5a31e39b8b2a85e5122e643102454e677c6073cb04941039aad5ed24ae591872

Analysis

max time kernel
94s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 13:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92d95e9d604750729637bc31d5895fa0N.exe
Size

91KB
MD5

92d95e9d604750729637bc31d5895fa0
SHA1

2cec80e410747232261d3b30e93688fbd9be3cea
SHA256

5a31e39b8b2a85e5122e643102454e677c6073cb04941039aad5ed24ae591872
SHA512

651b8f473cf84c00c0f2fd21c61d5dfa0647a55db88d9bda0b6ce615330572ebd1163b6a287a6878a36a8682225b6b025f3bbecd5198f16d271c77b909d61790
SSDEEP

1536:O5T5g128CZ/6P0PyFoK+fT5EM+1ghnqObmVy9Zt9cx0XBQZFo:Oj2E6sPHJT5OCkEux0XBQZu

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe

Executes dropped EXE 64 IoCs

pid	Process
4660	Qmkadgpo.exe
672	Qdbiedpa.exe
5076	Qceiaa32.exe
2640	Qfcfml32.exe
2196	Qnjnnj32.exe
2916	Qqijje32.exe
1856	Qddfkd32.exe
2828	Qgcbgo32.exe
3980	Anmjcieo.exe
4188	Aqkgpedc.exe
1520	Adgbpc32.exe
692	Afhohlbj.exe
2792	Anogiicl.exe
224	Aqncedbp.exe
2956	Aclpap32.exe
3412	Ajfhnjhq.exe
2364	Aqppkd32.exe
2144	Acnlgp32.exe
3336	Afmhck32.exe
392	Andqdh32.exe
2204	Amgapeea.exe
1080	Aeniabfd.exe
2192	Afoeiklb.exe
4748	Ajkaii32.exe
1564	Aminee32.exe
4016	Accfbokl.exe
4372	Bfabnjjp.exe
2436	Bjmnoi32.exe
1164	Bagflcje.exe
3920	Bcebhoii.exe
3368	Bfdodjhm.exe
2672	Bnkgeg32.exe
1988	Bmngqdpj.exe
3600	Beeoaapl.exe
3628	Bchomn32.exe
3956	Bffkij32.exe
440	Bjagjhnc.exe
3068	Bnmcjg32.exe
3632	Balpgb32.exe
4524	Bcjlcn32.exe
1648	Bfhhoi32.exe
548	Bjddphlq.exe
2932	Banllbdn.exe
2540	Bclhhnca.exe
4872	Bhhdil32.exe
5020	Bjfaeh32.exe
2524	Bnbmefbg.exe
2872	Bapiabak.exe
2644	Bcoenmao.exe
3404	Chjaol32.exe
428	Cfmajipb.exe
3924	Cndikf32.exe
4908	Cmgjgcgo.exe
3440	Cenahpha.exe
4204	Cdabcm32.exe
4924	Cfpnph32.exe
4572	Cnffqf32.exe
1496	Caebma32.exe
1100	Ceqnmpfo.exe
4212	Chokikeb.exe
4280	Cjmgfgdf.exe
1836	Cnicfe32.exe
4080	Cagobalc.exe
2944	Ceckcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5580	5488	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	92d95e9d604750729637bc31d5895fa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4660	1184	92d95e9d604750729637bc31d5895fa0N.exe	83
PID 1184 wrote to memory of 4660	1184	92d95e9d604750729637bc31d5895fa0N.exe	83
PID 1184 wrote to memory of 4660	1184	92d95e9d604750729637bc31d5895fa0N.exe	83
PID 4660 wrote to memory of 672	4660	Qmkadgpo.exe	84
PID 4660 wrote to memory of 672	4660	Qmkadgpo.exe	84
PID 4660 wrote to memory of 672	4660	Qmkadgpo.exe	84
PID 672 wrote to memory of 5076	672	Qdbiedpa.exe	86
PID 672 wrote to memory of 5076	672	Qdbiedpa.exe	86
PID 672 wrote to memory of 5076	672	Qdbiedpa.exe	86
PID 5076 wrote to memory of 2640	5076	Qceiaa32.exe	87
PID 5076 wrote to memory of 2640	5076	Qceiaa32.exe	87
PID 5076 wrote to memory of 2640	5076	Qceiaa32.exe	87
PID 2640 wrote to memory of 2196	2640	Qfcfml32.exe	89
PID 2640 wrote to memory of 2196	2640	Qfcfml32.exe	89
PID 2640 wrote to memory of 2196	2640	Qfcfml32.exe	89
PID 2196 wrote to memory of 2916	2196	Qnjnnj32.exe	90
PID 2196 wrote to memory of 2916	2196	Qnjnnj32.exe	90
PID 2196 wrote to memory of 2916	2196	Qnjnnj32.exe	90
PID 2916 wrote to memory of 1856	2916	Qqijje32.exe	91
PID 2916 wrote to memory of 1856	2916	Qqijje32.exe	91
PID 2916 wrote to memory of 1856	2916	Qqijje32.exe	91
PID 1856 wrote to memory of 2828	1856	Qddfkd32.exe	92
PID 1856 wrote to memory of 2828	1856	Qddfkd32.exe	92
PID 1856 wrote to memory of 2828	1856	Qddfkd32.exe	92
PID 2828 wrote to memory of 3980	2828	Qgcbgo32.exe	93
PID 2828 wrote to memory of 3980	2828	Qgcbgo32.exe	93
PID 2828 wrote to memory of 3980	2828	Qgcbgo32.exe	93
PID 3980 wrote to memory of 4188	3980	Anmjcieo.exe	95
PID 3980 wrote to memory of 4188	3980	Anmjcieo.exe	95
PID 3980 wrote to memory of 4188	3980	Anmjcieo.exe	95
PID 4188 wrote to memory of 1520	4188	Aqkgpedc.exe	96
PID 4188 wrote to memory of 1520	4188	Aqkgpedc.exe	96
PID 4188 wrote to memory of 1520	4188	Aqkgpedc.exe	96
PID 1520 wrote to memory of 692	1520	Adgbpc32.exe	97
PID 1520 wrote to memory of 692	1520	Adgbpc32.exe	97
PID 1520 wrote to memory of 692	1520	Adgbpc32.exe	97
PID 692 wrote to memory of 2792	692	Afhohlbj.exe	98
PID 692 wrote to memory of 2792	692	Afhohlbj.exe	98
PID 692 wrote to memory of 2792	692	Afhohlbj.exe	98
PID 2792 wrote to memory of 224	2792	Anogiicl.exe	99
PID 2792 wrote to memory of 224	2792	Anogiicl.exe	99
PID 2792 wrote to memory of 224	2792	Anogiicl.exe	99
PID 224 wrote to memory of 2956	224	Aqncedbp.exe	100
PID 224 wrote to memory of 2956	224	Aqncedbp.exe	100
PID 224 wrote to memory of 2956	224	Aqncedbp.exe	100
PID 2956 wrote to memory of 3412	2956	Aclpap32.exe	101
PID 2956 wrote to memory of 3412	2956	Aclpap32.exe	101
PID 2956 wrote to memory of 3412	2956	Aclpap32.exe	101
PID 3412 wrote to memory of 2364	3412	Ajfhnjhq.exe	102
PID 3412 wrote to memory of 2364	3412	Ajfhnjhq.exe	102
PID 3412 wrote to memory of 2364	3412	Ajfhnjhq.exe	102
PID 2364 wrote to memory of 2144	2364	Aqppkd32.exe	103
PID 2364 wrote to memory of 2144	2364	Aqppkd32.exe	103
PID 2364 wrote to memory of 2144	2364	Aqppkd32.exe	103
PID 2144 wrote to memory of 3336	2144	Acnlgp32.exe	104
PID 2144 wrote to memory of 3336	2144	Acnlgp32.exe	104
PID 2144 wrote to memory of 3336	2144	Acnlgp32.exe	104
PID 3336 wrote to memory of 392	3336	Afmhck32.exe	105
PID 3336 wrote to memory of 392	3336	Afmhck32.exe	105
PID 3336 wrote to memory of 392	3336	Afmhck32.exe	105
PID 392 wrote to memory of 2204	392	Andqdh32.exe	106
PID 392 wrote to memory of 2204	392	Andqdh32.exe	106
PID 392 wrote to memory of 2204	392	Andqdh32.exe	106
PID 2204 wrote to memory of 1080	2204	Amgapeea.exe	107

C:\Users\Admin\AppData\Local\Temp\92d95e9d604750729637bc31d5895fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\92d95e9d604750729637bc31d5895fa0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\Qmkadgpo.exe
  C:\Windows\system32\Qmkadgpo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\Qdbiedpa.exe
    C:\Windows\system32\Qdbiedpa.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\SysWOW64\Qceiaa32.exe
      C:\Windows\system32\Qceiaa32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        47⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        69⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4164
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        76⤵
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        82⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        87⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 396
        92⤵
        Program crash
        
        PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5488 -ip 5488
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
91KB

MD5
ee580fa62cf6795e793c2dda4a0099aa

SHA1
94c46dd6210fa310ebcc42dc448a8d3e7c839ea2

SHA256
0d332a2125173bd55d65dff1836bc830a27a6f96c58cb271f0441f9e026a07b9

SHA512
65028d8ce0a7cdaf56bd0ce99e462fd00a5acbb561ea734994ba8715f141f20c3b3b7f0c6b48fa4a85845583a2b3b238f341ed2e69abb1c315ae844dce4d44c3

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
91KB

MD5
9a7f3368f2d09a100b206483763e7a6a

SHA1
9582ff5a2fdf96fd48f863e5973e1b7ad9bb54f6

SHA256
d50141ad49159b1ce23001c9a3805b60f546f2dc0fd9ada9c010a4c87c1aad33

SHA512
b536bd6fc3f4b0c9c99f6741f2e0dc5ffb4a6a98f1731181c0f30ec6affa98764abdfcc3d8bda2c5d03841b833b105d504353cf67adbdf14576f4314ffe1ee3c

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
91KB

MD5
8e72141436d0099da3c4dfdb43a104bb

SHA1
6e586663c745ab558c2e01440d16adcccdd2705e

SHA256
95a7d3de175b9113a52a552644cade62fae4901ecbe84c9d0228e11101b632a0

SHA512
288d256e295f54f310a1d40d6cb90adfc5b5a715cd854a39bc983229ca7a1d1045c22ed200b476143b54f3ee9af29bb2d4fd73ee63f8781a84287b190d8b6e97

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
91KB

MD5
e4b010a85cf96d9908235523d9e45c4f

SHA1
50b2d27c7875e648e121cbacbcc963861bdd1fc6

SHA256
88ee07713480bfa058a53f06feb52d0eed48ff017353ac77b1deb2d851f437f4

SHA512
f47562884b51711cb75fafa763f19c4a7f15efcd3a7e74b9f0dc169d1f52ed3ab41e606d9cc76a526768b4f0a70888657b90e7e10d874f94d7b377f2980214a1

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
91KB

MD5
21d3dff1a38951fe0a9cae72f869bcd4

SHA1
c601cbe3dfb2090a9c18360da2ea099a0c14fd32

SHA256
7dd270d8962dc86a09bfdf6dad4607ee0993b4c6acb998cb261e25ca6b06a058

SHA512
5cd63933e50f8296761d0f4c179859d64654301123ece95ddf6e8322d93b1674fa2b67c737cb91cc811d98ded61cb7bf721f85f3993c5ea4d47a6665614868ea

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
91KB

MD5
1c8b3e50339763d5b353c96fe8a06725

SHA1
2934b4e6f2a4686933f28fdea1668b121b7e4e29

SHA256
c87cff69bd7ad9c83151fda87f8cce4564f46825b46953402fbb3f249c952b35

SHA512
3f43517b1061d06bb7332da047cf69b77e72dd327d5b6973bf766c7924313b1970f90d27fb4aedab74305292278ac514ff0c8a2f333aacc29e3089cb4fa96579

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
91KB

MD5
3d733bc30854249a91f36a07cf26cece

SHA1
df0dcfb58abee0cb1c48cb1cce08899379be5c31

SHA256
6b1984e8ab1daa28f7e464db84fac25ecfa81e9869d428e9931e5136d6c3d340

SHA512
2fc849685c753c9d671b265e890fa8be82915b9dc51d002548596f4fe0f5bdc5e4d259bd0d2c1329f9d5afc6e01c1b68cf927b29fe1fc70d53dad0138eda5b97

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
91KB

MD5
5a2de1c53638a0c801c870de8c925de3

SHA1
8cc0d813007c1d45e32b0e3fc3ea73bbb259d562

SHA256
a86120b4299724d39c4cd87ac7dab4b8eb2427529fd2beca7125ffd2c2a13acc

SHA512
4d82a589b092f9ad97666c5359490c9e8f712cdee9711600b43fb8a6da2be2014ba249ef0a3bdaa0f4d2cc61717a3f2835d1295a1a0cca5437ddb33b172de5be

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
91KB

MD5
3e31017886ac1da94b04301db62d5877

SHA1
dc3d0a7499275f6759cbe6d2169dbf0f927c071e

SHA256
20a346c5488f08fb818d0ca215d2058b58adf9c987a170b05ae2b4e2cef5687f

SHA512
4b90779737f5f183a43fedb04a004e496b7e313b84e802385c449e80e32ed670f2fe5c78491a80788104cf91d2437744497e0974dc40084129e72e17ce3ab5f0

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
91KB

MD5
8d38c0065b6c2ee22a849507cb9cf121

SHA1
2eb7823264650fd18a5c4b447ca98acc53565a00

SHA256
ac889eac2e3d5e6688ef5fdee0a1f6ab1115791770c234efa5fb2504fa0a5711

SHA512
a4710a8fa9babf44768d004ca670c8bdb49604f6084818bd30936f56f7a6e6fcd311abc8e8d0f36082b8e63d7e38602afa0e236b34927d63892687c313932757

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
91KB

MD5
e4b04cf907d1338bb92bf7ccada01f2a

SHA1
e53d1d3a4ec04ad31787ff546c02cedb35969795

SHA256
1ef9b9f5b9fec884d5178e35543dc7d402532787e7600c0dbfae99dda293192d

SHA512
ba14a52c95833e93fbb33c217eb4ea85d28420c9b8857567fb4554a712ac3e0c0f9f486123604b55f3dfa98500c514da885a48294e5752da86965fa112c34dc9

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
91KB

MD5
584a7b60b56070b9f94fd34262f1a250

SHA1
f2c091a0c9b086110ebef15b1950585e1a397608

SHA256
d8c457e0448c560aa49ef369483c2c33c51b43a5b46c3e06274ad4aa0308f8c5

SHA512
ede1e1f9a6fe041a6e0002f8d0ffbeabe27210b711727e5e7f9544aeb2ccafb7af580e2c83fe585f54510d0e5eb1c47e93e0a75e77156773290d3de69d7e4658

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
91KB

MD5
93642a687f0301828cf2058f077debc2

SHA1
05da3d5aca852f9e73887ca3b13a48c4adb872b4

SHA256
4e7b0eae3d5616891e5a2f06a828bc1e7d697308f3eb66213702741f2d80dfdc

SHA512
cddc9d378571f6fba6266d5fc842d20773b82f2eb892fc23f4da3dcd566db1b82c94f2df8b91d8127bb3db66daf52f81fa47e4254b56ace985415e08b710a049

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
91KB

MD5
8cd8962012c886d948085bea1c5ef294

SHA1
7785da09e68aca2b40fb7ff7be582c2789746784

SHA256
f52385eddeb3984dc46682590b8e4cf8bd4d8626186fbbc54c9a4766c1a72108

SHA512
828f5dc03da3d5023b918a31a6f425e8f63e917b94910a2d99654e2e171b3b4a6aed904d5ac70c3177289e5aef22d3d3c55f39b0d4cf57ca4a8322109913b39d

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
91KB

MD5
fa5bd5248cf2071b3e97d03be0f44256

SHA1
abb93bb70dea1dbc0cb3f0ec475643b2f852b163

SHA256
f0aa92b5321e19816aa580b05842fb5589a7c06cdfe0ec1b723135a5eefea0c6

SHA512
1eed2dd0f789a7206e8919f3f4d749963645a3a095d2ddaf6803aa1eae989ac138040aebed933eff64d6cbdf0ad8f69b9cee2b0eb6ab23dd4c6d728199780711

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
91KB

MD5
3b20e8b86c73b09f724263c08541dfcf

SHA1
1433b3d4f42f8b74a6ee351748e26000a0dff963

SHA256
d694ebbbf20c2fb02950350e81f3edcf3f8cd2a0a81fc33c109a126f810cd441

SHA512
973c4371cc41452794c3e19545bb7acdf38cdac391f96c129e0bcb06dbb7acee319aafacd2f9a6c82349a5ec5d94b1d4f24f2be4739f4a62680a13112af92951

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
91KB

MD5
ce36d5f57f2387d58cde5340e9ee8cb2

SHA1
ffcbe65d4cba38fae16045823053e7a7a4c2af48

SHA256
cbf7205228832774142b6c941ebf575900b60b643b1acffd01bac0ac366c7251

SHA512
2712eeabe6f60c4dc5ae151acc003f88901eeb1ddca80697bcb88966250f03422fc9e008db0be6f5c0b51bda160080e5c1b130492d32359acbdda58f437ca0ff

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
91KB

MD5
1931b826ca7bf9827c6e6c2f21a276a7

SHA1
fc1505dbf5de02a9dcfcbf4ef61f63c2ef22c107

SHA256
9bc0e7012e0b4c12742acbc503d22c4d4e283aaae0f23430be7fc04030cf614a

SHA512
4e435ce613e6974256942accf0fddec1f93247d3ab0a323e038a636c6fea0db280d8d057ef7bf66746cd3c86664f2c0c48f58e7d5c79d3167852c306902b7637

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
91KB

MD5
b41aa58881896ab680cda4ab4c09618e

SHA1
7c7d157a5ecf04c43a07703bea88c4ca71ec61ee

SHA256
0716fa3fa3b34dfc4ac7df68f9dda1e56d488711688253619f4dd6667603978c

SHA512
91539fe7bfb1cc346aadae0015888a91a3823a392548a090a4baef95d5056151d07a58077a2f713555a44ceb446901ec3a37f561ef2a8f468862415cbd5b6b0a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
91KB

MD5
2a341d2acdcc4d5eb4f7b0b5dd0e995b

SHA1
206bbe02204ee88e4906599c5ed901ce89264c36

SHA256
68e369affc5fbff181ba2391fe09ba5c00c651b77b81cc678466a72af60ffaba

SHA512
785feb9f8ae9101b1d2eb762ad70845ed1a38d161fde7f6db5b94fd9cf8cb27f81754fa232376bd89d625c00bd0c5c3dd49cc4d092da96696cd537315b675a7c

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
91KB

MD5
62431326b6407e3fd169b1d8c9e30fb3

SHA1
0dd958a63675711decdcb552b9874486d01a3b77

SHA256
033d00d0ec0b101d08b18318bbb8840342435692d384b027a2b913a1cb54f80e

SHA512
4c4520584d8619013ce9586a65432c3ed4f148a6255504d290300b516f4d6f0a2eacf201269df14bd8240d0d7561bd283aa3a277a606183d58f4ae3ca7b38159

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
91KB

MD5
6f9e342abaf940c4fef485004c1a10d5

SHA1
780010f2a4f20d22e152cf0cc5c4c91e9b9596e3

SHA256
8f76a452ef2fc3ad0d54b2b68a0fcbe317e873dff5190a0c18e7712485e92924

SHA512
a84dcc88e1dbb6aae75b7c31b3e1cab9ddd7ba3237e45a961c2af105776e8836bfe8553e4fe22ac0916beba2152be520142daa4977069c93ba60305101d6e44e

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
91KB

MD5
10fc8c6e64475154e296e4a538ab7eed

SHA1
90b32aad67268d5796646b170a0d8c35713f7f9f

SHA256
5943513a73c08d2e8ccb92b82bb2d0d9639ea3498e724a0308c2d701f2e79566

SHA512
aaf9bacef96254517e3e440e604e57c7fbecb75a1fa71db299714551499806ef65927c959ba885bf00f10dfb476c420b1c68adcf172b854021b184c180553d48

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
91KB

MD5
399ee9ef014d4bf3084d2aa2eb7633d0

SHA1
738fd635e8bf068fee367c0d5a081bea1b81ef90

SHA256
5748ab1e4d48e87dacacdc7a2b869aba36733b390322b55a8907a14ef8182117

SHA512
70632550ff964b0b69e6efc54e79814fedf11d1070237677a0aa0b465336a4a557c154bcd735d0ebb18c1747dd5348e6a5a82dc3ae016451f4c33e2ba162231f

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
91KB

MD5
b243f97c1178c32a5ccc99bfafa990a7

SHA1
4f6ce07c90acca4a844d8dee4b2c3c2067e84ffe

SHA256
bbd472b7e887740039f03e84e3dd48d1c718764c8db8e0712cce39dccf5b914d

SHA512
d404432e6d1117577e3f62d1d18f02207484c6bf5994fc69ac77e9a44486a1e91406f4102c890543906cac5a5f0d0048bc33923cfdfa568239e99b7ae4348938

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
91KB

MD5
c74417e343c750fe8e7f03b5094cf182

SHA1
92136dd294b5e992f5a16b5e7e7df5e72f4afbf0

SHA256
ee14a1edce83121f5af236702cde4af17bcd7f55803039c3de08eef2d7355b79

SHA512
64051a924c485a917a73f730aebe701318784f31f06703d5f867887156cfcee0d667fd9f91bae3896e001e6e95e0ca5acab29d9a437b30a6d33a1ebb7883281e

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
91KB

MD5
a38457cd52a191a2f8a73d13f71b37f5

SHA1
ddbc4bb8c5699557586914454fac41856f005bc9

SHA256
d154c8f18fa7751adcaaed9f31fe92c97b270b649c7f7552c9b7faac4ecc78fa

SHA512
1ae13bd8ec0099304a4d5ea0bab2bc88d2744f8d71688482c0eb20bdc8a0f2ac227b099f84560d90dcbd53d22b72069254ad8147ebf491ba4de2fb89cdc3aea7

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
91KB

MD5
a8f3bd0c7e135e44f69f2252a25602a5

SHA1
068b2915d1cd1f6b5af03e593cb61fb93000c470

SHA256
0f2c5def3e071758257e460bfa0a84853219b6718d3a2039200ad4f58369ea62

SHA512
0a57f7c657e69628dcae21e9624bd37d0a667c27c82d2359b1da4713109b23a7bb4f6b142c3a900ac728ff6728cfd3c85af87049f6ab9931e4f77096d3185cbd

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
91KB

MD5
cc791010528491d22dc4326d3b4b36a4

SHA1
0c171a8788c631f22d068dec528adc8bb42ffc79

SHA256
b197176d349199835e073b7b3b4c8063f60251f85bee90cf716b4df2b5c099dd

SHA512
b89ed58906bc25d9051cf91ceb6d208fefb1ce682e60ca275a6d80c24d0258151a99d2e5711da0127eb9e181aa39815ca013d4cbe310c863c6baee4c4ba31cff

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
91KB

MD5
2c0599d249d2c5043254ad959080a6be

SHA1
8fd84495156fa6201520597689a9a1bdca217d33

SHA256
5c4749ad6dc09c90d33faa538197332e2cf9f120529fb92c922a2e3e6465e71d

SHA512
9fcd2df32a647aecf3b34d3816123989291df72ca39fa6a1debc9040f22325bcb5ffa2fd1ba9e4495d42edeb5fefc52ccf3642b8373c060134cf2b82aa245b55

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
91KB

MD5
584ecdb0c5ed655c5ff99434f206cb6f

SHA1
3eeee4500d7bf94be1685ad1588d8051ae8f8044

SHA256
6b0f9a918038973e59f0dc73cf3ba41d78654e3bb663509899dd8e5a70a2452b

SHA512
e188bee68789819413d56b1f8acc44d5423a4dade707b00770d4a1c2cceddafa21d1c5ba532eec7767f7cc7d4f949d1db8ac2b3e45e1a8b63a6bd3931980ef87

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
91KB

MD5
845211987ccb68734f3e8ee1c9d8d07e

SHA1
7447fb950e58735b648db98da50fc813248bf6ff

SHA256
e93f6a91abd732a021a3c987fa48921326977050e33007d9628c19af1adb41bd

SHA512
525890ce0e3e7935921d37045776c326f5d7df2a7cc0731538ee95d3ffce5447c462b20534c9d1388cb39ff1778784fd0bfbde8b10a0fd264fe0d62d95274c7a

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
91KB

MD5
d926ade3685974b3702fff8c7fab19b1

SHA1
6fd16de6b780423c64aada604a6795e1a6387beb

SHA256
dca3d27a1623379a161bf4ad048e716bb8afb36d4840e2fa69f4fab5daddcd86

SHA512
19835b5000a8107c69d265526fd19d918a47a1dd05e2f1d37641fffec5bbb722c50148af4d4f2e57972b0e8228e8026722c2fd521ae683fa3809d02039c22984

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
91KB

MD5
3640178b6f7ec41e5c411806f7f6419b

SHA1
5faf4a481777f228ad47b5f3b653d6c8772d367b

SHA256
dc05d36cc15151f1e45f85f073e020986d74c5e7c3404235cb8a75942f094ad4

SHA512
1c1f55575923e9c0f5dc47a0e43796c05e6c2660c5dbee9f0e9121aa1628e2b949c8ad02ddec1c07edb2e891790e2518f438504a753431986cdcbf16ee596766

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
91KB

MD5
53e19bc7717a07f6fe2fdc3030808c5d

SHA1
4579a65f9af2c723d8f08c34f1c6e0f8b0f6e0cd

SHA256
f3b59144bee077087f26696a15097999c680bb171435bbfb3e77a899c143c4cc

SHA512
9a61bb01d51510c894deb3177fb6e7b42e3689fc0120f82e123e9bf6b273083bc03da7fefb2b300929053a5810cf6a53d2e2d69cdc4ae961f66d034e454f4abb

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
91KB

MD5
7b07a7a764be9e5eed2d327f520a01ee

SHA1
31c6df579c22bebccf00d4d540781e4bc639af05

SHA256
cb0ff684c8a6b238c0534d3fecf7e545d5cf155d6b9875e3b024baa1512b28cf

SHA512
353115a02765194c54778c185ea2a1b89feac1427f8c1ed81ef8516346e595cf797f3cb7af98266f90ba8b875552c7ab05b2aefaabcb89a537b104864d5309cb

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
91KB

MD5
7a908ff541c99ebd00530b5e58fadd12

SHA1
633b227eb8cae660f722fc0c868581918930cd55

SHA256
58b904144600d49a727f6adec0d81d9bba9bcca7a72af5a10131c77daa2548ca

SHA512
5d427393d5c4753a75aed3a3cd5936a9963653fab3305d8e26818f91dadbb72e620481100a5a9b9e1b2ddae25ae158a250b15e2b1e4d38109b611ac303a75dc1

Download Submit
memory/224-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/348-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/672-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/672-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-650-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-706-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-649-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5180-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5224-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5268-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5312-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5356-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads