f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe
Size

73KB
MD5

488e5e9fd5becc16b7c83779e3269c2c
SHA1

9b5d62d81eaf3e2258801f21b6f9c7f1a5a4bb72
SHA256

f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897
SHA512

dec0a0c933a89c31840354cc8640ec5fe6a6cc11dc427f2530af56bb54ee46f925f4dd97c14ba7e15efd1d3b797b19d14501ac88edb7bb8694d5dd3e0b7df77d
SSDEEP

1536:gHcSWxLXCC/Qp7ZwlYzYrsVTV5YMkhohBM:gHpWxmCoQlYkYVTHUAM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe

Executes dropped EXE 64 IoCs

pid	Process
3856	Ognpebpj.exe
4588	Onhhamgg.exe
3132	Oqfdnhfk.exe
2696	Ocdqjceo.exe
688	Ofcmfodb.exe
3484	Olmeci32.exe
4264	Oddmdf32.exe
1288	Ogbipa32.exe
3168	Ojaelm32.exe
5016	Pdfjifjo.exe
5108	Pfhfan32.exe
1380	Pjcbbmif.exe
2044	Pqmjog32.exe
716	Pggbkagp.exe
3432	Pnakhkol.exe
3960	Pmdkch32.exe
4204	Pdkcde32.exe
2256	Pflplnlg.exe
4036	Pncgmkmj.exe
2264	Pqbdjfln.exe
1252	Pcppfaka.exe
3304	Pfolbmje.exe
2912	Pjjhbl32.exe
2276	Pqdqof32.exe
1984	Pcbmka32.exe
1640	Pgnilpah.exe
3336	Qnhahj32.exe
4792	Qqfmde32.exe
3368	Qgqeappe.exe
1128	Qjoankoi.exe
856	Qcgffqei.exe
2788	Qffbbldm.exe
4428	Anmjcieo.exe
2008	Aqkgpedc.exe
4720	Acjclpcf.exe
2092	Ageolo32.exe
1944	Ajckij32.exe
2792	Aqncedbp.exe
4928	Aclpap32.exe
2700	Afjlnk32.exe
1064	Anadoi32.exe
1552	Aeklkchg.exe
5056	Afmhck32.exe
2152	Amgapeea.exe
4860	Aeniabfd.exe
2584	Aglemn32.exe
2880	Ajkaii32.exe
3828	Aadifclh.exe
1800	Aepefb32.exe
4500	Agoabn32.exe
4448	Bfabnjjp.exe
3808	Bnhjohkb.exe
640	Bagflcje.exe
3620	Bebblb32.exe
4336	Bfdodjhm.exe
4724	Bmngqdpj.exe
5036	Beeoaapl.exe
1556	Bgcknmop.exe
1112	Bjagjhnc.exe
3100	Beglgani.exe
2672	Bgehcmmm.exe
524	Bjddphlq.exe
4172	Banllbdn.exe
2740	Bclhhnca.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5892	5800	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3856	2204	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe	83
PID 2204 wrote to memory of 3856	2204	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe	83
PID 2204 wrote to memory of 3856	2204	f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe	83
PID 3856 wrote to memory of 4588	3856	Ognpebpj.exe	84
PID 3856 wrote to memory of 4588	3856	Ognpebpj.exe	84
PID 3856 wrote to memory of 4588	3856	Ognpebpj.exe	84
PID 4588 wrote to memory of 3132	4588	Onhhamgg.exe	85
PID 4588 wrote to memory of 3132	4588	Onhhamgg.exe	85
PID 4588 wrote to memory of 3132	4588	Onhhamgg.exe	85
PID 3132 wrote to memory of 2696	3132	Oqfdnhfk.exe	86
PID 3132 wrote to memory of 2696	3132	Oqfdnhfk.exe	86
PID 3132 wrote to memory of 2696	3132	Oqfdnhfk.exe	86
PID 2696 wrote to memory of 688	2696	Ocdqjceo.exe	87
PID 2696 wrote to memory of 688	2696	Ocdqjceo.exe	87
PID 2696 wrote to memory of 688	2696	Ocdqjceo.exe	87
PID 688 wrote to memory of 3484	688	Ofcmfodb.exe	88
PID 688 wrote to memory of 3484	688	Ofcmfodb.exe	88
PID 688 wrote to memory of 3484	688	Ofcmfodb.exe	88
PID 3484 wrote to memory of 4264	3484	Olmeci32.exe	90
PID 3484 wrote to memory of 4264	3484	Olmeci32.exe	90
PID 3484 wrote to memory of 4264	3484	Olmeci32.exe	90
PID 4264 wrote to memory of 1288	4264	Oddmdf32.exe	91
PID 4264 wrote to memory of 1288	4264	Oddmdf32.exe	91
PID 4264 wrote to memory of 1288	4264	Oddmdf32.exe	91
PID 1288 wrote to memory of 3168	1288	Ogbipa32.exe	92
PID 1288 wrote to memory of 3168	1288	Ogbipa32.exe	92
PID 1288 wrote to memory of 3168	1288	Ogbipa32.exe	92
PID 3168 wrote to memory of 5016	3168	Ojaelm32.exe	93
PID 3168 wrote to memory of 5016	3168	Ojaelm32.exe	93
PID 3168 wrote to memory of 5016	3168	Ojaelm32.exe	93
PID 5016 wrote to memory of 5108	5016	Pdfjifjo.exe	95
PID 5016 wrote to memory of 5108	5016	Pdfjifjo.exe	95
PID 5016 wrote to memory of 5108	5016	Pdfjifjo.exe	95
PID 5108 wrote to memory of 1380	5108	Pfhfan32.exe	96
PID 5108 wrote to memory of 1380	5108	Pfhfan32.exe	96
PID 5108 wrote to memory of 1380	5108	Pfhfan32.exe	96
PID 1380 wrote to memory of 2044	1380	Pjcbbmif.exe	97
PID 1380 wrote to memory of 2044	1380	Pjcbbmif.exe	97
PID 1380 wrote to memory of 2044	1380	Pjcbbmif.exe	97
PID 2044 wrote to memory of 716	2044	Pqmjog32.exe	98
PID 2044 wrote to memory of 716	2044	Pqmjog32.exe	98
PID 2044 wrote to memory of 716	2044	Pqmjog32.exe	98
PID 716 wrote to memory of 3432	716	Pggbkagp.exe	100
PID 716 wrote to memory of 3432	716	Pggbkagp.exe	100
PID 716 wrote to memory of 3432	716	Pggbkagp.exe	100
PID 3432 wrote to memory of 3960	3432	Pnakhkol.exe	101
PID 3432 wrote to memory of 3960	3432	Pnakhkol.exe	101
PID 3432 wrote to memory of 3960	3432	Pnakhkol.exe	101
PID 3960 wrote to memory of 4204	3960	Pmdkch32.exe	102
PID 3960 wrote to memory of 4204	3960	Pmdkch32.exe	102
PID 3960 wrote to memory of 4204	3960	Pmdkch32.exe	102
PID 4204 wrote to memory of 2256	4204	Pdkcde32.exe	103
PID 4204 wrote to memory of 2256	4204	Pdkcde32.exe	103
PID 4204 wrote to memory of 2256	4204	Pdkcde32.exe	103
PID 2256 wrote to memory of 4036	2256	Pflplnlg.exe	104
PID 2256 wrote to memory of 4036	2256	Pflplnlg.exe	104
PID 2256 wrote to memory of 4036	2256	Pflplnlg.exe	104
PID 4036 wrote to memory of 2264	4036	Pncgmkmj.exe	105
PID 4036 wrote to memory of 2264	4036	Pncgmkmj.exe	105
PID 4036 wrote to memory of 2264	4036	Pncgmkmj.exe	105
PID 2264 wrote to memory of 1252	2264	Pqbdjfln.exe	106
PID 2264 wrote to memory of 1252	2264	Pqbdjfln.exe	106
PID 2264 wrote to memory of 1252	2264	Pqbdjfln.exe	106
PID 1252 wrote to memory of 3304	1252	Pcppfaka.exe	107

C:\Users\Admin\AppData\Local\Temp\f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe
"C:\Users\Admin\AppData\Local\Temp\f6d353f88c09613a5b01c0bae2f54a957df936a4e1b092982e3429f05d05b897.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\Ognpebpj.exe
  C:\Windows\system32\Ognpebpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\Onhhamgg.exe
    C:\Windows\system32\Onhhamgg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\SysWOW64\Oqfdnhfk.exe
      C:\Windows\system32\Oqfdnhfk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        26⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        36⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        71⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2384
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        77⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        81⤵
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        98⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 396
        102⤵
        Program crash
        
        PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5800 -ip 5800
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
73KB

MD5
9c8781bd92289b26e791858bfead8ba3

SHA1
dcdb3cf506ac53bf2695597b5614482f7ea3b8d0

SHA256
53c9602c7b516d4b28fdbfba45918b48ba71f411e59aaacac6f509803ad4d652

SHA512
1b7f8a9a10a600d453a4579320041071734c3230e169b740a89a7b3ccd91bdc3240ce67e30e9bbf7a431a1834fcdb5d46d06a50f74b5cc601e35b784bd5cf688

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
73KB

MD5
31a320710a35dfabf6843075148d3bf4

SHA1
1e8f86ba19fb39be15d41ab1b369c7126a53e0d5

SHA256
bbede9e8d144d17a0c1352ab440209ec42a3e662f7f1e7f166dcfcb00f69638e

SHA512
cd13cc4ea983b8296afc25763672eb48516b07c0f3d9acde096ad3153702dea8c3d5c31638a41f25dec425f324b128235acc6b58265cc8f5240d7e2b4ca7514b

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
73KB

MD5
d92ec7d458204f8e13631d65cd60fe90

SHA1
7a458c4cd3750de82da9d9043dbeef28c5890f2b

SHA256
8e1021dc283a728a7c4c8e39d35c1234ce89ff96281ab19f90771a996c8ddb3c

SHA512
15b8716261c9963d251f9a0d4c31354671060bb72fc771c18044b408a054ba27617569ccd41da208961c5e22ebdae6319d54db44363fc3c0ebb9704bd2e628aa

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
73KB

MD5
d148e816f6c9e4179114c0aea35682e4

SHA1
d9c503428ada7b9faf352c57d14f61c4dcfb6dfd

SHA256
60a22bd1169d9382d3a5e5f6125413b7b57705d4dfb129439858c0e451ef155f

SHA512
af5d9e46337ff8f46f22e5ebdba3bcac474a913528f96161653f2fe74fe96d03d68408019e07bcfbd9b89e4ea9b489d24e7620efceec6c2463f060145b10656c

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
73KB

MD5
1e8f269c49a6f9fa0a9f557f40c1e40f

SHA1
3b3c9841b8d0b236ad6b977ccd297ae331910fc3

SHA256
f7c2de5287dd7e760219534c3af048e5e1e9607e68465be61f0fb29c71c9aff4

SHA512
a3c262ea144ae24a5aa32548638df4f50dcb17af5668e0cb9d82087ffd5b49b5658e54ff2ceccdaaa96bc2612dfc712b393dd05d050ac84b398275ec3176cda9

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
73KB

MD5
1a447965214e5b0112acab12097133e0

SHA1
ddb43337a818d033256d964eb84828c92a71060b

SHA256
0a319d09788e1ebe196f52a3792bfb5cd1f1ca0e50451ff53f32e4b676a46b61

SHA512
9b9aa76b14261dfd1dbe64643e95a39685a9e807706ab351ba6a8898439612343cba71ad7e99d2a562e17a017799d23da8684084c91fabf568b0d85b1654514a

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
73KB

MD5
8fb1661a2e3496c50748dd547368bbc1

SHA1
d0ee2fdcdfcc43fb747f818eaec90698ad72c699

SHA256
8fb25b930fa95098f0959d8e25f19ad7bc728eaa81a44fd39de65a2bceaab04d

SHA512
9bd9c294b608480add173469abc8e50415c54caacb3667589dfa09e23e3a668d61215ef07d54e398fc79468ae88fbdfd71a220fd7a287e6e7efd381be7f8da9d

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
73KB

MD5
c56c3e3316f1557358fae4f85cbf6ad2

SHA1
09e77e9c31eac7bb50b13dd58a0087281606a89a

SHA256
70e3d3f017aa2ce7d4680844b5f32cf9d6f8de66b3b11b3db4cc27effa732c96

SHA512
ab6dbd54a09112763fa52baf160bf23857f951edfc1f8d7af22917c70c18ae727426cb4f87d2959f54b7548874839ea420eb658abd666e6385fa9ec2a6103050

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
73KB

MD5
39319f7b16198c93a2815f02d550db03

SHA1
de6d7a01774d939bc60cb05ccea751e97dbe3ebb

SHA256
facd5d612cbe8761063ebed525e4d028bd461f8156bc57624a10b51f61e6d2f4

SHA512
5f3180a0acc206673623fa13f67826b2149748a10cab48898f2b4996225708f95b024cb54d5ee6ee9d310f9ffd90abe5869488deb1f168cb7ebc35f5f1b27ed5

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
73KB

MD5
899ce97a328d59f9cdfc69499bc80158

SHA1
73b05187438981fd6dc680b45093e3a755523f41

SHA256
654880a4401cb885bedd1744604b05301d5d7b8086fd456c3760fc74829fd9ba

SHA512
c55a33cfacee169a6f86c96ebcd272d4fbe22d2761d64207e3fab96a7d5b257690b3af434521960552dfa0c8ef789c4f865e38a50600329af426871268c564ac

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
73KB

MD5
4ffaea5e8e193e0cc234580a8a654aa0

SHA1
64fbf3bfc0ae22356aa1eb5c924d65924ea6e3b7

SHA256
8523fd99373a8a6789e106751510db04031f2ac3f1941488e05e86601aea05a9

SHA512
5679727e5ab640c2e99faeaeacc9d67fdf1cde6ef8020e3b2b9bd459c24c5fb138ae7ec10281de4739f3b8d5a4b1381ef996477683cd406f7db5715aae9d1458

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
73KB

MD5
245c17389ce797c492ad4eeb8ed71924

SHA1
3dec1cb6cf7a261ad7020d7774968cd1c4af8796

SHA256
a99a62e2a33872793dfc6f38fb69388c7cfe056ae920248d627acf1ee52d6489

SHA512
80bc2701193dc2616586f9f7909973dc605be5ae720e15f4a734cab4b23d78f1b6403494a911058885aa81f117b52101688540c53d1ed2d66727fb21f961aaed

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
73KB

MD5
03b6fa7c70a625645b1d6f73c3ca674b

SHA1
0c063f7a1b0db4c509fa2707f7fe180c3c3f9ed8

SHA256
186f78032d1a8b0ff97422c0c0fa58e4e0d4bf7edf2b152e5f8e515b1f8e8f1e

SHA512
131a39ade076ecdf0ac8f58262db71da0166b2a3145642bdb8172f31121d7cfc12770a1c850860d1311c1b40a48145207b604d9784794f331177b20f913f80ec

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
73KB

MD5
031c864a80dec81a892c1064c1736a0e

SHA1
568abf615c30abcae8d58e9d05e19bc180daa275

SHA256
c08f730a8ef6eec76154ea79236db190db6b2ab5be08e3d5b0f19ee1c6448321

SHA512
974fb9fd3e6653a4772439be6320c8de4bbcfcd4ea8115423aa71b5ec6bf11aa6075f8f028e400e1618b8f125a0ec70b7045d0924a61eea18decf96c828eb0c9

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
73KB

MD5
ba9783b5af40e20b01a72e95c3d859dc

SHA1
7b588cf45c17ee4845dd0c3d4baa1145e588a3d5

SHA256
c19b47ac0905cadaa3068ed9fb5832ac3634a54d8b04412f110cbcc86726fc6b

SHA512
f9abc6f4740a6302677ecdb8a4a8e6474f9fc40fb840d261da92717aa039b0a7265cbfc0fa7a0c7e4bfda5e1afb003e9b971540fd54428c196209e6ad1ffe182

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
73KB

MD5
3c85c1b25d3e4b0b085533191d366f0b

SHA1
b0c33620fc8dcb22f13226efc7da02625d864d58

SHA256
79a283540c943ae03d3685a4cf90bfed9e7eb6226d263e3e2dcd0ec5d26dead1

SHA512
bad12c373c4d1774f7f7cb88279135f392e2ab315ac0c7e4ca8c4b11a7e2215eff49350e144b6b8a267f5627be515213713fb12c390a5f48ebc17e38bf1806da

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
73KB

MD5
b6a88e3112d63394af08a95260fb2c76

SHA1
986fee3bd8675148de531f2fb41d2067077b39ee

SHA256
a85c7553dcf6df385fd75842fcd2e498fcb727819fee973f90b727bda46412fd

SHA512
eaed3e0b5ff3903b63523f983023209d4e3745cc1e7eb51e61ac74f914ca963a24cbc08ae1ebdceb24c5846f18a06aadc5c2b1ef4f3d1422a2352d119c07d513

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
73KB

MD5
d25e9067d57b77573d79e020df8c0213

SHA1
2ae060f3d92f3ed4aae441d828ba498fbf4d935f

SHA256
000a693fe13791f5853e9a9e0d9dc28fcf8258314e293f2689ef62dc95940fcb

SHA512
f4fd8ff436a848e1350e1d299eaa0fb06014cd4089bbf5d94942db786426f4e7de4b60776e65ac30b8843325d128bdcf140679f253f0125568dacc19c9ef676b

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
73KB

MD5
4626c0eaaece74d2413ac99a9d80a041

SHA1
9ae7a3a410fb7471dcc70385aae6a9ea42892319

SHA256
d099c156880b29eedd2fdd001d1b1600100d9173ba6aa9e2c99792951f30bb16

SHA512
bf04d5291b8265ff8e85ef1b0fba0e569a9c6523aeb4587254fdf27a0147f423ad2aefb57ee350d85add75a8db6eabae47ced6e6fda52abbb84370c230d8053a

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
73KB

MD5
c32eca2cbbfa945446c7e9dc1bf20a03

SHA1
bcfe9ee97f6e7cc30d6086001ebcc8a2b8e42fe8

SHA256
562cbd95fdc44a3768c3815966ebf7129b48c0d818c23f9cbf597b3778f3c274

SHA512
c0abf18546b670c13d6b70f2158446bc78d341c14d886b506104ebb10a505217cd73c54b4158672720b5363803a0cbf6223f4289eb00deb50c925df98812d183

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
73KB

MD5
304926bb4bfa38806c0aa3b3d32fbe7d

SHA1
a7863774459ca6e5017f500af148a6792479c63d

SHA256
ffb7e794340f68247817c3526cd731e955229b8a89fcd98895ffa5da5a2e0518

SHA512
351600506faa667332c35e703ddc3c4b4a9f0a5641f3e00f733e9113876c4b13ea4b960fb6e1c3dd5eca0d09dce3f65c4284e88fbf5e6f1c67c6d664a80170d9

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
73KB

MD5
b187faf2c3f22ddf67eee1e75f0b23e1

SHA1
cf9f4fc089470f413059fc627ac2f958ae14be9f

SHA256
430e23ceb0addbcb3cd5362c2e2b13ad797c315f15f069b69c5875d08d3531b4

SHA512
325a1d1ca3a19bf0f3587936c8d67f7ccf8f1b320ae3a6cc87eb6f85337ced36e81c4467a16b7135acd4ebcf5ae59650cee594a04023064ff02fe2db92949e82

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
73KB

MD5
cb99fd27e6824b9ad18748fa18e1f3a0

SHA1
6f2111526c07b822dafd48075d6d4544df914090

SHA256
ba86bd953793aeaf3792dd4798fb3354e4dedde6395388d86c60ff5be359b753

SHA512
b769e0c54599f5dda759d5eff273b3d180d3faa5940a4d397f824dba68d396f6cef9de855ccee7a641e294d90fe2c27510eb7297f6f6a3f0ead22373e5037819

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
73KB

MD5
d59e0966a0d457068d91db7ecd257ac5

SHA1
4c4951a380d9e82922e0a1dbd3d0b823f21f03b4

SHA256
e2fd97af4b8f5d9b28b55e22c44f5eb25a285d920fef8eae7991cd09d224f3a2

SHA512
ad12c37fd305662bd642a2c9be604ac66d8acda581a31004b37d315d2b5010d8806e1c134c9eb0b5bcca367fed7454fe566735007eb7eccd1b05fccf5f2fe288

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
73KB

MD5
5008ec875e007ea539b09e32bbe052c7

SHA1
2e0cc60c4a05d4ae8a52a50d7a4163b7b6c06255

SHA256
b40afc2a122f06ecd2ca05c438d14e2725c2a18132af5e0524fead23f932c61e

SHA512
f66914babd8a31ebca535fc722be5e10c8398c46852c2cbf318c81a0363ad05f102b04622be157bd2f52f014877b04f7671f653e3d0146159fa9d6830c63d365

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
73KB

MD5
2461b38ae405504033fb6f3713295806

SHA1
3014b319d64e5a5cdfc41b555c333f4721012629

SHA256
d133eb0bd822a899d704a525c6c4942aac0ba144e57eb55c25c22cc33ddd9612

SHA512
c4e44502f0362c020752164ab3a56922751f744fd04aec271607c146672cc2b6c5eba3dd100b9f44a4ea52077a30b22c49a088d2162920e213786191f6529415

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
73KB

MD5
7244d5964357472206cc6c486a5af30e

SHA1
740dcc8914e323882ba4123d132f32a18363f526

SHA256
d12b5d77b00dfc5504a12f486c161c34e7950579aca4b9a1d9e9a118aa7131ce

SHA512
234f22ac03fe48de965421b1868e7c915cb52104a6a76853cef80f405ad6473cdeb41b1690624603a9aa82fc67b17472f857693762f8ce57679462edb224bcc6

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
73KB

MD5
c21ea2e0c321fcd50f778625dae7f602

SHA1
df4e1c328bb1c741a616a401c1e5797f102d323a

SHA256
c4cfe51d8e2e29ebc56d95147f0359c2d453ad74fb41cda914b580a532915aaf

SHA512
6a4327da33e1be79afbc1fdb239c3d5a8dfa8aa0a90f5295e12dbf184589088a03834a4d9de877a5b12781bf54ce97eaf633085d3c5f5f367e0df9a6fb45e299

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
73KB

MD5
5b8cb6e9a39f47d5cbfe0740a227e43a

SHA1
7e34650c0338433574c04ed3d523fae9666a7d0a

SHA256
ede1105b418cff81ca2d81da48e7412d86268c9b3f2f1448cc209b78e620a0b6

SHA512
eb6ca4b266a74ab83194668df578c4027e022e1646341a50568bb09e94df243a216823b1145282992885ea0cac6af54acebe6de5cfc2159c59120b3bccab7bd9

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
73KB

MD5
463b20ab5c35411c753b3c9d16ce2faa

SHA1
cb495f7d4969aa8a9211aedb840ea40ba5de3d65

SHA256
9709c95613d4825becea57934d66259925f414076fc12ccdb5c3ca643ae3403b

SHA512
20ff389483f694db8b73aaacf2e4aa9b95f95887c19631ffd373f3c6b120476fc3fb28464139e8f17748b6fac44a584709fa9fa023bec2153e76d03ed4098a39

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
73KB

MD5
f410f3ee28c6b9f3eb6be911d19254c4

SHA1
8806bdf4d72b305d83ccf8604b928c758507e52e

SHA256
ef0e091ba215ba23271ab1447cfc6db176acbecb08e4c442ced1a44b1a826b81

SHA512
b86b8a5f4e1fe63a868268c1de62aaadd8d076f64480a53d182975066728c7fd735f2acebab074f216b47ece5451d4c4dd9dd324624cf45912f1eaf45e119683

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
73KB

MD5
759dbbaf3a3c67557e2969884687f77a

SHA1
516966825b1c5f661baa7abc30d4a01afb55379b

SHA256
94fbed65142006d5058f7c23227f64f97530c76a79425f3e8826b12fffc379ba

SHA512
91a7a5771ac9391de45c36eed16ed41a72118041f0e3256b451f2dd078200388460cf5c997201517da4879cddf418b9bdb21beff45b322919a7133aad884109f

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
73KB

MD5
18c0b1f8d313dc7fef35a6b056b07b0c

SHA1
221f52c707613c27da740def6b51c15ff37c4a20

SHA256
a82181f40eac9458492457ca7d55746bef52f4dd77354fded53c8eeeea04263f

SHA512
962d656fa796b4bd554577dad88bd817eabe3c549edba0088d1cbfe92b6d3d8706b880c97403eb8c16505efa0bddc25726287cb4fc7ad68b1a822ba899dfc770

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
73KB

MD5
57ee7724971f919d4d2de22b43060049

SHA1
c217aa615e4584c7052aafc5d3e1ce60ccb4a84b

SHA256
e9f59e952eebf6a43d10004509a44816d8c3a497e4cf546114977acae01c1ef2

SHA512
8908a297e7a6b583a316ffaf842f493ee604d3110229aa15ec859e55b273a2b4a338583b576b8d85810393033fd87890f79a329fc2b738fbbce6b7f6d831a1bd

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
73KB

MD5
defbfcc6cd84be2a021920e0d9c7ca3a

SHA1
1bb2a8a3fff54f200e620d039531d3e94e68b71b

SHA256
cf9335a8c34b54a80bda3a271cf88b229d037ae3a0abb907be514f1c8de9d64d

SHA512
954a8571f184b2920af6aa4cbc6115d00997e8fbbd021a432571ac3fc59a389f5c2b4ca381bad5d021cd0e48fa56aab6c1ab8ea75e92199d58c3d68b961816dc

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
73KB

MD5
904795adbba51dd8f51a024296c0b7b8

SHA1
3a067246adc856c8ab5dccc5657b827dbb241a76

SHA256
87deade3b8dd7e31f1c98f14998ef40b057c3d2903ad7aaf8cd6e4a090541790

SHA512
e4c8cf689a42c857ab8bd4b213e9c52587ba1d24cec49922b43d29896d5e736dc7512d6e8781378732a1b1245ae57bb7ed1b33a433c057e2f62a5b37dfe5ff88

Download Submit
memory/400-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/524-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/716-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/856-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/996-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1212-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1252-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3304-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3368-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3808-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3960-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4204-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5176-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads