8ef

SHA512
27644b5bb174228aa01cfbe95097754c5021153dd7ba0487dd6290b8063de8008ba1b0b7f8f4c7cfe2953432ab06f5180a33281bc59453bc322f29562227cad1

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
669KB

MD5
38041a364734fcf1cf7ac1e718797f04

SHA1
6e56e258a8fe38e877fc8af2218d6d55d536f6a2

SHA256
85c7d15f6a522eb791d1237ac609d3cf2e34431a4ba038956ee52a02032d350a

SHA512
d90e1129aa5b772b2b485fa6d5c6bf31feba56f00b30e661842c684d9c9fc017abeb5cb8f19fabc0153ad18cab0403993c15eb33f2998d98057bb98f3b7762c7

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
669KB

MD5
893a5cc3ae7487d563ae16304396ddad

SHA1
55ae9c64cc4c0a72c8a75a7617f9881758e510a1

SHA256
cb7f9d45c5e09c9661c92851fc7b5ea76ca4dac479582ad3da9056a3e4584bd1

SHA512
d7dc41f767b12260ff354d4bc6800fde21bba6ded791cf567d0499afa77ae60213a239304d8468dfa12dcecf8f2de101f4dde16711c961a2797cb8f3b1514a1a

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
669KB

MD5
f98fbb9713198d4b2026db9440025148

SHA1
bf5dfa97f0286a062d40a7d4550fbd9a24e12eef

SHA256
0b9a6fdfa7bbfe391ce22fecd27d41a6adf97df75676b0204e0c9476d0a3323c

SHA512
098d2bfbe1373ad444f1e4049a7776570b5b46a7ad8508067f2898948c3ed2a638e5099ff29d705625124006f70441e9eda140fa24efb41ed877d8fe228d5d70

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
669KB

MD5
9b28e661d5ad613c822b1cec00b890f5

SHA1
3803eeea6ce67593665a14a84b85dbbd2b9be1a6

SHA256
94c274abe0d7bf2b40b50ebf0c211b665d4a0096a9321914264e2ae5ea1261af

SHA512
fe189f9ccc4e41c7badec1f721bf05bbf8c5ade5726e4d50f414498364d9b3daeea8fdf98bcc75b9fa497a55018c8e0966f57d725582b88a96542ded323ebecb

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
669KB

MD5
cd53a80dc3b2ff550b4fac9ca9f8600c

SHA1
70061cdeac577cc181b625e54df3214bdda56db6

SHA256
099ec52b0ef2a71b279dc67288e0f840983b275cc19e014a3e41efec87f4b275

SHA512
1b88b4adff2b6c5b0685613a5fc845e4e7589877f54d7cb1ed729c7403e0cb9da760fa2a91aca5d2d0e7046e36ef2ec13b46603468c5be3b1448a82829f20a08

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
669KB

MD5
b2a291fb792cd69ce05c7d4ca16b2680

SHA1
5018740befd9ddb25f3e571912f2eb79435e00bd

SHA256
205e6498ef200f6e7133c25267c6496376b71134273acda4fdd678894d9f9589

SHA512
3bc0a455246f3388dec6ad4578300d9f5d4ae42f2a40f0585a117dbcce9f98c61d34c963813f154fa854064a8affc661d29ad88796861c81c3e6a0e6a325968e

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
669KB

MD5
ba12c139dbe4fa8021eb1b8fa72392b6

SHA1
46c70b14676e005ac9e0aaa7efd62e8a1ad7e4b7

SHA256
7ab22b121033fc868b9f88cc56ad46eb3d142a59be7b152b0003b62de936e5fb

SHA512
68b516bfdbbfe81caea4942cfd30c30df8d7b78bcb9673e789889998a7413c16eb563d01b00781aa6c2eeeac640f77e911196546d6d80d861599634c528be394

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
669KB

MD5
d6da10c8ac24167f471019e59eba6b15

SHA1
bbb328ac38a6575908d9632eddd6d933d9b83fa8

SHA256
6db44777a5c14c5750cc48331b12a7543cfb79bc35b3eff4d489ad22995a1e0c

SHA512
5a6eaac21edaeda11c5d0c5bfb4b35e16980d5db39777f10be0124432d6898be930e0f6e813386b70be59f53fc55dd691b37612639491a95f8008d572915c025

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
669KB

MD5
7b1ba79e8e70b90260d10a056ff1a06e

SHA1
6a265e355d0e79b15d738ec519620b1e96a5e38e

SHA256
a155b815031d219e7786b4d6ce2a490b971c9ba1451849dd109e2cdebf660210

SHA512
de0f291929d1f7a02d3277a52a769dce5e8dc42828dcde5eaf477a5536c9cc0a7c43b0a940fc9059700ca3b04fea3765f389becef35fba5d98448ac8cf805261

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
669KB

MD5
5277445e8a870a2fdf4fee3487998371

SHA1
bcf1abd781af258f1d7f2bb1ca5fe470c839ac9a

SHA256
17fb6df968a8d43ed3b1845e72e22775794870152b15d3c186f81104a737c07a

SHA512
c41519ca6e7197ef54fd42bb60381cb7b61e8e92c79815da64624b0d460a22f0035642434f051519abf5a565d2e40e55e9182a7dd24e1c2d037b51bed90d9426

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
669KB

MD5
ee03153bb68c189ddee6f19c200a2121

SHA1
67c82de13f9cae9bf7761f4377d2d65fa53a7c48

SHA256
e79b660089e81934ac86a7a8532a5c1f0e7a3b04766abd20f041a5ba926eb0db

SHA512
89f45207310e8d932aba6f3800cb1f55f7fae5b1abe434ccbc0f9d082de997e46851386e3ae5b896bc5336878d009d6bb72ece12900ab4590eae7243886f430c

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
669KB

MD5
7a2cb59bc686e316dda86cc8af41b70a

SHA1
68c3adca513edd2dfbbdbb87e085b791a3e07bf3

SHA256
1f8459cf67ec3a280b4757def65225a44b6a5c6ce7652365711cb997cdfa30b5

SHA512
5061beb98403729232a889d53930a5eda3ec8f891b005ac3d8fa5d7f1daa768d332c81682f061efe44afd9ba3a0a63a5aee1bd8248b187aa13dcb09f2eda14ed

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
669KB

MD5
17658b8271037ae474a2359f3b083e52

SHA1
354649a02c4dd41c9d493b24954139b25ea6ed34

SHA256
dd3888740dd7b0defff58c8f44c34f47c9199247cc72bd1f228e0fd5a6860856

SHA512
d39e8d4a371e41d356aac28bb4a4cba597164b8208b581d77d1ea22069c4a8fd1f8a7903d3de93a92b6d342c969af5b290ab2ef6f791a6c50061d42bd0c6fb24

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
669KB

MD5
8ad92d6e31ebedb93cd1473bf0ff6387

SHA1
56215933b35d348a9d011c8b82f4a8e0e8ec04c1

SHA256
b6ea674a65ae39abf92f0feae60e47dc0e4e3d85e2fb94afec11645ab834945a

SHA512
bfdcd4145b4ed47d4a763228b36e53e3f64282cc754936cf8cfd8715ab523c0518a2c4be7ba8416467ceb052c6f44a1563690490ca8fc6bab8438debf0401dd8

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
669KB

MD5
76925a850d36f69f2e2eb4a739450e2b

SHA1
fea515f363f6451f7ef56b64af7f7d84c16eee7c

SHA256
62c37402b714b8adf03d44125b8e8fbdd7b44628a59368277f1fb1ab6c10bebe

SHA512
55b9f73b42df613263022a6a2a21331939e1fc4fbf7d55dbb3f7f7fadd57d90411e0a89e128b438a7a2989d34dcc080258951433e865802a75fa4a100bd45ea2

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
669KB

MD5
84c6a5d49ffd628aa6fe1b5e86e49476

SHA1
df3848c22b2e6e5d44d3a63921c2f3f4aed1bd08

SHA256
d1c3a3a5089a5e40197dce00708ecb9091fd11864293f704af32b8a2d0c249fa

SHA512
622adb4f8826e3fb06fbed4c9ad78361800c2322b15408ef0ecfb6e064c6ae4addaeb757181265c2b3c2f29ccd6f08f4d60d809888b5b7d57205b2a9c6e39e5c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
669KB

MD5
9de0275de1f7c5ffba41296775e43388

SHA1
545ce6b0680c41403166fc848a0a51537523bdd2

SHA256
fc377cb26f42ebf1528ff55fc5abc6c3aed7291ab5239a8a1f5b6f9f254b2256

SHA512
d7a5442cf64bd1aa92914904d0dc1d78d5ffea6a9a45ccf6c5013b7c2e52bfe9c364b69bcb6d364026d9b48b17c0e3d727ff3bff8c1749eeeaac35b56af31ddc

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
669KB

MD5
48ac9ca261c23560c5822836d0afe0d7

SHA1
759cc07ab6b4b5d2084b0434c876e8960929dd72

SHA256
e3429c81b69d1348d3139fa4e7f57f1ee2eef7c5d16030bd00113894235fe866

SHA512
fc6d19701e38986c1447e94db45e2319ca536523b265e4fbb0657a902dbbfed2403de95127d14e528a89503935b05f2ebc5e2ab87a3ce6698745f8bc747a8bdb

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
669KB

MD5
4c83ed05b3d8687ea05a9d6d1587d9a9

SHA1
8fa9ee79d5001a1553824670c00cceda921a7bad

SHA256
5d2072e7400b59d94de3a61d6c9d79e3d8bc9d6120e08ae53a568583f8f85499

SHA512
61a240d14b17c90dbb2fa1e298c9f58bcc305c5fa09a1219ba5b64464cce5d48f49e43e727174249194463e899f665fab23e97608d81eb3f6f21a74256bb9d1e

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
669KB

MD5
4f249765ec98acf5168231e8c6fdae37

SHA1
0f681eba9fc5e2fc46209d9b208ee42201b64630

SHA256
80265f3d2e81fe4230ddd0ff231db71c9b025dd75ea8c6b4746967e50eca4e4c

SHA512
d452398f1c55277154507a81e6d482bc8020bbebdfccf62ee465aff91d00ef102dd576a5f1338943021f79684815eedb23c42345768828a045f2fff6457c444e

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
669KB

MD5
db00506b2c8fd44852be0c4e938859d9

SHA1
80c079529f45947eb9f764c99ca3f1c1f706e431

SHA256
77e0bb048efab08d0ded113ed6a6b7094ffd7a455f8894b609399d9eb9755383

SHA512
83a5b64610a9e288adba75af948794d5426d4df01349fc6b03740072d47b6486cd4e35e003fd566c9b0dd9e43ca4d1b378ae2d4dfaa87a93641344d848a2dec8

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
669KB

MD5
551dbe57a0bb1f9974e4f53922f3f50d

SHA1
91c4122099198542d942678ef4e9224245ff6298

SHA256
bb7b23b53af050e8774c43601986b24117d8604c8ab53b835f6572a4e2bf695c

SHA512
07b56ef0a9193acd47cbfea11d9081bc56bf9ad80099033dc00b4c5a9a33313fdfeba006c452920f2e1594fb40cfe2860fe32bfc363664e17f00c9a1f2781f48

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
669KB

MD5
d6064c41e53d6b95115a43a05fb8d006

SHA1
3d511c3650f64c18678e977aee896c1f7aa9c573

SHA256
c426aee3d27b9a330aeca727d43d7a4d5b5a64f065cdbd05c2953a2633738840

SHA512
fa50b19951fad4e725d949254e44847e4480f2e4880782ee30a62fd88e7ee7c4561b99f9d62546cb31316134b0aca70c1fc38e859711b0e03b337d0a4ea76807

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
669KB

MD5
de69257d931b927cb39978caac71945e

SHA1
ee60cb5f5c15c3c21364e93aa76ab74f66ab169a

SHA256
be8d2b0f7f0137f9fc815360be7a09ed7f440b34a0acc016626d916a59520dad

SHA512
f9331b24a4cfb00c63c13b298ac6adc1b550db896ff443c006e21bade891ff4b5e3a58a0ed7e78a8cc331ba43350b196d11a874db4835dae33b6ba93bd74f6d1

Download Submit
memory/384-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5312-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5352-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5432-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5472-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5512-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5652-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5716-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5760-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5804-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5848-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads