4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe
Size

80KB
MD5

a601bfc55203325dfcbea42561c9f3f8
SHA1

8a7c354e7e4630d9620a39aad9c877e3151a27b6
SHA256

4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985
SHA512

e05ab7c5c7f6013879b30e5ab11c12fed1b838f5477657b8cb2e5f652d6b24aa3c31fc66aec62c9965f73176d115ea4b5cc8e9cefc89f819ed06d08b7ab48fd9
SSDEEP

1536:ZhaV7WvXTphJPUnhGj1MrbDz2SCIWVcdZgHFeJuqnhCN:Zhs7yUnhGjGXn2aWVseHFeJLCN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe

Executes dropped EXE 64 IoCs

pid	Process
4660	Pjmehkqk.exe
3080	Qmkadgpo.exe
4568	Qdbiedpa.exe
3084	Qgqeappe.exe
836	Qfcfml32.exe
2024	Qnjnnj32.exe
2920	Qmmnjfnl.exe
372	Qddfkd32.exe
3924	Qgcbgo32.exe
3116	Ajanck32.exe
4884	Ampkof32.exe
3068	Adgbpc32.exe
4848	Acjclpcf.exe
4956	Afhohlbj.exe
2420	Anogiicl.exe
2932	Aqncedbp.exe
4032	Aclpap32.exe
4336	Agglboim.exe
1648	Anadoi32.exe
536	Aeklkchg.exe
1076	Agjhgngj.exe
2000	Ajhddjfn.exe
4056	Andqdh32.exe
764	Aabmqd32.exe
2044	Acqimo32.exe
3304	Afoeiklb.exe
3144	Aminee32.exe
948	Accfbokl.exe
4092	Bfabnjjp.exe
2436	Bnhjohkb.exe
1624	Bagflcje.exe
316	Bganhm32.exe
5008	Bjokdipf.exe
2760	Bmngqdpj.exe
696	Baicac32.exe
1340	Bchomn32.exe
4408	Bgcknmop.exe
60	Bjagjhnc.exe
4196	Bnmcjg32.exe
3400	Balpgb32.exe
4772	Beglgani.exe
828	Bgehcmmm.exe
2332	Bfhhoi32.exe
1508	Bnpppgdj.exe
3408	Banllbdn.exe
3680	Beihma32.exe
4588	Bhhdil32.exe
3356	Bfkedibe.exe
3044	Bmemac32.exe
4300	Belebq32.exe
4188	Chjaol32.exe
4564	Cjinkg32.exe
3452	Cmgjgcgo.exe
2428	Cenahpha.exe
524	Cdabcm32.exe
2292	Cfpnph32.exe
1536	Cjkjpgfi.exe
3852	Cmiflbel.exe
720	Ceqnmpfo.exe
1220	Cdcoim32.exe
2904	Cjmgfgdf.exe
4372	Cmlcbbcj.exe
3112	Ceckcp32.exe
4528	Cdfkolkf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5920	5832	WerFault.exe	180

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4660	4116	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe	83
PID 4116 wrote to memory of 4660	4116	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe	83
PID 4116 wrote to memory of 4660	4116	4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe	83
PID 4660 wrote to memory of 3080	4660	Pjmehkqk.exe	84
PID 4660 wrote to memory of 3080	4660	Pjmehkqk.exe	84
PID 4660 wrote to memory of 3080	4660	Pjmehkqk.exe	84
PID 3080 wrote to memory of 4568	3080	Qmkadgpo.exe	86
PID 3080 wrote to memory of 4568	3080	Qmkadgpo.exe	86
PID 3080 wrote to memory of 4568	3080	Qmkadgpo.exe	86
PID 4568 wrote to memory of 3084	4568	Qdbiedpa.exe	87
PID 4568 wrote to memory of 3084	4568	Qdbiedpa.exe	87
PID 4568 wrote to memory of 3084	4568	Qdbiedpa.exe	87
PID 3084 wrote to memory of 836	3084	Qgqeappe.exe	88
PID 3084 wrote to memory of 836	3084	Qgqeappe.exe	88
PID 3084 wrote to memory of 836	3084	Qgqeappe.exe	88
PID 836 wrote to memory of 2024	836	Qfcfml32.exe	89
PID 836 wrote to memory of 2024	836	Qfcfml32.exe	89
PID 836 wrote to memory of 2024	836	Qfcfml32.exe	89
PID 2024 wrote to memory of 2920	2024	Qnjnnj32.exe	91
PID 2024 wrote to memory of 2920	2024	Qnjnnj32.exe	91
PID 2024 wrote to memory of 2920	2024	Qnjnnj32.exe	91
PID 2920 wrote to memory of 372	2920	Qmmnjfnl.exe	92
PID 2920 wrote to memory of 372	2920	Qmmnjfnl.exe	92
PID 2920 wrote to memory of 372	2920	Qmmnjfnl.exe	92
PID 372 wrote to memory of 3924	372	Qddfkd32.exe	93
PID 372 wrote to memory of 3924	372	Qddfkd32.exe	93
PID 372 wrote to memory of 3924	372	Qddfkd32.exe	93
PID 3924 wrote to memory of 3116	3924	Qgcbgo32.exe	94
PID 3924 wrote to memory of 3116	3924	Qgcbgo32.exe	94
PID 3924 wrote to memory of 3116	3924	Qgcbgo32.exe	94
PID 3116 wrote to memory of 4884	3116	Ajanck32.exe	95
PID 3116 wrote to memory of 4884	3116	Ajanck32.exe	95
PID 3116 wrote to memory of 4884	3116	Ajanck32.exe	95
PID 4884 wrote to memory of 3068	4884	Ampkof32.exe	97
PID 4884 wrote to memory of 3068	4884	Ampkof32.exe	97
PID 4884 wrote to memory of 3068	4884	Ampkof32.exe	97
PID 3068 wrote to memory of 4848	3068	Adgbpc32.exe	98
PID 3068 wrote to memory of 4848	3068	Adgbpc32.exe	98
PID 3068 wrote to memory of 4848	3068	Adgbpc32.exe	98
PID 4848 wrote to memory of 4956	4848	Acjclpcf.exe	99
PID 4848 wrote to memory of 4956	4848	Acjclpcf.exe	99
PID 4848 wrote to memory of 4956	4848	Acjclpcf.exe	99
PID 4956 wrote to memory of 2420	4956	Afhohlbj.exe	100
PID 4956 wrote to memory of 2420	4956	Afhohlbj.exe	100
PID 4956 wrote to memory of 2420	4956	Afhohlbj.exe	100
PID 2420 wrote to memory of 2932	2420	Anogiicl.exe	101
PID 2420 wrote to memory of 2932	2420	Anogiicl.exe	101
PID 2420 wrote to memory of 2932	2420	Anogiicl.exe	101
PID 2932 wrote to memory of 4032	2932	Aqncedbp.exe	102
PID 2932 wrote to memory of 4032	2932	Aqncedbp.exe	102
PID 2932 wrote to memory of 4032	2932	Aqncedbp.exe	102
PID 4032 wrote to memory of 4336	4032	Aclpap32.exe	103
PID 4032 wrote to memory of 4336	4032	Aclpap32.exe	103
PID 4032 wrote to memory of 4336	4032	Aclpap32.exe	103
PID 4336 wrote to memory of 1648	4336	Agglboim.exe	104
PID 4336 wrote to memory of 1648	4336	Agglboim.exe	104
PID 4336 wrote to memory of 1648	4336	Agglboim.exe	104
PID 1648 wrote to memory of 536	1648	Anadoi32.exe	105
PID 1648 wrote to memory of 536	1648	Anadoi32.exe	105
PID 1648 wrote to memory of 536	1648	Anadoi32.exe	105
PID 536 wrote to memory of 1076	536	Aeklkchg.exe	106
PID 536 wrote to memory of 1076	536	Aeklkchg.exe	106
PID 536 wrote to memory of 1076	536	Aeklkchg.exe	106
PID 1076 wrote to memory of 2000	1076	Agjhgngj.exe	107

C:\Users\Admin\AppData\Local\Temp\4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe
"C:\Users\Admin\AppData\Local\Temp\4ca7db8bb72c243be0b2c8db634fc4d6e619cf85444ad182bff294580a99d985.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Pjmehkqk.exe
  C:\Windows\system32\Pjmehkqk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\Qmkadgpo.exe
    C:\Windows\system32\Qmkadgpo.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\Qdbiedpa.exe
      C:\Windows\system32\Qdbiedpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        73⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2644
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        78⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        83⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        90⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        95⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 416
        97⤵
        Program crash
        
        PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5832 -ip 5832
1⤵
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
80KB

MD5
e1ab51cfdd71526e91431095dcd10a38

SHA1
34d51c15821dc6b8a5a4f1f42451035233098b29

SHA256
a7bfbdbbf127e01b2cc185da595b47638560b24a78a55d4628379b5d8bacacc0

SHA512
b0e6621becbf6cf782a5544cda05076a9d5d7e8c064ace4fb3a867f5a4c4e9d94b3be4e4cb2d3f76b8e8c4f4ab096f3254371ff9a4cd3e2fabb1980e047bcd5b

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
80KB

MD5
8ab14c039c04bc9d896794b7ce05f3c1

SHA1
36d83930cef87ab35dbeb544e544cddfcc715956

SHA256
def43bfeac10ff1e961351448f7603ee85ea7cc843749d25710996f0918de8b7

SHA512
6d4fc04e8d2e7b2ff41d0d8a7fd189e70ef995a5fdf9bcbaf72a3ded50b4b7e7f3ac7c41aa93f0ddf4733c5eff260d37633de2d42059900c43395f1d055accd4

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
80KB

MD5
8feff2cdf8fec479ce5d6e0df6c94045

SHA1
51ebf21c8af15fbe105808110a8ef29ec7813eba

SHA256
3e76e48156d0423b40524c3e9eb81e3985f1aff5c47886102fa0e3881694cf91

SHA512
972f3d772f0dc7587ea57a8790274bc57b44ad009ec81422d951bc907b9a42f369d76d44828c8398a1d35d133522c048fa62563d8d07a4e9bda93a7f0aea955b

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
80KB

MD5
edf226abb10667a64d6b5c67fb7aa7f0

SHA1
a03834e7b8145aef686b4bf74144e1d1934197a0

SHA256
683b9d953abe031ccc650d8bf51dda6599668b654dced628858397ec5b0f21cd

SHA512
2c63b73bd2bab136e3bfd8379f7cf876351da5542126c145c661f923bfe4c0ee33523ea730ea40c78e27632517a2b91c758695fe651c8778cd3739d0278eb870

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
80KB

MD5
0991b6719fe07cba797abb9833fef1ae

SHA1
16d8c6e4dd70fc9fe91fffcda851de64f7d63115

SHA256
1981e645cedab395bd08ffbfcf003cb06412d0115be5d408454e1e66ef5b4a8c

SHA512
44850c732835d8682c3be16940aca1088eaaa01a97b81d5c3ad3818671144596a6dc304eb7e361c7330b45143ab688d06b28733334ecd2dec25509c0250d230f

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
e257e89b8d63eb9111fe852f33ee9e9b

SHA1
005114c18a7b4787ba146bbba714789bf90194e9

SHA256
abb13227b6df7de426136ae9c1f0c39630baee69cd6d9324b556a8af8e314f92

SHA512
6d2f07a6b5178d540170ea986377b591aea2bb813d68c8d803faef9291bacebb0229735a32f3cc0fdb9bb3991f2d0a3a720226b93870cc8f306810410d776bac

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
80KB

MD5
71c6262956346aef1775b19a17d0b04c

SHA1
e1b6f8f4669e5883a60adbd1073b36324f7bb045

SHA256
fe6451993973cfdacd0ffe319d8ea1d08252d7942cc8f8cfaec7b8e21fccf777

SHA512
8c11359331d29ff51368b082529febc412f80c4968a05e31915fbf866971b785968ddb8416f2e56a6e9db908d9c64b278561b8e2cecba15bf0cb31cb8556d987

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
80KB

MD5
87083c11aa04e84cf36fb9b58562aee1

SHA1
df27b8321e223e6755a5b99698f6f2972027d698

SHA256
02b7e57a7bf605e01de227b04b6c118a0c1d4a60baafb45ef9c5aed3d44264fa

SHA512
fc453a1b2a946a8ed2cdd0b765bf1f46d7917dee2affd9880141f83e1b13fd62bef4f673400aa23ddb933e83e404a1cb71aef04e299e3379edc45d34463032e1

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
80KB

MD5
4e6be94a3c561190bed7275e13ffce3c

SHA1
3a8ec4592f494c2f85b4b917cb927768668c5e4b

SHA256
1c85f35cedd386abdf2ba7dca1486cbeff666bd649d41117dfaeb6cef41c1dc6

SHA512
ce8a210a4a11f5409952a79e580eeb0d0fa67947e22c6bec833ef164b99f5a1ed4f8625fc638c9f7a26854297630aa40ae1a5e3b1b01820fd5d26d8d9499bc3a

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
80KB

MD5
131bddef7caea83383cbb19f53ebc569

SHA1
7c1156f3fafc90da996081b49463252f49b6f448

SHA256
2f5eb16c4e89d1f9a903481905572ce4a6b89cf76f5e43285000faf9a1c153b0

SHA512
82af2256ca7b13262bf97bf43271fb8d63982a01aaa4c0c994892be6a4dafa4580c8f2db797674fa815650318fcaa18266768985306b05899d4c86ea145df1b4

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
80KB

MD5
b71427065d749a3f3cf23d7c8f9ce9ab

SHA1
4839c9c2b2b52cb01a390bbc8853afaa32018d10

SHA256
8ba0fd391a4f0c1fd0317988ddf4436ec3ce720144a560a5454bf8fbd625c6d7

SHA512
6872fb13d28a4d16fb8c3e047d1ae5b9add1f3a5fe61cd1f2c435939b1662b71fe3ccbac2ac2e774f61c91d3d5b69b7177b8d2b8e3ecc900695f9c66a97a7f81

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
80KB

MD5
f3097afdc211f90d827ec85007f8dda5

SHA1
b5635f913c13e6e3de6be7aeaa62b9a5a2297e01

SHA256
76cc32402f829d74dedc367ad68ac48d5dbb3e6251865fd1fa01e3fed7f8d856

SHA512
4fdd2f3a0a5b039e06546565da3eaff46da32a1b6a46de2b72de374936cc2ae600c5c6f47f1a3244619dfddeb220ecba3881c9818d114b3a00d2b3df6c67b6d6

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
80KB

MD5
6cf457d9ef99f8b005076fbf8343015b

SHA1
9af827ba069b4b6fdc1ddbb93914c7974f5cf922

SHA256
68e5a6afe44710397de89797b2a1b950cd36124d1c98134a445d37f830aed2e3

SHA512
bc647d0dd4f06c51aab1dc4f78cc45832eebd100443eda013d0b40edb7c6fe8dcaafab3ff584e6fde9d7c73eccc342b5ac9811c323bc230049d83997a4df5916

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
80KB

MD5
ef8dac17297d05c710c871e7461e0d55

SHA1
fb6b64f9b9e6ffe4f6cb396bdda976666c67e29b

SHA256
a7d5b60b6819c1ae4133e18d507e4a5020384c8e8f0b1ec8114f70c548919439

SHA512
dcacb169badc9daf0c24c351301c59e9b5186f8ab94abf7e82561608971926eab70e4e02e0dacb5c5f078a69334da34053f1d12e8f89ada32e462f6774a1819a

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
80KB

MD5
0b5573ed9e2e3a4bedc39ed7256e911b

SHA1
7e85d354d261f36aa3e75ad72ba66a0b5a90058e

SHA256
04ac9a8e0e959780898a60eb8003b4e03d39be71363f04ed89b131c028b0b53c

SHA512
892b46109aafa20683be367115448392203925441eb2d0bda5ed59ffc8bacd57191023fc1aea53b3f55b071b60e6f1a708ee7885ff03da5b6e18d2430de09d3d

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
80KB

MD5
fc59930d2795bb740e5771a1da0dd04b

SHA1
b47ae1c5772d4e45576218189e2e0994f89f718b

SHA256
a0cf71c6ff2584cd1b7414a0b9179f38a2f75b3eb1f9a9829608a3550b7b995f

SHA512
a349cd53c0b15fb4c1fa5f71a5ff5481c7e21cf5d50cacf5c006e9c6debf154cc49d5a0702db1dc09d3283f98eb1c3fbbb1abea1683c03fb8fc75e4a69895c56

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
80KB

MD5
ea7871b7850ce19c237337bcaf2aa681

SHA1
314542b472ba4a282ac9f3c5f66ffa262de83a88

SHA256
46c28084c7684d4ab7b6299a9a1a97dcdcd887014e88e23e9d1d462f980e9cec

SHA512
a9c525f9edeeecce434cb24fe64f5fb8e7b5d24fca5c8588b6f57e2c1eec4837325f0546f6f54eea6d5f2b2b39d7c0912b047284450fb2e55efc61950e1524b0

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
80KB

MD5
be0e3c97ed15e36ac4b8f65dcf70ff76

SHA1
d9988cf8fd1c4d566d2d87d5d25b6c2e5b975326

SHA256
d611c1b19686fd5a12cac8d39dcf215a25e0f9b486f42d0a783ef14369dd0438

SHA512
dd0b6dd3b7855eeb5849d7879276a0527b08c60ca587b8a07ce05c8cfbabe95c2c6c278dcfe13aa72cad0bad2faf3f4c0d92e81e30c2daa6ed28d89a4a8ec3b1

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
d106fe015700008f2c5a418e87786782

SHA1
f4558cdaf77d250c5f04ce8e93e8c85fe91cf4ec

SHA256
535662e300f436569bc52aefd4da44d46f76a8688d67173f4cf7475de77f33f4

SHA512
877b4d07c8a5cba249e0da1b41cafd757a32908800f7b9a0418474747018156571e9323743ddd62288a34d4703b438a49bcce4c50b321ea84490802e31ed7e72

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
80KB

MD5
45dc0beb8085609511f5b6de8028e889

SHA1
f8e37a77b1e0b23f1439c57f92e50e934752f5ac

SHA256
64ae81948a70710dace79f70123dc1f7b71fdab2a3989951269b1cbd898138e9

SHA512
063669e132fddff0cae67e1b122f7427b5f63f0b86f4cef0544893efa942dc0df0b3e886c8d5e4bbff28489f6573f1e4d968430c267868f9a4eeb8a54f2f8d38

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
80KB

MD5
6f75c402f3671663199ef86cd76ac989

SHA1
3473a5a3a8d24ed6ceca399c7dfea345fb471098

SHA256
8f1f617f8dd725ae54415dfee13cc2637bb0175469f461a0eda242bacebc1ed0

SHA512
a8191f558c07ea9b24812d029e16b1e3076d3a6e2d5d3f776ac023119d71c2aea41ad9049fd429a8ea1758eee0cb337ad99cb4eb6c023aef9df70af093e9fd7e

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
80KB

MD5
d7ca2313f039969d2bd004bf55f0e5c2

SHA1
3ec94676b259b47f89a15a71688f5d13b40a8492

SHA256
f08ad487fff8836c8408591fc10016f1c1f507451f5be483cbc513c696552936

SHA512
7367450e0ffed4fc06733ade7dcfb56a9f569b35c6cbb79a40ee2fa21a5b9cb0dc781059696572723c9fb685298e1da2b7e8c596926653c3eb27ded7fdb71556

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
80KB

MD5
840cc7eb8aee220f4a8682a1c6406181

SHA1
aff5159778151763ad3b9d6d7510689d970ec2eb

SHA256
85f99b054545919e175b13043de4e35b1307842e67801e8e04239d430dd943ae

SHA512
a560857fc2c21a828492ecfdecb94439c1f610d35b17d92e3126c40f8eeb33ebefffc46bc3b182c4b7c07bdb929fc76fc81a5f42548b963dff38e5f92630642d

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
80KB

MD5
d108bc1a0037304fd0437742cc1fd01c

SHA1
0dd6cee961f4f4886f66d975367a32fe3f8852c7

SHA256
e795d3adbaac6da0a053ee8b4a443567e3529dde057fa9b8dacb9474254675d4

SHA512
14c121d9dae829ed9958ce0bd8b8c1d452963e4f109f20ebda3cec80fa32585caec63709226e4a32e5d8101e70cc75f2cd3e5123dde446a86c5ac0c004d7121a

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
c0d57dd8c14be43deb460c2a86abf2d9

SHA1
4852b6e99352a1a6d2b91844bcc5da901cbb8e56

SHA256
def45ea068a88016d26b57696f470ffab264560ad78169d8c435d6de99334c7f

SHA512
ade9098a02c7a43533dbaae434837d893add1c9d76fbd31ec1c385331f29e8c67cc761d28e99d06c604e2c28bfe6b062337acdd51e2053628bf29e849239ac7c

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
80KB

MD5
554b103701bbb56e9a24c55b13c1364b

SHA1
fa63359341a91063a59f6b646e14440b7b26cdc9

SHA256
3d25c85b8a944e98dd4a693cc3887a7d9454f3cf024d5594b3ad33ed4704acff

SHA512
60e240bc7226388a55d04605951fb4c8f5edc909b0b93f6cacb39b6f582319a879e15a83b4591e5ac0630cd5117bfd316a28b6a82fa46f69d12943d5e5fa83bd

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
80KB

MD5
7667a0cbf5499c626146c8f8317bb285

SHA1
0da90b080e3ddb10c91d2ca1ec46f3f3229b25f4

SHA256
2178ff811ed48332d2e9de42df2143dc94811ba617914c9538079e25dea7fd2b

SHA512
f2826bc4d6ccf6a1d47414c2eda367e608b59c7100d8b22ed26feec156676c313695541e452f89a5818331594be9a65eadf7c02e13ab029bbced2d42c60e94e0

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
80KB

MD5
309f264066fd307cbe8d95c04d53e78c

SHA1
c1c45021ddc7bf52bea49940b0c615671c40c1a5

SHA256
22f30a01509b9aa797e32fef0cbb3079e562b01e491d664745aee7188d32b07b

SHA512
6e4017e501318f199413a5d98535142c36450f4199a742e58dc2b29b9895f289ef4996e006d9f58cac0d90cca8fabae620a91a92543f27382473fa05121c013e

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
80KB

MD5
d719f90e6737377ebd8bb89ea87ab084

SHA1
794164551cc5966ec42aec000f8c5c9e65ab0feb

SHA256
5024a2e03c8fbd18ce5577dc3a232a7453141dbc5d5c7bea80450b03548ddd3e

SHA512
e597901b397c60de993c658e11b76e1919f2a2fb5d2ba3ef34fe57fd7009fb7b6fafc4b5dbf5a26ca1c8b5c67d2a9375eb40e31afed64a1dbe7b5b2272d6ef79

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
80KB

MD5
39c366907878b89165a5c794be66ad9e

SHA1
bd877acb9e77137dff798f40d4588246b026913f

SHA256
94f26a71255250cc8630f4591d53b0ff943209d6daf517c2f23a17cac8850f89

SHA512
1043ec0e76098209a4b779dc5fd260f13ac2173527eee6644576d16055f3704fe627413b7e68fe989b2aa7ad184c4e0442f464c1aceb195501f2a91b2ad9428f

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
152192d00bfd49e984f81b532d79147c

SHA1
d9d37699a435abb2f13cfe3c4bed62da1d91fa35

SHA256
898ef16ba199d798282d37f7a335e645407a209fb600e781b735e1505fdbdfd2

SHA512
ebd601895734ed2650dc074a792f946e32dfd77b7533098deba55fcbebde242ffde7b89497415e9b948fe85684f9cb3a3fc9f4cc563f5e8235bc32b984c4e7b2

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
49dca2690b178ce7144510f659587291

SHA1
a3a02c54d0120bafd745c31188e0cff08f2514f2

SHA256
41086022a613591c8603b86456a5356bab4468d59b6a23d3a605f37fdfac52f2

SHA512
4dbd9c00b3a221a300e261c9eec4e378259d311913adce6414f256d62c7724cfe2f1338580beed6c3fcd31337c67dd0f2920b3952b624e59fe705ce34132b209

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
80KB

MD5
a27aef02940759a2bfea5c9ce19301f2

SHA1
05eae5ede263001cd5fdb23a4c28d09edc9a3ad2

SHA256
17db3e657253a327d38e71328d6c2ed79987f576339eba149c7f0641dc59c81e

SHA512
00a8c122efbc4fff99f2bd1f78ef438aa03966c2036b0b00e60dd4ee13bf97e0c0b93826e65d36d009ab7ca9040aa9cf4bd2b43cb2ff82b03907f56b8b5e5d6b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
80KB

MD5
aa8d52cb100cad5d34d5939cf31ca63a

SHA1
b37fb6cc01f8a698eadbb15b3f2e37b0a1149fed

SHA256
60dcf2bc44b2f48d201253ef7aa01c21e94b46bc84ae6d61a4f76ec105b663fe

SHA512
5a7a64010f99c637ff59d1cad4aa8a5dd751669042658414289188b8b5e68183089495375930e72a626ebbe8161a0f5c58df0e956d7bd8d7e4a10e76116e0aa3

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
591fcbfe6e0af76a0623f78fb16f7e1e

SHA1
639a1c6cafb2a1b0caafdf46ce8f7c134d201936

SHA256
4b898e75824c72a926c475b1117159af6818348d9bfb51b0b6ea7931d0984c9f

SHA512
8be9aa206a6fffcbc82c21c0f9bf696f442f8eea9cb5a355b4fac427d1eba980bff115b69b7936864bcd028d24e99dda08a6110043a27abb010232503eeb362f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
80KB

MD5
784eca105fc0c83f35688b4728b0365d

SHA1
681e832c99de7e0087c9c79c34620c26a8355095

SHA256
7fbb52bcba59c561ad5dce25860dec35c1c93aed6fe009bc6b51f5b729d77638

SHA512
7fcb7dd86bd8e1f7b1449a9d1ff8fe502fa253452abca6f68481effdbc4f9f291b5a1ef1339c00cdb16c23eea152faa6d9e2457f2ebb5d094470de0d03df93c8

Download Submit
C:\Windows\SysWOW64\Gokgpogl.dll

Filesize
7KB

MD5
9f60da9115fb9565b0cfe234fe4e4be7

SHA1
a746e819c9d84ac9c26352163cb4b0a0ec6d8ab0

SHA256
fb91a3c7982fff0be968696026b4e54ae05cc21fd3ad2aa8dba0b4fa48939dba

SHA512
8970be46518916c22b46f2ae177c933082c797ae04f200f272e51faf65843f037eef3aaed91f784ca857d4c08108a38e57ee917c3222de4dfd31188716baee15

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
80KB

MD5
0a2c3b884450eda212d2fb574f808e68

SHA1
37cf20757496f7a0dd49d4cb7f38d94d5b0a6ec7

SHA256
32846fc2697e8e7313df99667fcb4b1d8f962fe3400588b88d4d04bbbc1f88e4

SHA512
4d1dfe169ee4617fb3df5cbe916fcf693a58f0c4be280736a502f4b679bc3c23008d2db9a65f89761fed816c02fbd01b84a8cb5884ac93549af46ad712cf40dc

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
80KB

MD5
14cb779d12ad4d346ae10cb4122b4ff5

SHA1
bc9797801ea73f2175dfe5aac763a946739b0e62

SHA256
470d9fbccc275dfd5af3f4e06d66717faf4d297f37d1ddadde2eb3ca0848e2ee

SHA512
f0d9df7eb1aaf47982b608e692b67cd8036e05aad385d708001e0dbffae6b49f837b75473c9f4ede144b888872caaba747337dd2c2d78a2b70f164217fbace63

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
80KB

MD5
9cbe5c724bdb9948b8525c93fdc7f43b

SHA1
9d5357e375d63fc81416a489cef5910020c9814a

SHA256
121cfbc5802d971c98a5be75772a0a464cc9e7c7a233881bd8c1fcfaad45618e

SHA512
f094283cb0c80213459a2ca4e6f4b220ecb95858d819cb98635235be7ad1b25be1069257447d494c79d00b2bba0a738aeb012ff29f3f69a0f6c4eb2f90fa5312

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
80KB

MD5
ba8922385c68e324bf310a5eed4487d8

SHA1
575302114a21561ea4b050c5a4bc6d0b2cb5fa51

SHA256
008dcc13c369cacfb24f74a204aade7f9f52d8b0f64011c0538d9aceed90ee1f

SHA512
00fb13f5fb16bcb1d175388a341ffe798fee55afd7914e90388b0010df1fc7e32a74cc3bbed9e05ca688318514899cc2324ce5adacaacac289a6cd597fbc7f71

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
17b62c844f41c8ead3535b955eaa89a5

SHA1
0c51f6c1b401ffbcc49ee26d2a1e1ea4e69c30bd

SHA256
397e7096cbaddcfbd737bc7f7085c17d6c87359628c8a5e1da971c10ff8054be

SHA512
c61b58827f4b8a7bbca7fd0e84ee16b9d9cf2451877b8c86f5073ed3cfc460ce58d3cbffd4de74c0afa71377d29074dfb314078b07083cc1d60b224fa852bc4b

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
80KB

MD5
ee578064f4540e97a18324a275cd3061

SHA1
b63b4d65c06c8d2fee94ef9406a121841517a64d

SHA256
6d584093520fbb226a976f68bba7efb579aa4f1504cd1f3ee0854e8c08ee2425

SHA512
f2dc24d5bdbc10b6b5280c0bdef31223a50705ff26ca85442b79c01babbf47e2a2b16aa51397a2feeb30cba543fb621adb9b393c46ef86ff9e3b2af6c2df4482

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
80KB

MD5
6b4a5f35dcbbcc537d192ee6ea47408e

SHA1
a7c4905bdfa1036aeba8a4e9d84a3277e49ba27f

SHA256
21f7fc220b99fb413c4770995667408a8b556414ebce9fe92c7ec587b894e254

SHA512
e9fdc54576eedfc7d1f106902c6c865e406ab32d79c13fd14bbf745ce76b9bd589dd274a73308c654161818fe7c048391b4a020fbfcb58b2cd0c80f4750acc0a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
80KB

MD5
9c17b1d962089fa18b0d7ad5a6b6fb7e

SHA1
b3c50031e59cb450af5a9936e8bffad9758a722a

SHA256
55e96273b2cd6c519e46b9a94bf7e2d5ef074da623efb606a56b413bde4fa879

SHA512
38d614d10bc5c761fddd13a64c2a52331c5ffdb8c54541adf5d53156256e911df895231a21754adc3a8a37351fb81f5f4c8e54ba46f07d408becd10ecf2b18b9

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
80KB

MD5
fbc8f607b1a2a69f267504bd0bc082ab

SHA1
4ed28c630c01bfbc9e39f1668c8f99a2280b0285

SHA256
d07ad3bef197df97eb651ffa1b706d9c2aa8505509d4e2a4c33e9a3838361277

SHA512
098c17f1064c0b3bd5b84c6e9c4a6116b30533ef40243e25048718e38310985d2b24eab5ee0f70a2e856019b6dd9273e92998db8bcebdc112a435a6565132515

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
80KB

MD5
a4d4fdb4cb4d30501ad5d18f17b47be2

SHA1
ea19481d26afcb4630862b63a25081dce733bfa2

SHA256
2b856071b0c7f1780cd68b963e5119c8078d288cb9049878ce3bd42583523900

SHA512
9a55efbab70020ef2af68e7009ebf24c2209e74bac0d53fe817e580249aaabe48c2ec2a76da34eeebe1ce231c5db3eb88ac74a30eaa22ce467a5b96b3747e9c0

Download Submit
memory/60-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/372-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/372-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/524-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/696-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/828-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3084-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3084-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3112-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3144-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3936-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4300-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4408-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4564-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4772-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4932-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5168-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5220-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5260-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5304-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5348-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5392-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5436-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5480-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads