da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 03:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe
Size

256KB
MD5

740da17feb87e5810954ff99a4f2e643
SHA1

df5fe48e4b2f7d6def995f2a15a19f645a3fd460
SHA256

da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64
SHA512

56171d8d0eead015b19209b3f0dec0d1666f4d0d72f065f6160d12fb8c3436b32c669aeaf1a9b648956f18f567b4cbd7035a242b68d952f40431b52a9406fb14
SSDEEP

6144:xifCs14GsMUkXE4rQD85k/hQO+zrWnAdqjeOpKfduBU:xif7CGlD5rQg5W/+zrWAI5KFuU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1224	Pgnilpah.exe
3784	Pjmehkqk.exe
2276	Qdbiedpa.exe
4528	Qfcfml32.exe
4064	Qmmnjfnl.exe
2024	Qddfkd32.exe
2920	Qgcbgo32.exe
3280	Ajanck32.exe
4876	Acjclpcf.exe
1556	Afhohlbj.exe
4224	Anogiicl.exe
4008	Aqncedbp.exe
3956	Afjlnk32.exe
3448	Aeklkchg.exe
2296	Afmhck32.exe
1496	Andqdh32.exe
4492	Acqimo32.exe
2492	Ajkaii32.exe
2812	Aminee32.exe
5064	Aepefb32.exe
2332	Agoabn32.exe
4684	Bmkjkd32.exe
2820	Bnkgeg32.exe
2044	Bchomn32.exe
4380	Bnmcjg32.exe
3356	Balpgb32.exe
1920	Bgehcmmm.exe
5076	Bjddphlq.exe
2760	Bnbmefbg.exe
3600	Belebq32.exe
3508	Cfmajipb.exe
3612	Cndikf32.exe
3308	Cdabcm32.exe
224	Chmndlge.exe
4456	Cnffqf32.exe
1040	Cmiflbel.exe
640	Cdcoim32.exe
4804	Chokikeb.exe
2468	Cnicfe32.exe
2668	Cagobalc.exe
4220	Cdfkolkf.exe
1192	Cfdhkhjj.exe
4364	Cnkplejl.exe
2824	Cajlhqjp.exe
4300	Chcddk32.exe
4412	Cffdpghg.exe
2928	Cnnlaehj.exe
2748	Calhnpgn.exe
3856	Ddjejl32.exe
3440	Djdmffnn.exe
968	Dmcibama.exe
3412	Danecp32.exe
5004	Ddmaok32.exe
1836	Dmefhako.exe
1564	Delnin32.exe
4144	Ddonekbl.exe
4588	Dodbbdbb.exe
3456	Daconoae.exe
3452	Ddakjkqi.exe
3204	Dkkcge32.exe
1852	Dogogcpo.exe
2028	Daekdooc.exe
2400	Deagdn32.exe
2900	Dddhpjof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4600	2852	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 1224	3840	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe	84
PID 3840 wrote to memory of 1224	3840	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe	84
PID 3840 wrote to memory of 1224	3840	da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe	84
PID 1224 wrote to memory of 3784	1224	Pgnilpah.exe	85
PID 1224 wrote to memory of 3784	1224	Pgnilpah.exe	85
PID 1224 wrote to memory of 3784	1224	Pgnilpah.exe	85
PID 3784 wrote to memory of 2276	3784	Pjmehkqk.exe	86
PID 3784 wrote to memory of 2276	3784	Pjmehkqk.exe	86
PID 3784 wrote to memory of 2276	3784	Pjmehkqk.exe	86
PID 2276 wrote to memory of 4528	2276	Qdbiedpa.exe	87
PID 2276 wrote to memory of 4528	2276	Qdbiedpa.exe	87
PID 2276 wrote to memory of 4528	2276	Qdbiedpa.exe	87
PID 4528 wrote to memory of 4064	4528	Qfcfml32.exe	89
PID 4528 wrote to memory of 4064	4528	Qfcfml32.exe	89
PID 4528 wrote to memory of 4064	4528	Qfcfml32.exe	89
PID 4064 wrote to memory of 2024	4064	Qmmnjfnl.exe	90
PID 4064 wrote to memory of 2024	4064	Qmmnjfnl.exe	90
PID 4064 wrote to memory of 2024	4064	Qmmnjfnl.exe	90
PID 2024 wrote to memory of 2920	2024	Qddfkd32.exe	91
PID 2024 wrote to memory of 2920	2024	Qddfkd32.exe	91
PID 2024 wrote to memory of 2920	2024	Qddfkd32.exe	91
PID 2920 wrote to memory of 3280	2920	Qgcbgo32.exe	92
PID 2920 wrote to memory of 3280	2920	Qgcbgo32.exe	92
PID 2920 wrote to memory of 3280	2920	Qgcbgo32.exe	92
PID 3280 wrote to memory of 4876	3280	Ajanck32.exe	94
PID 3280 wrote to memory of 4876	3280	Ajanck32.exe	94
PID 3280 wrote to memory of 4876	3280	Ajanck32.exe	94
PID 4876 wrote to memory of 1556	4876	Acjclpcf.exe	95
PID 4876 wrote to memory of 1556	4876	Acjclpcf.exe	95
PID 4876 wrote to memory of 1556	4876	Acjclpcf.exe	95
PID 1556 wrote to memory of 4224	1556	Afhohlbj.exe	96
PID 1556 wrote to memory of 4224	1556	Afhohlbj.exe	96
PID 1556 wrote to memory of 4224	1556	Afhohlbj.exe	96
PID 4224 wrote to memory of 4008	4224	Anogiicl.exe	97
PID 4224 wrote to memory of 4008	4224	Anogiicl.exe	97
PID 4224 wrote to memory of 4008	4224	Anogiicl.exe	97
PID 4008 wrote to memory of 3956	4008	Aqncedbp.exe	99
PID 4008 wrote to memory of 3956	4008	Aqncedbp.exe	99
PID 4008 wrote to memory of 3956	4008	Aqncedbp.exe	99
PID 3956 wrote to memory of 3448	3956	Afjlnk32.exe	100
PID 3956 wrote to memory of 3448	3956	Afjlnk32.exe	100
PID 3956 wrote to memory of 3448	3956	Afjlnk32.exe	100
PID 3448 wrote to memory of 2296	3448	Aeklkchg.exe	101
PID 3448 wrote to memory of 2296	3448	Aeklkchg.exe	101
PID 3448 wrote to memory of 2296	3448	Aeklkchg.exe	101
PID 2296 wrote to memory of 1496	2296	Afmhck32.exe	102
PID 2296 wrote to memory of 1496	2296	Afmhck32.exe	102
PID 2296 wrote to memory of 1496	2296	Afmhck32.exe	102
PID 1496 wrote to memory of 4492	1496	Andqdh32.exe	103
PID 1496 wrote to memory of 4492	1496	Andqdh32.exe	103
PID 1496 wrote to memory of 4492	1496	Andqdh32.exe	103
PID 4492 wrote to memory of 2492	4492	Acqimo32.exe	104
PID 4492 wrote to memory of 2492	4492	Acqimo32.exe	104
PID 4492 wrote to memory of 2492	4492	Acqimo32.exe	104
PID 2492 wrote to memory of 2812	2492	Ajkaii32.exe	105
PID 2492 wrote to memory of 2812	2492	Ajkaii32.exe	105
PID 2492 wrote to memory of 2812	2492	Ajkaii32.exe	105
PID 2812 wrote to memory of 5064	2812	Aminee32.exe	106
PID 2812 wrote to memory of 5064	2812	Aminee32.exe	106
PID 2812 wrote to memory of 5064	2812	Aminee32.exe	106
PID 5064 wrote to memory of 2332	5064	Aepefb32.exe	107
PID 5064 wrote to memory of 2332	5064	Aepefb32.exe	107
PID 5064 wrote to memory of 2332	5064	Aepefb32.exe	107
PID 2332 wrote to memory of 4684	2332	Agoabn32.exe	108

C:\Users\Admin\AppData\Local\Temp\da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe
"C:\Users\Admin\AppData\Local\Temp\da2bf9b6fe7a0cf61b947ae8156f98157d43e51073c82271c6cf79ddbd96fc64.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\SysWOW64\Pgnilpah.exe
  C:\Windows\system32\Pgnilpah.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\Pjmehkqk.exe
    C:\Windows\system32\Pjmehkqk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\SysWOW64\Qdbiedpa.exe
      C:\Windows\system32\Qdbiedpa.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 416
        69⤵
        Program crash
        
        PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2852 -ip 2852
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
256KB

MD5
09f4167e9d8b6bd7ac254d84e31542b5

SHA1
b5a0c2a4dfc393bc90dc7262fa13e91d09f114e3

SHA256
78634ce67114bf5bf62515582a535e0da5619d042fcfd0ff431c056ed734fbce

SHA512
f480f28033c3c6d5f4f841c79615101e0ad74000a493e7c2e863a69ef0951b5b4f2ba06c3dbcd63e973b293e80693814b67a9b7d497c4c72589ab1ee56a7e58e

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
256KB

MD5
11dc057da62b994450ded5cad68a781e

SHA1
57a6da5cff9e55c64f5fa53872b8c2d615fe855e

SHA256
aac5d3f67f7353fcc738a19eb01dcc8f484a080640963da28fc66280d630cc18

SHA512
6298e5557beb06ad297b8bffc45bad1db3b5c70d34f18dbfb8af68f25c37281c8a6f1e99e576438f83c6afc64fd2b381e6a877abfd30c2eef85d148f534e47f0

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
256KB

MD5
87361560e63f653ce19339b9bc67baef

SHA1
4d5e41d3029509957fcfe1cca814852e4e287229

SHA256
4730b3c01f5753884934851b4c16a7ecb7f24ed9f7d84cddacb6f03bdb1c8c55

SHA512
8d0e3acd997b942dcbb45ba1a68a758db12cf86f9aaad4ac3480f4dd94e35319b8d6fff217f5a3cc4688a8b44aad52196f4856a9b061b69d699d6f606322a9e6

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
256KB

MD5
705443971ff701acfb219a51bbf30057

SHA1
c235e7e12dba5ddab84c5ff8a37866e84e1541b5

SHA256
ddec7670cef6644cf88200d53120c781d29627d4a4367bbc0eec0fa1e64e0c66

SHA512
1f59ccd762d4cfcb6c79c73e4e9fa12974631d82c8594df7048a483b151aeddf752f8e02fd4f4ace8d302b389048e4ab121184a0e44fe46ffc52b5b7f86691b0

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
256KB

MD5
682a2ba02bf7f8696c4ed5c5b99501b2

SHA1
1eaa13ca8d26ec2b969dae3167cf91172485bb82

SHA256
b9783a696686cf00d64cee8ec37b74a9c6dda09a11e38f22fd2d69c170259bce

SHA512
138c146259a59d6435406ee41843e802fc3067b6b89707e77d857288470bf12d7ed4e67373d6f1eaca6b659d07da3c42dc91e77a53a2e9a09e279149afc7c6d9

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
256KB

MD5
abc621f114ea470d89dcb00a4a2e052f

SHA1
2b0930127def02fc1fd9fdf96f1732b083b5c608

SHA256
388be3646391f4ecbee7423048a0cfe5ffd9f52707a6524da515db7c1385b051

SHA512
19bcb2d586d5dabdfe86530b2ac2c4282c02be9cebbeb0571695a235e1a1e5f06665005b5631c9a483293f5d6eea53b18810aae132e4b7adb67c442a2fb805be

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
256KB

MD5
b20d383e409fe42cfd97a4bb1130fdcd

SHA1
0b0f10facdf22173ae422538bebd13eae998d88b

SHA256
9536821210d8c921b557c68af3e57beb9f3bbd5f1200684729cfc1c7f116d66f

SHA512
e2d73149af5d9c2bdc4f99378f91dd615b5454265aa129a8e491173f15cc44e4b6a2babc753dda1bdcf6225a768c2ab249fd1222f533e8229377a9dbf2bdbd84

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
256KB

MD5
24e409644c11ed7f26f4424150721e39

SHA1
522053d58f9e31c0f654ca76c54181c2034eb2cc

SHA256
2f8b61c07cfc7140b254141bea44ebe11024487b9a0e3ba890ed099c4f8b897d

SHA512
c9d4a1664bd0e875d8e5aa71a80430c50c5088b9758e8d2ee5bf2f2e8f21a98eb451593ec8d39d67e0fde829565e76c8e422b0be6e5066b2ba41b582cc29ca90

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
256KB

MD5
3f40132b771a6bb2661c8c0d99fdbfa8

SHA1
d18626cc4f514d03f0bdb91b01e03419e3a0614f

SHA256
a37ad612c0f34ce4c3484f0935327f02e242ab252b3d6cda1ab59c80edae6ad3

SHA512
d6f3434acb3124a1db68fee454e4760908dbef19f66375fdd16f4fe6096ddff4b51ba4feed378aa71b997fd8052ceb2d700bcb2038d9ca8c1f09ecbe6b0d44b1

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
256KB

MD5
d26243655de10aaa1dfd9cf178511584

SHA1
34b02deaa0e1e1c33f1874ba8790ac1b1d73ca6f

SHA256
4c9011ffa211b4055f6b7dece67dcd62df870415b21156f3a3dd561c4ac70f67

SHA512
a01a212ba04e7df1e2c7ea32dda13a79b14afaab9e4d3eb303722f4ceff468f94c574a2fe69f9e4295fa82f41ab13d6c4aea1dc64e0c7f892f7280dd504e4863

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
256KB

MD5
9de1a9089e771b5148a8c91c61f5a125

SHA1
ba56a14bcace6ef2be96bf2d30728dc60940e997

SHA256
c0d48c9da49ec37d3da819e499057bd561dd844615847657e39118b1bb257ab0

SHA512
76819644ab5e319c3b5228ab51e8879b33088ef8ca7b86f110c02437ca372e6440531f67ce3e58d822d1eaa3ddd10b87c076bc4c75b95d21b80571d98a3acef1

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
256KB

MD5
7fbf59a3c78506ffd3228c79ce187987

SHA1
113e4347ff39e83491c9126e9b83f99d1541cbce

SHA256
18766a56848d6953e8669df34bb1a8a01491cb7b66044bb87dacae5a9030adcb

SHA512
8fe35c528adf34e8ffc964f4e1f7a25f22a1bd45191347b0eab41144b54977062447da0d2158847ad6163d2228e20b8efd3220752817880798645e64df176fd9

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
256KB

MD5
6cec1a3e5b275371d1edc227803c3b67

SHA1
a9c85658e9611344314e2e33a61382e90bd85238

SHA256
b5993d59fe072463fd54f23a35f1cb91b9fb267061a632201c8cebf6bb7f3783

SHA512
31d3f3a5a0fcf2e354c245b42a9f350e89517c11e5654218864a47228800f7d10424d51a79fc5a280b77fed7fcc3fb9ef8482d4c14af01ecff9d67320ef97445

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
256KB

MD5
06657ebe4b2b5e19bee9c61aa85f9723

SHA1
71c791e9f3332c5e271692f421a4b678cf3cb5fb

SHA256
a5344f67a348182097b1a4b6ae7f3839bd82348904d6700a8f009a97dfbfd3a2

SHA512
00bdf18232f82eacf44dd06fdfe3016ca20cbf8d5100f99f3333c02962af3b5dc70a3174ccbb36397808492678dcb3dc5ec5157f9ad556edb031920e5b5707dc

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
256KB

MD5
cd8236300e2d3fda914afaff6b5bf430

SHA1
a32e3f0efa61f95b83b1f71257a8b2bc4b575427

SHA256
98b31280e2143568e486f7baef4074a1ed319a742272385672d40104e7f36f5a

SHA512
3c6245769f55b4c8ff2da3e100957c5c8ab0240d0710e0adfb49d84db850f32a17b08d26f70d2b2403f6ae9201e627fda48abb1a57d669fbe51ce7b22f56f62d

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
256KB

MD5
083e94e2c451e205b155eb935666be72

SHA1
b49356923591601e1c39fa64c3ef7fdd07835e87

SHA256
ffebfd3afca5a227848fe6af102bd87c33efe9cd220482c72c9ef967cea833fe

SHA512
7a0291c7ead4b2989ba3f191ab0ec523f82be32079f22c97b04063c32a1af8c4116fc999f28a6e6fe236454979d7997d9c4e0d487d596696b9a801a19ce60b85

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
256KB

MD5
1ea886ac0e453d06c8cfb3ba056adc33

SHA1
a08bafeee35fe24f17815dabb2e3f0d16dff01f1

SHA256
81e25fa2e0ff117a652e8a84d580a6616a85aaa7c711c643212a94d8f58d69cc

SHA512
edc1197844e52952e7279b6bd8e3a9b38390cb619c9ab0367b17b5c85b7ea707ce6a23554ce6f920762a2185272aceb2dd605cbc2511cfc96aff5eea44288d65

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
256KB

MD5
a18349f79774defce8ef61ab313ad0aa

SHA1
850f20e3aa081eed107e80e86a0d36879197b63f

SHA256
3ecd22a1a5a7c66342c639f35334fec66194f8075688d0dc1211edcc04fa3649

SHA512
8ecd9889dd908e52e0c456df7554aab79e1e6b38e5bb5075d96c375def6e2c91edc5302e6f70c1f03063272f3f10c38ffb7fbf6e24028a5d6aabf252e4575c03

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
256KB

MD5
158cb8b1a3a9061e6451dd7cf68bd859

SHA1
003fc2351f3f6459c859c9714ef639c96ec7c755

SHA256
b8af2f45692825cf6ae5535d66f9a7ab2b99fed17ec09e8c5c4f695474186eae

SHA512
524cd54547af49503d1342348141bc892baca3e43b5ef0c7da7c41fad9a4469abe7bdd375e56f4bae7ed61371bd70757af5590acfd52109b708bf77ad6fb95c1

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
256KB

MD5
5c9a9614c973c4094f2f643a36f7c05f

SHA1
cf50e966fd301f5d3c399c823f0eff3dc81cb8e9

SHA256
7a50c1c434527575957e34dcf7eebb935e2f8ddfdefb665ac015ecce7e697721

SHA512
55514e5836ff3a25d3cf81bea87d900646727147f001495b3a6bc9e7a11d0441e5daeac2ab442645b23c2172c67d5e094071b427b28bdd4447b9d2731e97292e

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
256KB

MD5
478117a3eddf7e389f1100d74fd88432

SHA1
efb565a45dd1855c889d821ce33265f13e1aa952

SHA256
7503af352e27e49338ab584b7b4dd3e69e0f976f34f0d4ff043cf96db432d9e5

SHA512
0af88e2287d0187318da2bcb3723e4c55042897041fc91f54d2e04e6ffc0cbdccac37be3265df9a86e22127a500a07b40e0d208f29a9bdb88d162211a0ae0377

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
256KB

MD5
0cb0e769f5febf73108318c4e73624f2

SHA1
da951a58fde1492c80cc825629066833439ce8de

SHA256
4caca282c67ddf34e5b41767fd92eff95ab2d1be5001a100cd8cb4ce43467db2

SHA512
4598e71ae66f12c0eb03323dac29cd157bd5fd5a2fb4a999f01e7e47fad6f84a0663661a29fe451f7d815bc014eae918111188d8a33b0785f30eaf8f784b96d2

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
256KB

MD5
c4eca17f2b89f029cf1928f049fa448c

SHA1
760bff1f557aeb4c255e02b2c60a29084c3b6643

SHA256
f5d4187aa46fcbc5140028b9fb98b2d03b735d3fff4beb82290f71e98d95b2a3

SHA512
f0084119c286b18c3ba092611e4e3b6ca5bce15f03edc31c7d99ddc1ef21ae21d3ddd6eb0b8de0f0c0a4943aa83c7234c5ef1b6d9d215e4da999e2ad9edad658

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
256KB

MD5
ac2344a9fc118060bfc462bb9317eda9

SHA1
7b670da5692074639fb0635aa31cf9160b419c3b

SHA256
4e29155fe744c43a1690d3bb2495ad79daedcca4f4ace0480a7e2d43a6f7f9b6

SHA512
ec1819fe8acee8c1434b99346bd94cb245d47e40ca3082f5019b6d62a520233f6169e3dee1776aadfd2483ad9450de0d2a132a9eda660f011b7a8a32b7647b73

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
256KB

MD5
d5a1ce98d21d8d2259df0ec3f9107868

SHA1
fb25d9fb4abe3bb3cb23e6b0231c1ad942c990fe

SHA256
86a562a1563f5caed553ada0d6f46064e4c3bb1015c8e38c39dea15f153c454b

SHA512
3f9ef894c150a289a4a498b142a9a54c10de3c9407aa1a28ecad71459d0565ec8f1f7a13fdd85752902a500864bfef7b63d7b716d6aac39a45a41cb06fc3ad00

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
256KB

MD5
63a56d2cde555450f2e8b9a1be934b28

SHA1
6dfe9b63eb1afc2a1f86926653a320dc7e51fa98

SHA256
1ecff7d6d9bca97b3ef9d8316d053b6d7cc199fe911eeb20a0eab1ab82ce722f

SHA512
292828b3433c223c3dc4e960949a995dc90b890d94bfb09f9859699439edcf74f24bb700e37bc77e033ddc91e16705fd8d6328f09d4c9177283a60fd5c5e7020

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
256KB

MD5
50c70259fe0dc03058dede54e9cf0e0b

SHA1
0fedf22da49c8ce1ace985cbb362a54ee13e8c99

SHA256
68a905af686d92f27ef1172b43fd57d583374d8473a10d19d546c353ed6c58b3

SHA512
823012ce8825546afbdd5eac9efe3424c06f80c7be8ff51e8b836ae07f7428166b6368ff15ac61513ce63585d36252af8e38f60bafbac277a0eb08417586aafc

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
256KB

MD5
6b54448c2f5dd79d67e95f71c0101815

SHA1
6e91854a8406dc3e03f607a5d6ce44823cf3c669

SHA256
c5701e2d039eab08f62052690cdb0f8b73aa9bc95ed662f24ed0d3dcc5564639

SHA512
02cc6ca19e7913f9a154e90c51bef86f2e9607ef4261d508fe62e4ddd59287c031f1680cb88db09c59eb8d778069bcb825783276bc6f7705a2bf48d47678ec05

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
256KB

MD5
e98a7545060449c2152e637f9f60053f

SHA1
94e46f17425b09d6f28d281866dafbd9d35e9b84

SHA256
ad505173918ff2f5f70474888c7ed8c02963499a4689ad4725cf98b19f45a64a

SHA512
d01cf118b0735f945dd7c49c90b1d67d191f198bfb026ade93f061ceb16224ca36a7fbdd1c35be953f0fc1e862885951dc3158ffc27e5558afd993ba124db352

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
256KB

MD5
f0e7c938ecad6895b1c93395e0097aa0

SHA1
57be66951d9f6e9cfa2d2cafeeae18ea335a80ed

SHA256
b94e1e0b23b3f806c5f6261cd0157fb59b4ae8f54ffb160dfef48d4419f7ad03

SHA512
a511c1b36f01c3fc34a0b1c275b5f2f40fd63eaa7faf451cc4bd3fe1967ac56f1853caf99a2acc95c740784317e33b12ae22a6326e8decdb429be734110dd3d3

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
256KB

MD5
6c481903ebfabed03d81f05985c4636f

SHA1
aa5809a3f1850b6b3bcbfe40a64ba3640fc1888d

SHA256
cbbbca7f205cf68ec36075260c851a8331ae2445e798cfe3c3288fb0e0e5b47a

SHA512
afce87c5ff091cca770265b1a2c38da93d89fc55a82e6dc3368adc2d7173b8ec3f90600e1f34c10779eb3edb0f2d630d7258ab93c2caaefd32a01c7d9b6e77e7

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
256KB

MD5
6ab714475a7c5b60452aed6a42fff3ca

SHA1
4c5718c75b2cc56636d38c7006c071a7492f08f9

SHA256
3378851a5bc873f2ee64f27fc9dc340d0e29fa047812157a1a71e5fce36419bb

SHA512
4b12564e3603325f4c7babb600fa7efb7d4a8977508110557ab3eeb0ca5ade761cd2724e016e477173d97d8b613178cd370003af01ebd93ff7eb84d8e428b895

Download Submit
C:\Windows\SysWOW64\Kgngca32.dll

Filesize
7KB

MD5
08da06e47e86757cdb6c67e856a68fe6

SHA1
cadaa729219388b2610a24c713d00984e948261d

SHA256
0684186ebd1ce145ea6ebf8d459ed462023261b426b7edd8b45f2172c6a34e78

SHA512
865725856b964c972a4ed4d450a63b67e953f1dffd50fdda8901909703c2de092cebd3a6a122d00eab0ee6fae4f3eff72b3c20a1b71ed59fb550b94a58e6a9da

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
256KB

MD5
b308aa16354f526948b9b8397b0c1610

SHA1
1b57df1e61765d1644487328c10dbe74bb43324c

SHA256
b05d654fce9eb3f0086f308998bed5af53d06b5cffca2321b3ff189d4b148386

SHA512
c842078f338f6f87cc758b29271f50699e551dd4b3912eb239c792ca8a0bf755bd8dd024a7f1cae569f832bf42cfd74762286615a10aadf8890051aa4141a6f5

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
256KB

MD5
eb016eb6d17062cb3e1d114197c2090a

SHA1
ddeb4b1c75047ec1832222e7285c532acd2b3410

SHA256
efad0612c609d7329b41f5950a967399af740c2812b404d639e0c60054f7ca30

SHA512
357a666a8c857f87aacd38961dd2c3ac478c2082b8bd265397fdcebdeb580e0b6bbbc4e6dca1b5258128d05b531fe78cbd7c2c89ad8de61bea0032bd736843ad

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
256KB

MD5
8722e9209562ffc55940a7f3a1131a72

SHA1
ed6b51d768f6e104a87d62cee928a664f7809628

SHA256
6433e2c2c31f8ce21d03fae5ba9249093b1bb761d3d9978cdc9ffa7cf7f4f123

SHA512
a7fb42dad864c752bff00c86205d8e6c480fd8c682c48c5cc71f097595033b1401d8bca333e381177bc7a7102c85e135e65fcfdb353af3bf44f8d9f6e901fa09

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
256KB

MD5
f03353429178e755d98ca7cc35ae2f7a

SHA1
dd9759325a55d97b1054e576a246891602c77787

SHA256
9505ebd74a7fb97807f50cc1f3b835db98505c0a5f8e3f12bda08a8ab487b6a2

SHA512
43b74f138d954afd5141cffb6496976728016d6eeec0168267f8b4e0f08ee7d8af0bb8c9f08acf4f20fc46accc95069fafaf7c02e500da1f8c85f65b53781b3c

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
256KB

MD5
aabb54d9b4f482cb4cbb0849acbccbe0

SHA1
48ab70427f317ea07e1d45086797febd165705e2

SHA256
0462bf66539034e86d770b85d358ac2e1ec65a11da3d5752aa978d98e717d220

SHA512
a0ee2f3c8122248bb563b505790ec02a373c669ae8a4d6f9d0312a72560017681cf66cbe56e867f7c8ef3d6ec60c85cb8ca6e0354b7fbe4de1460f3c56ce7762

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
256KB

MD5
2ad6d9188a61609dd07f0b13ccfdf179

SHA1
3be234b349493130b77c2cd4cd9466ba57e34e89

SHA256
2ff4ee1ab3d5bf8b009375186482b6ee5b00658bf7c9fdad7c310e3daf0aedae

SHA512
d80d0793c0aab67b6e18772ec0500567cb5e8f05528aa65a019a05f7ca9925fcaeced7229ceac0586ecb5bb3fc4e6fc5b7f32ea030f9b08ae6afab3478f6ad5e

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
256KB

MD5
45473f3aaefdae07a52c6ed8a96b0ded

SHA1
f0acb8d164f51621c7c51ac89b56e96fc2ccf5b5

SHA256
180f03eac37511bd2f2579508492848cf41050ea43c3bed05d7a5d26f98f9f65

SHA512
78acdeb8c02ac28888955d760cc2952f1b94d9d54ee4f61a6f974ce9e70540ff0814d378e45b51238ec6adaf7cc976115874733b26b00e862278d3caf832876e

Download Submit
memory/224-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/640-314-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/968-404-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1040-302-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1040-369-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1192-344-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1192-410-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1224-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1224-96-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1496-221-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1496-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1556-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1556-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1564-436-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1836-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1920-315-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1920-231-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2024-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2024-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-204-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2276-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2276-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2296-212-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2296-124-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-177-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-265-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2468-323-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2468-389-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2492-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2492-238-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2668-330-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2668-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2748-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2760-329-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2760-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2812-164-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2820-195-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2820-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-423-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-357-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2920-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2920-141-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2928-376-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2928-444-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3280-150-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3280-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3308-354-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3308-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3356-313-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3356-222-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3412-411-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3440-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3448-202-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3448-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3508-266-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3508-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3600-256-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3600-336-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3612-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3784-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3784-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3840-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3840-92-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3856-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3956-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3956-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4008-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4008-185-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4064-46-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4144-438-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4220-337-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4220-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4224-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4300-363-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4300-434-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4364-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4380-213-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4380-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4412-437-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4412-370-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4456-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4492-145-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4492-229-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4528-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4684-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4684-186-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4804-382-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4804-316-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4876-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4876-163-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5004-417-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5064-255-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5064-169-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-239-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads