370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe
Size

428KB
MD5

0e80e5e39a283bd420ed48a3181f2b13
SHA1

bba4b2a2431e1a525a5f46dfcf7cd914abd2808f
SHA256

370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34
SHA512

3b6ccbb68c4311d234e9852b8424123b27550d5fe2f879ae447def86647765a4214f038e007fbd9f33ec3d852ca8f4993332015c22bb44a2cf1ae2b1f31f2a61
SSDEEP

6144:zj2rh5ZXZuKVp1fNrNF5ZXZ7SEJtKa4sFj5tPNki9HZd1sFj5tw:/2l5hjtFrNF5h0EJtws15tPWu5Ls15tw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pcppfaka.exePjmehkqk.exeAmddjegd.exeDddhpjof.exeCjmgfgdf.exePqdqof32.exeAgglboim.exeAmgapeea.exeAfoeiklb.exeBjmnoi32.exeAmpkof32.exeAjckij32.exeBapiabak.exeQfcfml32.exeBgehcmmm.exeDmgbnq32.exeAnogiicl.exeAfmhck32.exeAeniabfd.exeAepefb32.exeCndikf32.exeBcebhoii.exeBmpcfdmg.exeBeglgani.exeQceiaa32.exeAqppkd32.exeAjhddjfn.exeBfabnjjp.exeBcoenmao.exeCegdnopg.exeBaicac32.exeBgcknmop.exePnfdcjkg.exePcbmka32.exeQcgffqei.exeAnadoi32.exeBhhdil32.exeCnffqf32.exeCjpckf32.exeAccfbokl.exeBmkjkd32.exeBagflcje.exeDmjocp32.exeQffbbldm.exeAgjhgngj.exeBjagjhnc.exeChcddk32.exeBjddphlq.exeBeihma32.exeCjkjpgfi.exeCdfkolkf.exeCmlcbbcj.exeDfnjafap.exe370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exeBjokdipf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe

Executes dropped EXE 64 IoCs

Processes:

Pjhlml32.exePmfhig32.exePcppfaka.exePfolbmje.exePnfdcjkg.exePqdqof32.exePcbmka32.exePgnilpah.exePjmehkqk.exeQmkadgpo.exeQdbiedpa.exeQceiaa32.exeQfcfml32.exeQnjnnj32.exeQmmnjfnl.exeQddfkd32.exeQcgffqei.exeQffbbldm.exeAnmjcieo.exeAmpkof32.exeAgeolo32.exeAjckij32.exeAnogiicl.exeAeiofcji.exeAclpap32.exeAgglboim.exeAjfhnjhq.exeAnadoi32.exeAmddjegd.exeAqppkd32.exeAeklkchg.exeAgjhgngj.exeAfmhck32.exeAjhddjfn.exeAmgapeea.exeAabmqd32.exeAeniabfd.exeAglemn32.exeAfoeiklb.exeAnfmjhmd.exeAminee32.exeAepefb32.exeAccfbokl.exeBfabnjjp.exeBjmnoi32.exeBmkjkd32.exeBagflcje.exeBcebhoii.exeBganhm32.exeBjokdipf.exeBnkgeg32.exeBaicac32.exeBchomn32.exeBgcknmop.exeBjagjhnc.exeBmpcfdmg.exeBeglgani.exeBgehcmmm.exeBjddphlq.exeBnpppgdj.exeBanllbdn.exeBeihma32.exeBhhdil32.exeBjfaeh32.exe

pid	process
5028	Pjhlml32.exe
112	Pmfhig32.exe
2708	Pcppfaka.exe
2312	Pfolbmje.exe
3840	Pnfdcjkg.exe
1952	Pqdqof32.exe
3696	Pcbmka32.exe
384	Pgnilpah.exe
4312	Pjmehkqk.exe
852	Qmkadgpo.exe
4428	Qdbiedpa.exe
4960	Qceiaa32.exe
876	Qfcfml32.exe
1232	Qnjnnj32.exe
3264	Qmmnjfnl.exe
4612	Qddfkd32.exe
2872	Qcgffqei.exe
1156	Qffbbldm.exe
3584	Anmjcieo.exe
4480	Ampkof32.exe
4868	Ageolo32.exe
2932	Ajckij32.exe
1064	Anogiicl.exe
4636	Aeiofcji.exe
688	Aclpap32.exe
2856	Agglboim.exe
2976	Ajfhnjhq.exe
4732	Anadoi32.exe
3932	Amddjegd.exe
5016	Aqppkd32.exe
1608	Aeklkchg.exe
2868	Agjhgngj.exe
3156	Afmhck32.exe
4644	Ajhddjfn.exe
4640	Amgapeea.exe
4896	Aabmqd32.exe
2308	Aeniabfd.exe
2904	Aglemn32.exe
2352	Afoeiklb.exe
4372	Anfmjhmd.exe
312	Aminee32.exe
3212	Aepefb32.exe
5068	Accfbokl.exe
4844	Bfabnjjp.exe
4040	Bjmnoi32.exe
4828	Bmkjkd32.exe
1068	Bagflcje.exe
3924	Bcebhoii.exe
4704	Bganhm32.exe
3588	Bjokdipf.exe
4860	Bnkgeg32.exe
1456	Baicac32.exe
2016	Bchomn32.exe
4608	Bgcknmop.exe
2540	Bjagjhnc.exe
5036	Bmpcfdmg.exe
2712	Beglgani.exe
1208	Bgehcmmm.exe
536	Bjddphlq.exe
2008	Bnpppgdj.exe
4400	Banllbdn.exe
1224	Beihma32.exe
3464	Bhhdil32.exe
3172	Bjfaeh32.exe

Drops file in System32 directory 64 IoCs

Processes:

Aeiofcji.exeAeniabfd.exeBnkgeg32.exeBanllbdn.exeBeihma32.exeDdakjkqi.exeQdbiedpa.exeAclpap32.exeAccfbokl.exeCenahpha.exeCnffqf32.exe370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exeQnjnnj32.exeQmmnjfnl.exeAnogiicl.exeBjmnoi32.exeBmkjkd32.exeDaqbip32.exeBaicac32.exeBeglgani.exeBhhdil32.exeBapiabak.exeQffbbldm.exeAglemn32.exeAminee32.exeBganhm32.exeBgehcmmm.exePjhlml32.exeQfcfml32.exeAnadoi32.exeAmgapeea.exeBnbmefbg.exeCjinkg32.exeCajlhqjp.exeCjpckf32.exeCjkjpgfi.exePcbmka32.exeAjckij32.exeAfmhck32.exeAabmqd32.exeBjagjhnc.exePfolbmje.exeAmpkof32.exeAeklkchg.exeDmcibama.exeAnmjcieo.exeAgeolo32.exeAnfmjhmd.exeBjokdipf.exePcppfaka.exeAjfhnjhq.exeAfoeiklb.exeBcebhoii.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 884 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
3916	884	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pgnilpah.exePjmehkqk.exeAmpkof32.exeBapiabak.exeChokikeb.exePcppfaka.exeQfcfml32.exeAnogiicl.exeAqppkd32.exePfolbmje.exeAglemn32.exeCjkjpgfi.exePjhlml32.exeQdbiedpa.exeQffbbldm.exeAminee32.exeBmpcfdmg.exeCjinkg32.exeDddhpjof.exeAclpap32.exeAgglboim.exeAgjhgngj.exeBeihma32.exeDmgbnq32.exeDdakjkqi.exeAfoeiklb.exeBfabnjjp.exeBgcknmop.exeCnffqf32.exeCegdnopg.exePnfdcjkg.exeAgeolo32.exeAccfbokl.exeBgehcmmm.exeBjddphlq.exeBcoenmao.exePmfhig32.exeQceiaa32.exeBjokdipf.exeCabfga32.exeCjmgfgdf.exePcbmka32.exeAfmhck32.exeAeniabfd.exeQmkadgpo.exeAjckij32.exeAeiofcji.exeAmgapeea.exeChmndlge.exeCajlhqjp.exeDaqbip32.exeAjfhnjhq.exeBganhm32.exeBchomn32.exeBjagjhnc.exeBnbmefbg.exeCndikf32.exeDfnjafap.exeBhhdil32.exeCdfkolkf.exe370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exeQnjnnj32.exeAeklkchg.exeAjhddjfn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe

Modifies registry class 64 IoCs

Processes:

Pjmehkqk.exeDmcibama.exeAeiofcji.exeAgjhgngj.exePnfdcjkg.exeAfoeiklb.exeBjokdipf.exeBaicac32.exeCjpckf32.exeChcddk32.exeBjfaeh32.exeCajlhqjp.exeCdfkolkf.exePcppfaka.exePqdqof32.exeQceiaa32.exeAminee32.exeBmkjkd32.exeBcoenmao.exeQffbbldm.exeAjckij32.exeAglemn32.exeAccfbokl.exeBfabnjjp.exeBmpcfdmg.exeCnffqf32.exeBjagjhnc.exeBhhdil32.exeCabfga32.exeAmpkof32.exeBchomn32.exeDaqbip32.exeBgcknmop.exeQmkadgpo.exeAnadoi32.exeAjhddjfn.exeCjinkg32.exeDfnjafap.exePmfhig32.exeQnjnnj32.exeAgeolo32.exeAclpap32.exeAeniabfd.exeBeihma32.exeChokikeb.exeBjmnoi32.exePgnilpah.exeQdbiedpa.exeBeglgani.exeBnpppgdj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exePjhlml32.exePmfhig32.exePcppfaka.exePfolbmje.exePnfdcjkg.exePqdqof32.exePcbmka32.exePgnilpah.exePjmehkqk.exeQmkadgpo.exeQdbiedpa.exeQceiaa32.exeQfcfml32.exeQnjnnj32.exeQmmnjfnl.exeQddfkd32.exeQcgffqei.exeQffbbldm.exeAnmjcieo.exeAmpkof32.exeAgeolo32.exe

description	pid	process	target process
PID 2552 wrote to memory of 5028	2552	370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe	Pjhlml32.exe
PID 2552 wrote to memory of 5028	2552	370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe	Pjhlml32.exe
PID 2552 wrote to memory of 5028	2552	370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe	Pjhlml32.exe
PID 5028 wrote to memory of 112	5028	Pjhlml32.exe	Pmfhig32.exe
PID 5028 wrote to memory of 112	5028	Pjhlml32.exe	Pmfhig32.exe
PID 5028 wrote to memory of 112	5028	Pjhlml32.exe	Pmfhig32.exe
PID 112 wrote to memory of 2708	112	Pmfhig32.exe	Pcppfaka.exe
PID 112 wrote to memory of 2708	112	Pmfhig32.exe	Pcppfaka.exe
PID 112 wrote to memory of 2708	112	Pmfhig32.exe	Pcppfaka.exe
PID 2708 wrote to memory of 2312	2708	Pcppfaka.exe	Pfolbmje.exe
PID 2708 wrote to memory of 2312	2708	Pcppfaka.exe	Pfolbmje.exe
PID 2708 wrote to memory of 2312	2708	Pcppfaka.exe	Pfolbmje.exe
PID 2312 wrote to memory of 3840	2312	Pfolbmje.exe	Pnfdcjkg.exe
PID 2312 wrote to memory of 3840	2312	Pfolbmje.exe	Pnfdcjkg.exe
PID 2312 wrote to memory of 3840	2312	Pfolbmje.exe	Pnfdcjkg.exe
PID 3840 wrote to memory of 1952	3840	Pnfdcjkg.exe	Pqdqof32.exe
PID 3840 wrote to memory of 1952	3840	Pnfdcjkg.exe	Pqdqof32.exe
PID 3840 wrote to memory of 1952	3840	Pnfdcjkg.exe	Pqdqof32.exe
PID 1952 wrote to memory of 3696	1952	Pqdqof32.exe	Pcbmka32.exe
PID 1952 wrote to memory of 3696	1952	Pqdqof32.exe	Pcbmka32.exe
PID 1952 wrote to memory of 3696	1952	Pqdqof32.exe	Pcbmka32.exe
PID 3696 wrote to memory of 384	3696	Pcbmka32.exe	Pgnilpah.exe
PID 3696 wrote to memory of 384	3696	Pcbmka32.exe	Pgnilpah.exe
PID 3696 wrote to memory of 384	3696	Pcbmka32.exe	Pgnilpah.exe
PID 384 wrote to memory of 4312	384	Pgnilpah.exe	Pjmehkqk.exe
PID 384 wrote to memory of 4312	384	Pgnilpah.exe	Pjmehkqk.exe
PID 384 wrote to memory of 4312	384	Pgnilpah.exe	Pjmehkqk.exe
PID 4312 wrote to memory of 852	4312	Pjmehkqk.exe	Qmkadgpo.exe
PID 4312 wrote to memory of 852	4312	Pjmehkqk.exe	Qmkadgpo.exe
PID 4312 wrote to memory of 852	4312	Pjmehkqk.exe	Qmkadgpo.exe
PID 852 wrote to memory of 4428	852	Qmkadgpo.exe	Qdbiedpa.exe
PID 852 wrote to memory of 4428	852	Qmkadgpo.exe	Qdbiedpa.exe
PID 852 wrote to memory of 4428	852	Qmkadgpo.exe	Qdbiedpa.exe
PID 4428 wrote to memory of 4960	4428	Qdbiedpa.exe	Qceiaa32.exe
PID 4428 wrote to memory of 4960	4428	Qdbiedpa.exe	Qceiaa32.exe
PID 4428 wrote to memory of 4960	4428	Qdbiedpa.exe	Qceiaa32.exe
PID 4960 wrote to memory of 876	4960	Qceiaa32.exe	Qfcfml32.exe
PID 4960 wrote to memory of 876	4960	Qceiaa32.exe	Qfcfml32.exe
PID 4960 wrote to memory of 876	4960	Qceiaa32.exe	Qfcfml32.exe
PID 876 wrote to memory of 1232	876	Qfcfml32.exe	Qnjnnj32.exe
PID 876 wrote to memory of 1232	876	Qfcfml32.exe	Qnjnnj32.exe
PID 876 wrote to memory of 1232	876	Qfcfml32.exe	Qnjnnj32.exe
PID 1232 wrote to memory of 3264	1232	Qnjnnj32.exe	Qmmnjfnl.exe
PID 1232 wrote to memory of 3264	1232	Qnjnnj32.exe	Qmmnjfnl.exe
PID 1232 wrote to memory of 3264	1232	Qnjnnj32.exe	Qmmnjfnl.exe
PID 3264 wrote to memory of 4612	3264	Qmmnjfnl.exe	Qddfkd32.exe
PID 3264 wrote to memory of 4612	3264	Qmmnjfnl.exe	Qddfkd32.exe
PID 3264 wrote to memory of 4612	3264	Qmmnjfnl.exe	Qddfkd32.exe
PID 4612 wrote to memory of 2872	4612	Qddfkd32.exe	Qcgffqei.exe
PID 4612 wrote to memory of 2872	4612	Qddfkd32.exe	Qcgffqei.exe
PID 4612 wrote to memory of 2872	4612	Qddfkd32.exe	Qcgffqei.exe
PID 2872 wrote to memory of 1156	2872	Qcgffqei.exe	Qffbbldm.exe
PID 2872 wrote to memory of 1156	2872	Qcgffqei.exe	Qffbbldm.exe
PID 2872 wrote to memory of 1156	2872	Qcgffqei.exe	Qffbbldm.exe
PID 1156 wrote to memory of 3584	1156	Qffbbldm.exe	Anmjcieo.exe
PID 1156 wrote to memory of 3584	1156	Qffbbldm.exe	Anmjcieo.exe
PID 1156 wrote to memory of 3584	1156	Qffbbldm.exe	Anmjcieo.exe
PID 3584 wrote to memory of 4480	3584	Anmjcieo.exe	Ampkof32.exe
PID 3584 wrote to memory of 4480	3584	Anmjcieo.exe	Ampkof32.exe
PID 3584 wrote to memory of 4480	3584	Anmjcieo.exe	Ampkof32.exe
PID 4480 wrote to memory of 4868	4480	Ampkof32.exe	Ageolo32.exe
PID 4480 wrote to memory of 4868	4480	Ampkof32.exe	Ageolo32.exe
PID 4480 wrote to memory of 4868	4480	Ampkof32.exe	Ageolo32.exe
PID 4868 wrote to memory of 2932	4868	Ageolo32.exe	Ajckij32.exe

C:\Users\Admin\AppData\Local\Temp\370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe
"C:\Users\Admin\AppData\Local\Temp\370d080a957e9028e5a05adc0104f6005d4d11c5ed8b3f8485b6c0ef37a0ef34.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Pjhlml32.exe
  C:\Windows\system32\Pjhlml32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\Pmfhig32.exe
    C:\Windows\system32\Pmfhig32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\Pcppfaka.exe
      C:\Windows\system32\Pcppfaka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        69⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        73⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:832
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2620
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        92⤵
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 396
        93⤵
        Program crash
        
        PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 884 -ip 884
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
428KB

MD5
471e81b3baec60fd56d571c36d20a6e7

SHA1
c80738c16e2ab7a735ab1b49edf620f7665a7e1c

SHA256
52a7b7062691db14982ffa6a4383731915e6bcb1c766b1d735f08ae898a77395

SHA512
9677e604d0d1260f1b6685ea045282943f63185db4122c308d84a16a29ec05d303c7c2070960999c351c798f951339c6135e15a2ae95e8622d17d20dd60b6fca

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
428KB

MD5
3ad45b035635f529c551db9437e5800e

SHA1
3356db1352983f0ad0e5d134b83388ab94dae164

SHA256
e4feb6baf506878aae8d93e4a13bcc0a36d06dc8bce4a8716898b55f4a13af80

SHA512
2f0e22ec51ddd14978a1d6dc5a8571fb8fcca120994842d4e264328451f57e633b7b4a717f20dc0a77a29ddc4a71534b3afa405d7ff8a868df5ac5e63334d4e3

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
428KB

MD5
774751c1944ed1ec03f0955930934a94

SHA1
cb99e29030a96e51411326a97506373c853a0b9d

SHA256
d6a62833c5adf33223ef3bb765d58f365581ee583ba163a22e9321143383088c

SHA512
bdd804770e9a1be4417488b9f4427a8ebb866476611271124ba32752a6cbc349b12cf7fc03b118b74bfa4d0ccfbffa3abb1527e58094edfe92ef68bc175a7a0a

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
428KB

MD5
089e5ba8c52d70b3f5456445bab5f167

SHA1
1a91f0acc375766672d6c728709369829db5c057

SHA256
f5fbbdd8b45dc5db6bf2def96781545fa7bdc7d302751b3d73c11b1d5dabf160

SHA512
34edbf58b1f19b50780628a00004bc73b3c996f62fd3935d6f755c49969088ce81d019fce3d5a64103951e538a6d31906e3e5664100b1f61ae8d83a35b967b8b

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
428KB

MD5
74abac82b951b9ce2bf3646a8352c122

SHA1
1631adc97ffeb1cd4142480050b77c724be1284b

SHA256
5b46d4edb04f0a3e1474cb145c117bb1016cd22f16331184634e5da09aea382d

SHA512
777b9496a97dfff91a72f5bf61ca64e89479c3b00553ac13c36c37627f6bf493a1595f10ef1b7e10b495954d4cb7b6547076e71d5dafc2e258aa23ca09b2080f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
428KB

MD5
d840fb53dbed9a9267c388230bf12f7e

SHA1
e09831d255bb8b57a14bb23827c2755390f95da9

SHA256
673b07c8f4be8d38c66b14ad8b9990dab2ac2ab7bd19abf37dd6496baf40c9fa

SHA512
d05d334c7179991b6e3c197ce261c88d6063a2b15d1eb683970ec2839575997802eb042d53f5eac5b79a80845c70ad43350fcec65b60f9c4fd666258bc2b0cbe

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
428KB

MD5
e69d9976c66bb42e1968097892cd5daf

SHA1
b6296764b97bd02acb5dc9e61db11b825bea3b1b

SHA256
faf4d3e766825940e0d2acef211648c384d402690c9d4583c25f2a2d531cd876

SHA512
ffa528681d5d1dce8fc301b75a987faa470a260d3fa72c87cb3ef17c08ce36f86a910d262913fa275c34d2b29ca7a1f49af87269c2185b94f711e2f26a895f8b

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
428KB

MD5
bfa2ff6ca3748417c21b7ec0b0ab0035

SHA1
ae31b5a6c48bfa9260edd7df81fe5bb76a9b491f

SHA256
107890c64e1a4869a7148dfd163fd2827833b2a63241af7cb39021dd68c92a05

SHA512
be45de3ab5f4835f1c315c287f549216646aa088d745c9d374de20959d00224914b7038d23f926eced2e72dd6fa3fd68ecd84e6fa2eec40a893c34ee9b77fd1c

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
428KB

MD5
6b5795f2427d7ce5d6641f7dabcb4d47

SHA1
3c16506de3532224686734d872ae32128d12e5e2

SHA256
bc6195fdf5dd50e0f68d34f753a4e427c117be94422fca00b8c5b25a57ab1976

SHA512
357a3a19fe9b6967e5cb8442be5850669a0172d6a14846f8c8303a66a6e3f06a6f1466dc62bb1e69d2a683dfd92aee763162f9f1a67c17fc81243ad0a9962162

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
428KB

MD5
dfa3578114647c11364096d1d720b382

SHA1
2d65b40815a8fe92a75be574c2a9c400879cb943

SHA256
a2b5a930239621a8c1cdd67d3426575dd0ef6093995773a92588be8a3745a341

SHA512
aac14ded42247cfe098feb56e443668e63eb67d116aec2de70569b23f3513b3a1f4cda68b6327d7c909868b397368317bbd43b3fe03eb14dccdabe5846692238

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
428KB

MD5
f172c87a9f8710ae7c26d38f34312050

SHA1
602ed3bbbbcda153c2349ec07a8eda0fc74a9469

SHA256
d3c0bead5395f83f59ca56784ad54975ecc5d37f094e38b65cafd2a18df13e9e

SHA512
ad1dfc3013540dc50c9bd84095e08b13ca3ec1a42980cfd22bd95301194a8155e68992f8cabccd3dd25ecbeded24eb632156528d1d6d7b7e24a065173df5be9e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
428KB

MD5
b893e626b71cc24c7391efb1335c6db4

SHA1
baa3a8564a72b4245be25896cab9e863d51a1a9b

SHA256
a1af33f3bbf642d41981ff9b6774351cba09e9f27bb583d20226133eb52ccf6c

SHA512
1b4014bfc9a84305e6fe4f5d35019952cd993542a3b8edd0f4ab8855093441f787230981f278695b318d0bac450a788f9a1636858bb815ea1edd57dc53dcc00a

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
428KB

MD5
2e8970aac87fc9896f6987e793c7e721

SHA1
3c080ef2a616eddcb34099d0f941344e18776c41

SHA256
7c50201602ce5205129b10679abae5d26d22f9d83b3f93f27fbe83f00103ed5c

SHA512
56e416d6a2df52ad1a8c543fc3d1c119ee22189f643097f467095a791573f89427939f88f34359d45ba1dd403f53669420aa72e35e188507850215799d897874

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
428KB

MD5
9b5084a2c65fe00498de2bae0e304583

SHA1
41e0c1ccf94f9ccc5197590e5a851f39d6108a41

SHA256
205e83467df4d479c2abf6c3c7315fd4453b54d67476c52a951233f313102114

SHA512
62784d22c77d072a9f72827b2e60bc9999578c7e9bc74b9c6173ca9ee77a4f000c3d400586a00c4d595197cb069f85ea2bfee3b98ff1effd6d7b68d7da6ced41

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
428KB

MD5
83c27506a2b5b50864d52059b6cf1ec7

SHA1
3258d0ca37cf58379b587098f49db5c84d79763f

SHA256
99f5a15130f41a1fa04599662b63a60834cc658311e8a24469b15c8497d35139

SHA512
05061311cce49c7747e69efa0eeb37200e8cd980e7ff8403f254ce2f74db17cb1634bd76911d27a899d656e58df3f2b45d8bf6b479994d14cc88b0828f97a959

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
428KB

MD5
35afb84bbbfb20c06a1ca483c71b3d35

SHA1
84a6996f0572c33eafb0bea33ca6bab130398a4f

SHA256
090508294a6881e62c8cb2cb1388a4d9a9f4aa8b4d610bd0c7efd8f807ec31e3

SHA512
fa03ef205fd1173a2fa96d379b32bcf6d203871e7dc0caccfdf41a5c8e791247e018738728e0d5e054f2c8ca4ad674923508dfb39d4bbaa4cb85bf4a4d54aef4

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
428KB

MD5
050ace919c3bbdeee8f8bfaaa73306bb

SHA1
3dfa2865fbbf0e79db0b31fd2625e04f73968817

SHA256
5629d8dd492e9267fc815a2bb5941a540f67beecdd7d5796a7c6159a935c2c11

SHA512
ec6e38acec74f4db4ccd0575bbfda05f7f6d7022fe23f2ccdd08beb208782b3a1d2d3ffdad261a62cf4bfd5ea2c1c01409d8c9c8fb8ac9c648df861f2831acd5

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
428KB

MD5
edea71ca6b3e0996b8f9a1f190381af1

SHA1
bf66aab53f8311eb3d1546344d0f0ed87615778c

SHA256
d73fc8f9b0343ce456579618a226c6f870ed66243800b424ae863f2192265e8b

SHA512
5feccbcbadcc928cbced3f8c420ece7308f5dc08e8813621c184abc08f434578ee009292d0c28efdca060afada0d61f842d1af5029290b626baf8257c7201daa

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
428KB

MD5
66a1779c26046ff1bfdea46a66213173

SHA1
ed38fd6081fbe650baa1d524707d0bd50fd21ec3

SHA256
0858b8c22982e048ba49334661a8c2bf0667779b12af6aaf82e287d82939f644

SHA512
52507f4a30210c4827cfc9dbd87da4f05854ac06836748841197f1ea3f543a6425aa2d4b1efc290a8a378ca43eb7ec6730907cb52223558cd2d4bdcab185b5b7

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
428KB

MD5
325023fbd671f9f60918241b9b8c49bf

SHA1
31bb01df0dc1d3602fda9c9791beb5a251947d12

SHA256
0c9ed2b40f314c0adfb394e5ee19d6594c44b79a208ca2ab044646448baa5e9a

SHA512
a7709cf8d0cda5bf772fc4eaac43870f1961c98401d7c996c89512448792ceafd1bc76bf7f8568c6daa5b310775714643136846331503cb45c850a1b7ac78b2c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
428KB

MD5
106e3e4934cd64176e995df92665018f

SHA1
3277584f720c8f0d4559b021e861102765c96be2

SHA256
843ca975923f5205cc2b767263382cb2dcaec6ebef6dd81b6e3d56167bc5d91c

SHA512
1759becc3be9c7c2fd6280f300d32eceaefcd0ec58440ddb0297096ee87d9c10c733e38c6ed9402f3e4bcbf19619a46d950284d3648cde557c048b2ab41ee082

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
428KB

MD5
5a28a4904eafaa30795fe9244ac371f4

SHA1
ed020ce60c6744c633bc4da7bb4d080a10d60fd3

SHA256
327d9270d18de3e533ab7956d97df4f48a3d027ff1a65e53a6e4f4365c5ee0c7

SHA512
cff043f08a32b64f4679b9cc70c3054aeaf6de17bec641edf183d03148a33b8f620b512dc97a7f7bef5f0b3ce7369674fa0c6f0f29cf8693cc07b3cab5707245

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
428KB

MD5
27a55bef314bea496ef7d56f8398be7a

SHA1
375b00e76f693aef4da61f25e06ee69969d09cad

SHA256
e1aa2cb979d80891ede87141100a6d245d4f83ddf843ec0f36f2d127624b8b11

SHA512
ecd1457704658b97f1e01a0877678a9fa7cb316c530a4f108295280cdfe1e5db8dcd86af69c03abf5e22dce38ce7c21c7197c160a74c16bbee33cd325d626ca9

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
428KB

MD5
8c31448b110d7db056d36e32c4d77c96

SHA1
8f1aef2a9242dfc10813505cd60deba52b17d86e

SHA256
ff21209a5b8147b898d2fdf018fee34b8025f8c497d8b97cc0ffbad37020f795

SHA512
703ba941c4f3b618f3cead1596319b7b3555b9c0661322485ad815d9801568c3de423d6e26772ba1f5a5de5a74dfd65c7f578c769892284dcb7404450039d6d4

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
428KB

MD5
bdd18410548f3e46ac85627ac4d030c4

SHA1
972342e36ba44dec5af1c0d3154f79b5ec5c6f39

SHA256
d3a7b2bfe50be9ebd728f8673f1118aea77afd950ac2a7871d3a090f1509333d

SHA512
42616c8b61b247a99a8fa7c8e2eafd3d7c1219e1db6220e2d5081b583fc73b3c66bef956d2fd6e33c748bf27d14fb1ad9fcb70a41db41f64facbd6eba6e4e49f

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
428KB

MD5
8d4021aa7af61e7ad25c5423cb9127d0

SHA1
1b8bbee44c49900cdaa45c2c28f19947772e2065

SHA256
a67296679d1fe98d0c1ebf59708fdf1b82c72c29f4472c7e0260d94164c797f2

SHA512
24e58a63277991e3cf96a606f335e89dc6131713341f9b208525b0cb922056d22e21893b555cd4a418a07048ea6dcbf27d4110b086c140bdfee0d40e132e91c6

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
428KB

MD5
e06075393e99bd4b87e49be45b819fb5

SHA1
8a22d5ee8902cc1daa2bf36b67078e218be24a28

SHA256
7960e9a450c36c1d7962611db9f112f42c62baed4adb9d303f9d1f13e07e21bb

SHA512
9f02c6522c00d7a9bbebd1ed4bf4be5024235ab6d451b4da6e1ec052f7d923cdcdeba4ec871771311e81017c7de427e032c51763255ae6c55f3054ce2e327f59

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
428KB

MD5
959bc7b499f168d8af3ddef5d336dbba

SHA1
25444b64a1a086e7bd9db5cb4abc5e9a5553720f

SHA256
dbf37ebaf99bd9edef403beef49793fe97126882e4e370c53eead840650f3ee9

SHA512
0ea663c27f5a9df57c8c60406bb3f921bf20ba865653311abd346a084f59745634c088ff6fda5153686e1b0395f098f618062fc1fd18ddadc5e1d1053fe67bfe

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
428KB

MD5
7b3651e6fac54309dba47c4e50b71851

SHA1
807b66585185f101bcf1883b68e37bd4594d2160

SHA256
a32a7018b3cff46aef1e7d6d21108a65fc1ffc151696d5bb8f9d79a11087a67e

SHA512
9b1a0dc59029082e41f69da4ac2b1aff16a9b7d12f4075adbd96ef7bb0df21e0d9a3b911646078702f4629fea953d3456f779aa0f08f7f7e70ccfe12f45fa056

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
428KB

MD5
ae700942070cd850f821eb744d38c1c3

SHA1
0a8eda5eb8242ac16d3d056c023b8ffecc843f09

SHA256
d89121f245696c27a3e66a040ad08660fbfd4dfb381582b3a7f64a0eb7496abe

SHA512
aee7b5f4d4b0326f198f47da7ffa710d7133b7a655c3486410a5b0a6544b654e760894f11b5be61a2d5d001750b3e903668276bac7d2af8a1d3be4501b81c52f

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
428KB

MD5
d54ac41c2866cd85d12ec006acc5967e

SHA1
38bd1a5094ddd66e78cd4f24742f7a9f514660b7

SHA256
96a3e92183645edcc880acf927a55f91b40628d24334b8638bc79c5cd1ad1d5f

SHA512
d8c7ed6227f5418707d776281aa35dac84077f5f63ec5963cfe5014e8b273adf61c4c101812f1f9430263ce0df8acbc47662728091b57ba34ee4d6cb238605c8

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
428KB

MD5
45cb1a577f7639bef50b3867385e6601

SHA1
981029184ef303fe3da9b1bab7997d851aadb4ca

SHA256
7b2734a275eccb796f124f0e2eccbd6874266327e98aad66845612fdfc6029fe

SHA512
b0e72da576d2f34656a09a9cc89b20b92a8d95439856a6894e8b9713f3ce41a22e95c92a186dd985b86da15c46b686e68208e07a4e3713cc7bb5809b2652fa77

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
428KB

MD5
c82131ea5f32a3545cc05fd50936124c

SHA1
619bffa9125db787498cbeb08ccaaa8ff8497448

SHA256
1ab256009fdd0f17b611548a9e1ae9d53de379a381466c1d80e4c7a9bd553a44

SHA512
2126c3f6d070cde0c170854e7225a93d2a54ac9187c7b62351ee26ebebb66fd80bf5027390af4286b0eb08acd658e09c87c4fe60936b4a5620b296bb3c0d6714

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
428KB

MD5
78b1c57c9647f67315204f353258720c

SHA1
100ac55858ef84c0d0306c8827d531f6f2391a40

SHA256
b3c79f7ab21ac2054f464c04b7c62d08fa71ab1f246aa4bac393009b38a50efa

SHA512
d7fb44e5e8f7e558a8f6d7f19612836125ccd240e7019da848620d8e90f38768bded58655ad449a8c0aec6d191df17a5d4292d6a78859cb83816f913581cea12

Download Submit
memory/112-20-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/112-538-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/312-306-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/384-68-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/384-573-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/536-410-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/688-198-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/816-472-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-506-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-624-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/852-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/852-587-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/876-107-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/884-595-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/884-599-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/988-626-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/988-500-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1068-340-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1160-547-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1160-612-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1484-530-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1484-618-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1608-244-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1952-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1952-566-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-375-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2144-632-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2248-608-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2308-282-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2312-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2312-546-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2332-606-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2332-567-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2352-294-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2540-387-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2552-524-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2552-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2620-581-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2620-603-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2708-28-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2708-545-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2712-399-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2868-253-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2904-287-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2932-176-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2976-213-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-554-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-610-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3212-311-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3264-123-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3464-431-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3468-574-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3468-604-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3540-532-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3540-616-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3588-357-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3596-488-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3596-630-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3696-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3696-564-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3840-553-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3840-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3932-229-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4012-620-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4012-521-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4032-628-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4032-494-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4040-329-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4292-614-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4292-540-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4312-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4312-580-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4372-300-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4428-594-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4480-160-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-512-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-622-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4608-381-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4612-131-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4640-269-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4640-708-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4644-263-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4704-351-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4732-221-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4828-335-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4860-364-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4868-168-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4896-275-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4960-99-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4960-596-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4984-588-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4984-600-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5016-236-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5028-531-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5028-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5036-393-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5068-318-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download