a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 01:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe
Size

391KB
MD5

be22004f28bc121075090892ad659907
SHA1

2b150cf4e4a756400dcbdc0aa18ac35a939d905f
SHA256

a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3
SHA512

c64db40a0cb3523d4ecb2934496d9f5bd6dccc463ff90209527d4ec6727e16fca8e241df10e436004a2f129d29d4f144cb549266e8bfe888d6fd9710bf4f8f18
SSDEEP

6144:Nl5fMhYBNTuz+xPMaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL:dfMhYzTuRmNtuhUNP3cOK3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe

Executes dropped EXE 64 IoCs

pid	Process
2888	Olkhmi32.exe
436	Ojoign32.exe
4348	Ocgmpccl.exe
1408	Pdfjifjo.exe
2724	Pnonbk32.exe
1224	Pfjcgn32.exe
2452	Pmdkch32.exe
4964	Pcncpbmd.exe
3960	Pflplnlg.exe
4492	Pncgmkmj.exe
2488	Pqbdjfln.exe
1816	Pcppfaka.exe
1912	Pgllfp32.exe
3928	Pjjhbl32.exe
452	Pmidog32.exe
3208	Pqdqof32.exe
2484	Pcbmka32.exe
3196	Pfaigm32.exe
3636	Pjmehkqk.exe
3260	Qmkadgpo.exe
4748	Qqfmde32.exe
1636	Qceiaa32.exe
3976	Qgqeappe.exe
4648	Qfcfml32.exe
732	Qjoankoi.exe
1456	Qmmnjfnl.exe
3372	Qqijje32.exe
1804	Qgcbgo32.exe
1032	Ajanck32.exe
4312	Anmjcieo.exe
2892	Ampkof32.exe
4812	Adgbpc32.exe
2748	Acjclpcf.exe
4300	Afhohlbj.exe
3132	Ajckij32.exe
4332	Ambgef32.exe
2240	Aqncedbp.exe
4856	Aclpap32.exe
1544	Agglboim.exe
3708	Ajfhnjhq.exe
4620	Amddjegd.exe
4508	Aqppkd32.exe
3704	Acnlgp32.exe
1920	Afmhck32.exe
1468	Andqdh32.exe
4536	Amgapeea.exe
3008	Aeniabfd.exe
3964	Aglemn32.exe
1952	Ajkaii32.exe
2692	Aminee32.exe
400	Aadifclh.exe
3616	Accfbokl.exe
3032	Bfabnjjp.exe
4712	Bnhjohkb.exe
4172	Bmkjkd32.exe
4268	Bebblb32.exe
1448	Bganhm32.exe
2796	Bjokdipf.exe
4520	Bnkgeg32.exe
2720	Baicac32.exe
4276	Bchomn32.exe
4776	Bffkij32.exe
4932	Bnmcjg32.exe
2444	Bmpcfdmg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	1244	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2888	4432	a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe	82
PID 4432 wrote to memory of 2888	4432	a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe	82
PID 4432 wrote to memory of 2888	4432	a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe	82
PID 2888 wrote to memory of 436	2888	Olkhmi32.exe	83
PID 2888 wrote to memory of 436	2888	Olkhmi32.exe	83
PID 2888 wrote to memory of 436	2888	Olkhmi32.exe	83
PID 436 wrote to memory of 4348	436	Ojoign32.exe	84
PID 436 wrote to memory of 4348	436	Ojoign32.exe	84
PID 436 wrote to memory of 4348	436	Ojoign32.exe	84
PID 4348 wrote to memory of 1408	4348	Ocgmpccl.exe	85
PID 4348 wrote to memory of 1408	4348	Ocgmpccl.exe	85
PID 4348 wrote to memory of 1408	4348	Ocgmpccl.exe	85
PID 1408 wrote to memory of 2724	1408	Pdfjifjo.exe	86
PID 1408 wrote to memory of 2724	1408	Pdfjifjo.exe	86
PID 1408 wrote to memory of 2724	1408	Pdfjifjo.exe	86
PID 2724 wrote to memory of 1224	2724	Pnonbk32.exe	87
PID 2724 wrote to memory of 1224	2724	Pnonbk32.exe	87
PID 2724 wrote to memory of 1224	2724	Pnonbk32.exe	87
PID 1224 wrote to memory of 2452	1224	Pfjcgn32.exe	88
PID 1224 wrote to memory of 2452	1224	Pfjcgn32.exe	88
PID 1224 wrote to memory of 2452	1224	Pfjcgn32.exe	88
PID 2452 wrote to memory of 4964	2452	Pmdkch32.exe	89
PID 2452 wrote to memory of 4964	2452	Pmdkch32.exe	89
PID 2452 wrote to memory of 4964	2452	Pmdkch32.exe	89
PID 4964 wrote to memory of 3960	4964	Pcncpbmd.exe	90
PID 4964 wrote to memory of 3960	4964	Pcncpbmd.exe	90
PID 4964 wrote to memory of 3960	4964	Pcncpbmd.exe	90
PID 3960 wrote to memory of 4492	3960	Pflplnlg.exe	91
PID 3960 wrote to memory of 4492	3960	Pflplnlg.exe	91
PID 3960 wrote to memory of 4492	3960	Pflplnlg.exe	91
PID 4492 wrote to memory of 2488	4492	Pncgmkmj.exe	92
PID 4492 wrote to memory of 2488	4492	Pncgmkmj.exe	92
PID 4492 wrote to memory of 2488	4492	Pncgmkmj.exe	92
PID 2488 wrote to memory of 1816	2488	Pqbdjfln.exe	93
PID 2488 wrote to memory of 1816	2488	Pqbdjfln.exe	93
PID 2488 wrote to memory of 1816	2488	Pqbdjfln.exe	93
PID 1816 wrote to memory of 1912	1816	Pcppfaka.exe	94
PID 1816 wrote to memory of 1912	1816	Pcppfaka.exe	94
PID 1816 wrote to memory of 1912	1816	Pcppfaka.exe	94
PID 1912 wrote to memory of 3928	1912	Pgllfp32.exe	95
PID 1912 wrote to memory of 3928	1912	Pgllfp32.exe	95
PID 1912 wrote to memory of 3928	1912	Pgllfp32.exe	95
PID 3928 wrote to memory of 452	3928	Pjjhbl32.exe	96
PID 3928 wrote to memory of 452	3928	Pjjhbl32.exe	96
PID 3928 wrote to memory of 452	3928	Pjjhbl32.exe	96
PID 452 wrote to memory of 3208	452	Pmidog32.exe	97
PID 452 wrote to memory of 3208	452	Pmidog32.exe	97
PID 452 wrote to memory of 3208	452	Pmidog32.exe	97
PID 3208 wrote to memory of 2484	3208	Pqdqof32.exe	98
PID 3208 wrote to memory of 2484	3208	Pqdqof32.exe	98
PID 3208 wrote to memory of 2484	3208	Pqdqof32.exe	98
PID 2484 wrote to memory of 3196	2484	Pcbmka32.exe	99
PID 2484 wrote to memory of 3196	2484	Pcbmka32.exe	99
PID 2484 wrote to memory of 3196	2484	Pcbmka32.exe	99
PID 3196 wrote to memory of 3636	3196	Pfaigm32.exe	100
PID 3196 wrote to memory of 3636	3196	Pfaigm32.exe	100
PID 3196 wrote to memory of 3636	3196	Pfaigm32.exe	100
PID 3636 wrote to memory of 3260	3636	Pjmehkqk.exe	101
PID 3636 wrote to memory of 3260	3636	Pjmehkqk.exe	101
PID 3636 wrote to memory of 3260	3636	Pjmehkqk.exe	101
PID 3260 wrote to memory of 4748	3260	Qmkadgpo.exe	102
PID 3260 wrote to memory of 4748	3260	Qmkadgpo.exe	102
PID 3260 wrote to memory of 4748	3260	Qmkadgpo.exe	102
PID 4748 wrote to memory of 1636	4748	Qqfmde32.exe	103

C:\Users\Admin\AppData\Local\Temp\a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a779b81b1baf324eee77a007d78ccd2ee3a157cbda2dc3e7ca0d465d8fcf0ba3.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Ojoign32.exe
    C:\Windows\system32\Ojoign32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SysWOW64\Ocgmpccl.exe
      C:\Windows\system32\Ocgmpccl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        81⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        82⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        86⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        91⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        96⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        97⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        99⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        101⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        107⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        109⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        112⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        113⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        115⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        116⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2516
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 408
        121⤵
        Program crash
        
        PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1244 -ip 1244
1⤵
PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
391KB

MD5
33d1df868d6d7dd66de15d7c26f27036

SHA1
63261272dcf819924bd4b789956721a66bfc7cdb

SHA256
98d8f16978108463343d329d2f8ee2fca4029db90d4f2e4b9f0faf09923c7b4a

SHA512
341c4711ba4d0e9bfb9b2cbf2841fa573c5a38ad822954026b941f27111d1bda36b580f1ab92cde455a2f0b335653281dab12af1f130c9b23d77a94594b41cb3

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
391KB

MD5
4aa735bfd8a3cc179b7ded659f6da796

SHA1
8d1e6334fd7dc51a0f0d51969eff13fb55ed4fe1

SHA256
645440d6d4784f18ad2920068f8ca9a4ae725ddb98b847aba382ec0c94a37795

SHA512
02bd2cbe266a3164c2dd6a3bae2c2946de3dd8448bd9fef77036e5f0f25f12c923acec18e15b8daf005913a47fbc7093e8be40e22a667877b5663c2f36b8d3b7

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
391KB

MD5
c7e0dc2794c519a169d0d8edfbbee541

SHA1
0eeea9308cd9a92a34b9dd04253ba6fe4ca4ec68

SHA256
e057a5e01134ad37a69c262d54ff2769591d71166f700b8e0f02d21c95b158b1

SHA512
95345a6e9d5aa1c331eea4e839978b904cc9fee533e0c01f5991e88e648505a4bcf734cf67a5b88ee06584453d241b3ed73b876590514dc03ce05083d12d53d6

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
391KB

MD5
b6fb44076cd60456dff0d910c5a1e387

SHA1
5018e0b78b3b1705ee7b89a26917aefab765eccf

SHA256
7cba0a1786781c2d4c3c5cf34caa577b1a2be2db9991fe09a2897b7fbb3fed6f

SHA512
3d7635a39987f335da660d72df4ccb6b795068565a195b29f86c09edfd981b89f1d80fad817e38cd07ca4902cceff06378ba2629e644b4bacf5dc182993fb244

Download Submit
C:\Windows\SysWOW64\Fjbnapki.dll

Filesize
7KB

MD5
834d2f0f30cb131a1a8ec615170fdc5b

SHA1
a5dddb2bdb712ae4d4d339ecace027c49c802875

SHA256
5b2b11d7e254b1d33e51d9fd5817fc778c5b7e9723f866304e22c3677feb3e59

SHA512
e125854066f1236f9db891af6494ba4f28931bf56c599fb4b7612a3709aca5220fbfeb7e875136594d93e01a56e64fc3d6efdcd277910f5ffc73e0fd812f4183

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
391KB

MD5
214ebd012f5e5a327d059675f9b5846c

SHA1
79adbb42aa71488d62989e38d580ffe4a4c4474a

SHA256
12770e1924acf67a54b2ce831ba326ccd6bde2763d648b2b624f9ef1ccf0349f

SHA512
b9b66751e582069ac21d48260afca7a9e3d4bbeb0a71250ad0b71ba75c1ddb7ed2adb98fd1d51c42e1e95d93b2c80db85877cffe4de3762ab71a3ea9338a85c0

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
391KB

MD5
800b3250ae8036ff84c5034854004203

SHA1
267a09e49f640a3a5537583013fb1ead1bda7d77

SHA256
62d105f0b0df9434dec2bbad75b08ff6ddd5fca282db02e26c001fb912bb5c3b

SHA512
b90b482bdc34f048ac0078b00f06c03c3a3f98497b6415f6d0ad540cabd727e4255acea1a02845d1a6f1de94670bbd4ee3b9000ba5d34f0c455099c164acd18b

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
391KB

MD5
26e1b464cd3e3238fafe6a5409338819

SHA1
01ac20b35c45397e1d6f93793704348f0a8d3d92

SHA256
64bf295386e347b7c731949d0c6c7cfa48f6918759733613610a078267934844

SHA512
f67ed6d4a575ec4dbf2d005e1920306dc552f3197d8bbc5395042798399812ae0b832da5a003d2e77ae07a8f59d9744cbf57286eb82b1383ab8f8d9af1505368

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
391KB

MD5
8586518f6612ac0fded87cfea13c2498

SHA1
096205b60523c710fd385b339dde227cbadc2728

SHA256
fc5f8bdaae43acda035614cf9f7f04009826c765eb1bdac7d7001266741c44fa

SHA512
78d2060c719fe92179c9fa2840591a2b17d5535937926825197d754c2f835dd988990dfd3dcfc2969a1d36952eaa629886f721714db04cd96a0495245f9c1221

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
391KB

MD5
1a18c715b7d4d61eb5cd294737ed53e1

SHA1
9284dac13dadcc32c3c4e85ddc71aeb522a80b32

SHA256
ef7b18eab80c9e41fdc6bc304a8d8f0c9696737ab6a91471c55ec7c4259cf76a

SHA512
26e6c829ef2f10928ce1e2c50a2da0c7b48b64bfe27a4cd42a54514e76f079342174cdfcc893310a42ab8c7c819ec58ce050690824526aa57c6c8945aa0b4fa1

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
391KB

MD5
b9cf4064edaf4e3f82dc1e0de24157f7

SHA1
7920f473ac6ed1aef8876586835325b7a5884d61

SHA256
5bc08702c4b951bad514d14e3d4f76c86022b9f0503494f8aeb251728214d382

SHA512
618d5ecce24f8720ac1224184156f76da5190bfc4be22f2acd97e9b8b3a6e785834629db0e4c784554dbe4a48bdc98bb27a26dfb2d8943e40d726f3e05583010

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
391KB

MD5
b8e595652bec3f44a94b1b6931efc6db

SHA1
c91048d913d5ca2108722efc3261e8f0018b83f2

SHA256
79ddf3a01a7ad144dcaea057e37e271c149e41ffbbea72b35ca95fd782669fc7

SHA512
3070b6acacfed77414c8be282d7fb5216f415640846fcdfa518ac1131414197c7f43914eb1543cd1d86fce3e1b3c44ec487d78a5a6e3212e5459d4eacb8b1fd9

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
391KB

MD5
c13ffed78f8fb2a8faed4e4020457878

SHA1
2d58c1a7947c92bcd5dbc0721587671875e5c5b2

SHA256
c5dcfcb1c189ba21388322cc76312b54f64373e9392a15c1e00278125b3c0c2f

SHA512
7f75e4cfe8d57b450a0d432732d451cee1baf62b52338a03f17214c865aee4de544476fd76d7b1b6c58a5c59e600d594701bcc541a2cf9f8f17b0af42d4c3800

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
391KB

MD5
ceff5be2dba6271960e1d8e051ec02e5

SHA1
1b22051993a2d51330c73fe9ad8b46b221830f12

SHA256
9163947bb650e9f70d2480bd8db70a6a4d583c0568436d99696f9d7f9d15e8ed

SHA512
27a2d1ca11605e074ff80ec3a8d26ddcbbd8c552db4d854460b565aef9bc4101e2e2f7630a801aafec81f1bb7bb2bc28fc7c9fc1c10fc70460dcb93f530ec25a

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
391KB

MD5
7b726fed6d61524f60285bba2c68c6e0

SHA1
b6dbe1beeee0631fe594eee8517a426b29cac51e

SHA256
6e1ad74e6ab4412fcc2391cab497528ef216fa660cae757b1b7036bfe568834d

SHA512
352baa84908b308db14aa01f7d4dce0ea00a764fb2a8e08b0325779177480ffe90b4b1852daf96976fcfb3386e2064492a7503ad7eb87a10f1a768176f1bc719

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
391KB

MD5
13dc1dfb525cf569595f2c43d4a10dbf

SHA1
d080890df95092397d1e9e8a0ab30cb460762419

SHA256
71184001b4ed8b6554f3b3b999389f894a9d1a13b8925235f2013e1f688c93d5

SHA512
dbbd4084a62710eb191b5a216ed2530efed440c7788399b8a6e233a55ae715363fcef16a75df67e459f3a1e60d16f7d661102de9abec9a34b83f11d454c82b6e

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
391KB

MD5
0b81c7b5bae3186297447066188e98ba

SHA1
bd2fb483a2503a9546d75f1b3622766ed48a8c8a

SHA256
77f245fa439559f5b761fed056b09f818c001c194627a7a412b534a9e4dbca4d

SHA512
677d78a1578575b8559cad3fc872a3259316ccb968807963e6faf5d139fcd494ed52222dd766e7dfeab5a2a33241db500cfaf99d27000872b08e49b2d6270194

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
391KB

MD5
405c26012cfe3dbf21be4c1c32465de4

SHA1
d0a8e306a58cbd23709bbe7dd6a1277897a74792

SHA256
c998b248f44224d29ca0bd641e8a42881efe71539e1b3bd9bad98b72cc336ed6

SHA512
c984a1c2f11dc51346ab1e07191c602b9d6d8b18c931562dc2b84bcfabf62ccdcc924403a913ba53906c77afc8b32e29fca276b38a06d4334f0cfea69a150157

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
391KB

MD5
c21aaea473179107087249e7c09097e7

SHA1
fe49b1381fc34ffe7677b47f5faf501d9261a2a3

SHA256
1de42aa7dbf411f7212a324ab45627d3b1f649ea32d795e6f1c945368171a189

SHA512
c61dc050056778d120c9e4c4b3f83fbe4df583a25e5a85728f48eb76572fed25888424d4035829c8b89836cd78db1804889567aec5ef2707054aa8a9fa2b36ba

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
391KB

MD5
353b59fd6743b1f8d7611e7e64cee37d

SHA1
1e48eb87a709f70401e8a46cd0dd1e2de8c5f665

SHA256
ea18358ce331caec654fd282015d9accd60847a3be188a0c34687b5e0951dd1b

SHA512
f7eef53a4a8e7197a373f824e6e2bf8631cccdbda0bc3ba7165c6ac4a26e6030e0bc653a0f679824779f3aac28f6b582cca287a1b32a8bdf7028a182d6213d78

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
391KB

MD5
5b92d1e740a8254d0dfdb77078bbfef9

SHA1
f6ff86c6557a7437b59354463d2a16ec93ac741c

SHA256
2b537ae504be6bfde7586e3d030dc08c283231267d19ffbef852fff471176027

SHA512
3ee93a563d17bffdb33fd631596f99d958ef8e9bb053d9f60a08ff545e52a7e099a874f3640064e53297098600aeef3df1ed53b6d6c90e1d221d672097e71704

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
391KB

MD5
fea9e67c78bf979163afc5f63b69c573

SHA1
34d839a2a1b5f1984927f1287412583fd80bb306

SHA256
ba8ddab0f837a25294ddfe66e6a487dc3fd1ec716d5993cef1d9e1ddab7b87de

SHA512
d114d7974de2bc7b7b1451c88bab92787d2b293c2a9537ac5feac76e4196798b70e6b7f8f4435c2f5f1f86cb292d03359ac880ebcec612d2d6b37c7163ee7992

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
391KB

MD5
09a7d9d8c3f33a5c1ef39a6b41c4fef9

SHA1
bb41a10e2cf8ea9650e7738d4d38ebf2e126f1ca

SHA256
57c65def9b634fa41e4b4a12ffb3c596b5706d422fb451c8a6010442e7517e9c

SHA512
ace32b4b6c0348c15c9ee3c336539e258e3b040210f0bf6e864686489b7be34f8390ad09b0da767b9f191792852a07357d9f73fc88c2e11ab9aafc9f4b55f4ae

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
391KB

MD5
f6cce1e4a1c507267c6a7040f6d89633

SHA1
2cf9ae3587f3d30dc7b52105119310fa0994f682

SHA256
786280f5b6c420af207ced571d16c24d5b696c9b0c64c0ca0978c28b3d46913e

SHA512
509b6b648555eee5802c3285e12eb8868bb3602be9f627ae7bc88ae7b51c39881c68afa5f784db4d1d892fafaff998935f3144e556896319791498626367d471

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
391KB

MD5
b28da6fb768f291cb28e28eb92157b6a

SHA1
bc0045f2e409512cb37b6c6aa764e3b888bfc663

SHA256
7a683a4db22ea1578216c9640e54806c7858e8baca71084ba531f0c7dddcde7a

SHA512
26a042ecda95225d8f76a368b7bbabf7ef66032bcad91296ab9daf21bb2f4b2098ed2c1bf4485f8b0cfb55cf55d34b88c7cd2ca3ad2e38433f19f64f9d38ee36

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
391KB

MD5
253588e1fbce8f8217b156205d79226c

SHA1
654764272af95eb3eee73f953cedc5371cb4c6ad

SHA256
3840a4273a74fea5352c6531cef54d77dce283cbdbae3d3137697ae96ef14e6d

SHA512
3934acd821101fdfa0561ee61136bcde99dc0f140ed0fcb3693ba12e1bf653900477d365ad42e188744af44bab9c2449a8da027b69a1abcffef86879c32431ed

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
391KB

MD5
71b7960d8b09443bc0c1c9ad17ffa27a

SHA1
5d6da14944f60ca2e14b04b0c73d1e4699f915fd

SHA256
3e44b51e1c0080e28e52001ed409358443709e3f4169b5ea00ba274c74a83fa3

SHA512
2983a31e041b3bb549af8935cebe7729385cffe292c4cd1b3208d7370eb94f8873653d1d0206ff8c584015cee4b10d54decbbed25ddb6d0cc70176a7cc49abff

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
391KB

MD5
b51a952bc3ec9328748588900cfa5184

SHA1
4a638bb5054946d370aaf71abf8b7c681fae6072

SHA256
9daee0b3e6f4648a735ed41df812fcb220a03437887d6a462a9bf6ef64ac399a

SHA512
a106ba2ce671f4597f81dfea9e27a224475d9ac651f8906bfc174311f3bd8a08dd1a838e3faa9676b17dc00bb67433afef133b87ac3246b2114a5bfcd75bdf56

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
391KB

MD5
3a8a106ba47069687ba9a5a8effd0e2f

SHA1
a922c171776d639d141d9a89c628b3a4963c8bc1

SHA256
136ed13241a6ff4d7492a59a75d101e0b8ec993fd11d5062abf5cf3ff63bca9c

SHA512
43a7ad96e670dd1e492f6a82947e4a89a8512e04746cb6dd5ac192c0e1ec5afb5cae5dce3629a85e88b61a077d7f10647d0ed043799e71f770ae430449b0bdc6

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
391KB

MD5
7d9243e87be9e9801c4b6e105802530e

SHA1
f1f23cecec355257eddba08641baf521882f5698

SHA256
7732742f894cd7e60c3377281d5454231b9b603b6aeb9e90f45a02eaa74c46b2

SHA512
b86b586c9fdfe184994720d484c86e2bd6f2e9690097f58260a1a39ad519f966bab9e658d1315cf9e20a8b96a4cbca506244e30ba42e321d09d49d94377449f5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
391KB

MD5
e8595b1474d5758b4711f54636a15507

SHA1
d20cfdc7fea6e92346e45850126f7624303e28f4

SHA256
d6dbe002079eaaaa666f53f401f25c9a2a16e85bdc3a3a32160715d47bc1f6a5

SHA512
d9122b891fe4219b1f2a5636d61fced4958e3895d3a9a7009b6cc4b197fde34441d40e8f5150e720b48555d29aced239f58ecb49b36721428d822369c4a02268

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
391KB

MD5
5cd15ec8d24a1d09fc9128a17fa875b9

SHA1
148af46307746ba82456a6778eb5dddd2c75a770

SHA256
83ae4c45babd27aa6caeda0ff37c86b3cfc2170bc1aa3c0a563d68ea4e2c3d36

SHA512
93d055baf0da9c9ed32fea9bb4ead919a8d229a7052ea87dcfac3d0752937df9d61b3d67fdecd290e2d004dfe1366b4c24353ae4070841020f132a10c9a1d41a

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
391KB

MD5
bf16e533cfd712301dfc45d7830d6548

SHA1
9bf1251696465e66a43ae2ba50e541e9634bd061

SHA256
4739ca9e24346f1e1c2046240caf62d93f2619940c608b9bfa9d625beba95fea

SHA512
01eaeff8877e92e7839af2e88d318003d25804d1cfb7b8790e76ff7b249fcf8ceea3e0c4b41291ca44571e3fe2a901aad152981c34acccef843ebea6518fe91d

Download Submit
memory/400-371-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/400-899-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/436-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/436-546-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/448-472-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-123-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-624-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-971-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/732-681-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1032-706-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-570-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-48-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1408-32-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1408-999-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1408-558-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1448-405-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1448-887-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1456-688-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1456-210-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1468-335-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1544-299-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1636-180-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1636-664-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1804-226-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1804-700-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1816-606-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1912-613-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1912-102-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1920-329-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1948-461-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1952-359-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1952-904-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2240-287-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2444-444-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2452-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2452-576-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2484-140-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2484-967-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2484-636-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2488-979-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2488-92-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2488-601-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2692-365-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2724-564-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2724-39-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2748-263-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2796-411-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2888-539-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2888-7-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2892-719-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2892-249-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-494-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3008-347-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3132-275-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3192-794-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3196-148-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3208-132-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3208-631-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3260-961-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3260-164-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3260-652-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3372-694-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3636-156-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3704-323-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3708-305-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3928-618-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3928-115-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3928-973-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3960-83-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3960-583-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3964-905-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3964-353-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-188-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-671-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4172-393-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4268-399-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4300-269-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4312-241-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4312-712-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4332-281-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4348-23-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4348-552-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4432-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4432-533-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4492-594-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4492-981-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4492-84-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4508-317-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4536-341-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4620-311-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4620-920-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4632-488-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4648-196-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4712-387-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4748-659-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4748-172-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4776-432-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4812-257-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4856-293-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4932-438-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4964-582-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4964-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4980-450-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5148-500-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5228-511-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5252-713-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5264-517-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5304-523-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5660-577-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads