847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11

Analysis

max time kernel
132s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
Size

304KB
MD5

7808eb5327ef435f0d8e1cbb6a3e56a2
SHA1

d1f24f80004225cc82ed3e77109e8eb0046ee96d
SHA256

847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11
SHA512

cfb39aafd0045702c1e98df10bb00a6a61eed8c542044200e68a8b6f6df21194bfaaeb48551b5a1978b704c4dc5490677861f97bd234ec7da29c06c15f219306
SSDEEP

6144:WdcUnBF6kyR+y+LqnTm0Tbtn4K90LSrmS8AD1LNxunXe8yhrtMsQBvli+RQFdq:qck29R+yKqn34KKLSrmS8wRvAO8qRMsH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe

Executes dropped EXE 64 IoCs

pid	Process
4884	Pclgkb32.exe
4616	Pjeoglgc.exe
3672	Pmdkch32.exe
1700	Pncgmkmj.exe
2684	Pfolbmje.exe
2900	Pmidog32.exe
1136	Pcbmka32.exe
4776	Qmkadgpo.exe
4344	Qfcfml32.exe
3964	Qnjnnj32.exe
4916	Qddfkd32.exe
1620	Qgcbgo32.exe
2692	Aqkgpedc.exe
3260	Ageolo32.exe
4748	Ajckij32.exe
4512	Afjlnk32.exe
448	Anadoi32.exe
5112	Acnlgp32.exe
1236	Ajhddjfn.exe
4804	Aabmqd32.exe
1680	Acqimo32.exe
1032	Anfmjhmd.exe
3228	Aadifclh.exe
368	Bnhjohkb.exe
2516	Bagflcje.exe
3400	Bganhm32.exe
244	Bfdodjhm.exe
2324	Bmngqdpj.exe
2404	Bchomn32.exe
2444	Bffkij32.exe
3320	Bnmcjg32.exe
2848	Bmpcfdmg.exe
2336	Beglgani.exe
3972	Bcjlcn32.exe
820	Bgehcmmm.exe
2972	Bjddphlq.exe
1952	Bmbplc32.exe
2484	Banllbdn.exe
2908	Bclhhnca.exe
3688	Bhhdil32.exe
4944	Bfkedibe.exe
4872	Bnbmefbg.exe
4712	Bmemac32.exe
4172	Belebq32.exe
680	Chjaol32.exe
1572	Cjinkg32.exe
1076	Cmgjgcgo.exe
888	Cabfga32.exe
4272	Cdabcm32.exe
2272	Chmndlge.exe
5036	Cmiflbel.exe
2660	Ceqnmpfo.exe
2796	Cdcoim32.exe
1068	Cjmgfgdf.exe
1792	Cmlcbbcj.exe
3420	Chagok32.exe
4720	Cfdhkhjj.exe
4624	Cnkplejl.exe
4356	Cdhhdlid.exe
3240	Chcddk32.exe
1768	Cffdpghg.exe
1876	Cnnlaehj.exe
2552	Calhnpgn.exe
2764	Ddjejl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
464	1492	WerFault.exe	167

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4884	3332	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe	84
PID 3332 wrote to memory of 4884	3332	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe	84
PID 3332 wrote to memory of 4884	3332	847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe	84
PID 4884 wrote to memory of 4616	4884	Pclgkb32.exe	85
PID 4884 wrote to memory of 4616	4884	Pclgkb32.exe	85
PID 4884 wrote to memory of 4616	4884	Pclgkb32.exe	85
PID 4616 wrote to memory of 3672	4616	Pjeoglgc.exe	86
PID 4616 wrote to memory of 3672	4616	Pjeoglgc.exe	86
PID 4616 wrote to memory of 3672	4616	Pjeoglgc.exe	86
PID 3672 wrote to memory of 1700	3672	Pmdkch32.exe	87
PID 3672 wrote to memory of 1700	3672	Pmdkch32.exe	87
PID 3672 wrote to memory of 1700	3672	Pmdkch32.exe	87
PID 1700 wrote to memory of 2684	1700	Pncgmkmj.exe	88
PID 1700 wrote to memory of 2684	1700	Pncgmkmj.exe	88
PID 1700 wrote to memory of 2684	1700	Pncgmkmj.exe	88
PID 2684 wrote to memory of 2900	2684	Pfolbmje.exe	89
PID 2684 wrote to memory of 2900	2684	Pfolbmje.exe	89
PID 2684 wrote to memory of 2900	2684	Pfolbmje.exe	89
PID 2900 wrote to memory of 1136	2900	Pmidog32.exe	90
PID 2900 wrote to memory of 1136	2900	Pmidog32.exe	90
PID 2900 wrote to memory of 1136	2900	Pmidog32.exe	90
PID 1136 wrote to memory of 4776	1136	Pcbmka32.exe	91
PID 1136 wrote to memory of 4776	1136	Pcbmka32.exe	91
PID 1136 wrote to memory of 4776	1136	Pcbmka32.exe	91
PID 4776 wrote to memory of 4344	4776	Qmkadgpo.exe	92
PID 4776 wrote to memory of 4344	4776	Qmkadgpo.exe	92
PID 4776 wrote to memory of 4344	4776	Qmkadgpo.exe	92
PID 4344 wrote to memory of 3964	4344	Qfcfml32.exe	93
PID 4344 wrote to memory of 3964	4344	Qfcfml32.exe	93
PID 4344 wrote to memory of 3964	4344	Qfcfml32.exe	93
PID 3964 wrote to memory of 4916	3964	Qnjnnj32.exe	94
PID 3964 wrote to memory of 4916	3964	Qnjnnj32.exe	94
PID 3964 wrote to memory of 4916	3964	Qnjnnj32.exe	94
PID 4916 wrote to memory of 1620	4916	Qddfkd32.exe	95
PID 4916 wrote to memory of 1620	4916	Qddfkd32.exe	95
PID 4916 wrote to memory of 1620	4916	Qddfkd32.exe	95
PID 1620 wrote to memory of 2692	1620	Qgcbgo32.exe	96
PID 1620 wrote to memory of 2692	1620	Qgcbgo32.exe	96
PID 1620 wrote to memory of 2692	1620	Qgcbgo32.exe	96
PID 2692 wrote to memory of 3260	2692	Aqkgpedc.exe	97
PID 2692 wrote to memory of 3260	2692	Aqkgpedc.exe	97
PID 2692 wrote to memory of 3260	2692	Aqkgpedc.exe	97
PID 3260 wrote to memory of 4748	3260	Ageolo32.exe	98
PID 3260 wrote to memory of 4748	3260	Ageolo32.exe	98
PID 3260 wrote to memory of 4748	3260	Ageolo32.exe	98
PID 4748 wrote to memory of 4512	4748	Ajckij32.exe	100
PID 4748 wrote to memory of 4512	4748	Ajckij32.exe	100
PID 4748 wrote to memory of 4512	4748	Ajckij32.exe	100
PID 4512 wrote to memory of 448	4512	Afjlnk32.exe	101
PID 4512 wrote to memory of 448	4512	Afjlnk32.exe	101
PID 4512 wrote to memory of 448	4512	Afjlnk32.exe	101
PID 448 wrote to memory of 5112	448	Anadoi32.exe	102
PID 448 wrote to memory of 5112	448	Anadoi32.exe	102
PID 448 wrote to memory of 5112	448	Anadoi32.exe	102
PID 5112 wrote to memory of 1236	5112	Acnlgp32.exe	103
PID 5112 wrote to memory of 1236	5112	Acnlgp32.exe	103
PID 5112 wrote to memory of 1236	5112	Acnlgp32.exe	103
PID 1236 wrote to memory of 4804	1236	Ajhddjfn.exe	104
PID 1236 wrote to memory of 4804	1236	Ajhddjfn.exe	104
PID 1236 wrote to memory of 4804	1236	Ajhddjfn.exe	104
PID 4804 wrote to memory of 1680	4804	Aabmqd32.exe	105
PID 4804 wrote to memory of 1680	4804	Aabmqd32.exe	105
PID 4804 wrote to memory of 1680	4804	Aabmqd32.exe	105
PID 1680 wrote to memory of 1032	1680	Acqimo32.exe	106

C:\Users\Admin\AppData\Local\Temp\847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe
"C:\Users\Admin\AppData\Local\Temp\847b85a66d1ec106ce1f6a66ff8b42945fe8cc3cb22f7b1ae97e18cf3e333b11.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\Pclgkb32.exe
  C:\Windows\system32\Pclgkb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\Pjeoglgc.exe
    C:\Windows\system32\Pjeoglgc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\Pmdkch32.exe
      C:\Windows\system32\Pmdkch32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        53⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        65⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 416
        83⤵
        Program crash
        
        PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1492 -ip 1492
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
304KB

MD5
2c0b1ff607f2e808a9d031c84cda1cfc

SHA1
46dc980d9ec99a3c5b04ad31346110f603f3fd74

SHA256
d8bdcb983f87fc519e9c8a890503a8b971b6999b3bb775187426d90eb0d31ac7

SHA512
cf1db062256ee99237adef8814c1b87ea48d46392b56252dbf13445eea8991989da90f02ebfd9919127f063aaada7a4732605bf4d32bfa36df25e473166e24f8

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
304KB

MD5
0f8c9f73bbd27dc016ff391f1937a0c4

SHA1
9a7c1e729509458cbd867ac998827e584ce4279c

SHA256
a3db892c2cc5ea1b04df0558e0a79e196a48990846308d731933ddd2fda377d8

SHA512
395f4259b167f5c6d613757922821618b60790085487df9195c49fc2fad28f10dea949c74e7bc024fc717fb3641d46c1556e51e48dfb914f6f61097dc6652258

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
304KB

MD5
f846ecf7e0e604a3b733e7a3a773eba2

SHA1
b55049e7e8688ad770f2f10436e0acdd1c19871f

SHA256
0b81b0819add243eeee24db9577592f1a6fdfb34d4d8618bf58e66714d5ddc96

SHA512
19997891b7a5ef3cdfd82a9e556c5ca29d966a31e25b599e609007001408b3053f11e81c18750f4d752ec13d45f871bdcd0520dc0968a0fd24d83919670809ea

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
304KB

MD5
fbecc992a0ae651f09a84650f158be13

SHA1
e3d51309778b5f7bd80df3d8a6f35c2087b504ca

SHA256
c940635b3fedaa2eec1277b04d43b5d25541748fecf5aa3292dd93ba57b6a548

SHA512
33e172ee0a7cf0b01bd78cd5fcdbeb64d3139010b76e4a9f98e4900c5c41a33c6307794f93e4f68c9319d9a6c7fbd25086b0adef369f8698cccde8d9eb86f6ed

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
304KB

MD5
0f4642bd92c75f259f9e20231e9d0021

SHA1
6ceb9e0717a4033dcc37b7c3c588725582229375

SHA256
375e29a29098ae27989e0953f87fced09d061959a920074af46d785610e599a1

SHA512
f467239091eed5f27308ea02a6247e37e0694e10288315c76fab11417bf28ff9e45e434c3e1a4d5a03f6d5f253879ae59eb51133e205424cef4993032221bcc4

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
304KB

MD5
7f66a6789434eb97206c3de8fc65b2c9

SHA1
8cc05a314cc664f03f4130661d01f32c40ab101f

SHA256
3c1d2e7a33939939d3e12ba913df023fd50bbe4ccb857e534666d6edc2f0ae1c

SHA512
56c50d35f5330c364bdd47c408bce6736470ff3855d531192e3b4381b3d6922b08bd74553cd694eaf063f01c3e54a7a8d78a5790d8f5189745af5dfa17b2f157

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
304KB

MD5
2352f3bc3c5680c957ced68de0976307

SHA1
b6d941ac640a0652e7578ecc241140bf5b5da7e4

SHA256
3f1ff12c232350058a9ff3cfa6c2d358c93fb91823554e564bc8725b38dce859

SHA512
de78d57ef0b88c4c9e2a3556d62949c4ca416b18102ed07e8a634751bd31b32b67ce316bb8d0f6cfe7bd89fe2f736434af7f72e2d82340e68729a1aa204a2247

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
304KB

MD5
e8d01198531c7008d6e5f4afe1ee891a

SHA1
2aaca8f86638c4053c762d48acd480b18a0f7537

SHA256
2307da511ed8860066dd0ff4c7ea923bfcc86ebe1fb3086ae27941c61401e9ca

SHA512
cfc2d6a7fd82493ea7cc7ff6dfeb78b7406f5d330d09bec59946e7556f261ed9204ad895d2d75bc119a148ff31979e14b0c55ec5516d8c583524b314adcf8f3e

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
304KB

MD5
1e9844220e6195ba9982e95611de9ff8

SHA1
766c127cf6f14a1e7208d2cbeb4337d970820f58

SHA256
7c18adaa1e7245a203c0c436ebd915d87b7bd6cc30b84d270e539d0d226406d4

SHA512
8e5a2486dada42ca6357999ce0fe17c8066dffc6ad023fcc6abf7d918464819a28eaf06f53e4705851bcabb97899dc7bdb049774ca0ca9f132abbaaf0d3f767b

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
304KB

MD5
e6277b5c856973043723e1e9243f358b

SHA1
ee2b16df3048cab6d62789bc7fd98467d9c04b78

SHA256
4d7e3b567aaded37828f1b0cfb00e16e186a11532754c788c649b86410ae1653

SHA512
50e3ea17ec4ee273a6859c42c81e5f0bbfa02ec21ea90a7f1fad537f78f5353c97a610a8f9fd4002751714f64a53ae1a6d499d5e8f9c87dee6716afbf50ec931

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
304KB

MD5
db2c3b4c0d142553a56c88286a741f4e

SHA1
ddb29af3168edc5712d1d27f383e7ce75db4dd48

SHA256
ea405dd7cab1c79ade71d50dfdb9f7f77f32296eb48f628b003f4506a90dde2c

SHA512
0803e6ee05298b148f7f9ce27ee3cc0f26e6cff0c127c94bd3fdda628ac5b09c148b4bb46c646416932e51789b2a67812d0f15e3387225caf776ee64e2421dff

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
304KB

MD5
781ce4c9256aa5af3188246df49a93db

SHA1
ec0b4b7055c5931dec2e7ab8328cf653a9c9db20

SHA256
383fccbf3ef5d96a7c24bbe72827f3f9034bce8dbac5f596b39b5ff0aa3ed20b

SHA512
5e3e01d5ed101a420807f11919cf30e71e07fecbe1a0f94a7e51e5fa81ab6e1975317c05bb9c4feedf14c361240503239f4d26f7279afb87eed7e943bacd527b

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
304KB

MD5
5f9ee998fe125b11c024bf4ec49d24b6

SHA1
6ab68e9ff7ab812dd6dcd18a7204866afdbeca4e

SHA256
8e50b76f96d188c6b0f10a67171abc517b53ed9e6acdb22caf8dcc758bdceb04

SHA512
b044f7228fccf991e5a6af2566533bd2d2511f39c1eea4612655c86b76bdfe345cdfc86a3fe1a43ad8a737ecdee5f387073ebc3c4612762d84564dcb4c9207d6

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
304KB

MD5
3e74c1ecff7a703728e1ca24468b9f88

SHA1
5f683c2f691451316cf1a634e43fb013c5c148dc

SHA256
9bb74615e153ec47238cc0e47a2c6e0c79544f7ca81e88dbefc10124a99cda65

SHA512
9368f665abc841dedd565d31b1eefab2bfc709b1e282c08a0eee3743031e882e11516359253480b8b6b51343ba40c9bd89cc0fc9b23603ffc8ed2faa6d5fbcc8

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
304KB

MD5
58d959649eedd193fd8f28d3e432c3e2

SHA1
59703f5c0bec2b588d6d9e94d62ea1a5e7e5401e

SHA256
991d6fde4f161aa7dd72e4a2e2688f75affe8b937587a872fd804429419090b6

SHA512
87f481b92314a648b473d3645e84ff43abe22d880d7d900d15aae6cef8b8e7bfba230cbfd9a8c0d3b1b5a43eccd384678b7c25b90c48fde865b8569fbf36d934

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
304KB

MD5
c0c96779170df75f58fd56ff5907eb32

SHA1
905bbc9e6eff14d741ee310096a7aeaf2495deb0

SHA256
1206750242a10804f1eb8bc0a0a6536f93c0553dbc69ff27218ae793d9a4b864

SHA512
12d65ac99d302a678c68737871ff757cfada2fd5916a08a554fb6c2ea40d6ab738ae5b5ff4b04d1baa339362cbf8ef36256c477c2b253aa29bcd339bbcfc885c

Download Submit
C:\Windows\SysWOW64\Blfiei32.dll

Filesize
7KB

MD5
3d6bf92e20f3d0dd61d717fb1c281cc3

SHA1
334e1f1990bb7625ab43d8547791a46a00085873

SHA256
8d0be5ad637b0add8edeb7d3d9636ba14f3a071ac63fffd45ae7218202569cae

SHA512
84de7083827b71b2bd165d2dec009ad1e86cc699ea12ce536213fd17393b15639594fbd3cd0817b8e992d8e6af5f3ec942fd4bf49c6fd2570626c0766e6d4c60

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
304KB

MD5
5ea359ff2a1897b13d77e6e7a13da32e

SHA1
8f7305ad9cf5783033339064905629f27a970704

SHA256
b4f65d0f079c327cb8d1000d587b41448a80a5bc79dff8831f8b5df8b55c28f5

SHA512
c47d136ea175e2f512e34c1428ad2498b0644762336acd880ef9defb4bcf9caa4a7b2f45139d77229f5a73af5867735167d926e620ed664f6aa781d1f0e9df5a

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
304KB

MD5
66f38d10e84140a39f9b8a2e2d47aa1e

SHA1
14075914d49ca00bf67285f20b5e756e6ca12bee

SHA256
009a7ce542cadfd9799543baa106822af575c6cc86c37d4853507ff9e534a2a0

SHA512
d1956f6c29748e04dfeeb550800a31b9b3601cababcf26e4998dd4cdcae16353604de1e85faabc99e98ea6f880cfe2bbb6cd37a0fa1d2af41cf50b3178a3c057

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
304KB

MD5
d310e4bf1b2fdd722407bf87e1c41d05

SHA1
4d4fd07b47a81cc628e4980ebca5c97987f5b02c

SHA256
7250d7a01706a50900850af8197dd3c84993d0500318fe6ea27345eb9010fe28

SHA512
fd561797660bcb8aaa8c277f11ef89e73332ab885d751cd6202da3fa12bd22912a68df64858663bae68335bf7da64d81f2f0fc151fa3e626d4f38ec3013b1337

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
304KB

MD5
2c42b6a120a9274f4f6dc1e4f1ce9ecc

SHA1
36eebe670b9bdb9ccb72ef2eedfeb8e2a59000fd

SHA256
1b11b008209d17f81b7f2af78a612655fe2ba8f4d1798a42e164fa7281e6f06e

SHA512
c2cae3ecdfb6d375f90bbfa0784d3e805a7bd0bcfef58308ba8b3a44aa4ab3f93c1f1c39826bf33b5df99ac3173333a348a090e15b656d31d059ebd1c67c2ffe

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
304KB

MD5
c5821d183e759af13406cb043d9e63a6

SHA1
20330d6a9d61875aa5b9c12184d19f763f685a5f

SHA256
22ac190059b0916b5500e4dc23b69f24b14f11dca9d30bd006de1461acaed641

SHA512
2bddaeb564f1c83dc53e447157779e9b4cd4cbe9f98a082a68edc06778312313f21e878822a66c14c4f51b3ef8784f06acbd1124c03c42f4a0fe4ae5749d3a91

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
304KB

MD5
7c3a95987f18afbee481e5b1b371f46e

SHA1
f2f8046cade027c90b0b3f32085b8c583f86bc10

SHA256
9539d6e7567bd6e801db3d90bb06d0f34203d763ba2d5b9b1690655c51c1fe86

SHA512
fc42519454ad23e9bb75d04a11824f37b109f2a70cdeded73e61274cc6770b2e2ee9b5d6b10ba3e0634722922678a450973d78fc81863fc451d4b80b9c61fe65

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
304KB

MD5
3a6c83fe63c46b326367eb27bc9c4cef

SHA1
17e862c128cdeea94407f9273c887600926d0ab1

SHA256
709b9b303e8fee4107a11cca781bb87352ea834501b2951ad466402a7eb887d1

SHA512
4420bb58e36786291fe60875132b74fba87132216d9245ceef15b26318c6f2d21a8e1813fcff4124c467c57e6c5454dd7303e3a758a6c4a09df5c0493663f825

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
304KB

MD5
458aa3542dc9c416220c4db112b91cd6

SHA1
10ee94070b0f0a201c81a0c803bb76beafa318ba

SHA256
a8f9a94450124fd8d093f2392fe26f7265e0a4780c4f8fe87918ec6fa0fd9f6e

SHA512
7063e8677cb9cb082f16711a009a75107660391c2bc3cae26ee3120a7fed83f8c411bbdb3c401f9a1da3701da52bed37ce8b237f7d3483659f782f63acd852d1

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
304KB

MD5
93d39ac8243d74d14f759aaebd0bebd7

SHA1
0e4710df5109470cca678f7b90a70f03ee463497

SHA256
2ddc734df2c6652dd38e56a50601814d7823a5fbe3e75a4c25db65b090b78279

SHA512
05ced25c7eeca658ee85bcd9bd592942cca7910b97869f0e7e90a4545bf017036d881023332834a6acf69681620c8a059c7949d05f3f1d6300125832c7641793

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
304KB

MD5
99dc3298906f4b106cbda338e57236c9

SHA1
f7ee1053e536765f20519105cc5ffd188d38aef0

SHA256
c6ee87b82a45a9e9bafef9d3be05c8d97ea04cc32c468a260066c81c66b9b8ef

SHA512
f207f644d091dccaf971de20d20a6f391d568e43947f0a4f27da59e1486b5d61d950d77af7c7e50db9552e3eb705ddec0ed0eb3e3ac07e5370ac62907b07217d

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
304KB

MD5
69e895d9831c31dc767b2821b2fdae13

SHA1
7bd280e9a763ea41e6f4e0af76e1931949604fef

SHA256
e8251d4693e2e0a17e69dee73bd9218b8a69589eedcfea7c941eb7a487f02893

SHA512
61fa005c89fe30aea8c7ec52b38eacfae3ec535b3374374bd6250afa7133f68dcdf130fa9a8b61dc39da25c6ae356125f746be3e3444da830e6b8df8c31f34dc

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
304KB

MD5
1998582206a53f2e40254c6a7a05fff1

SHA1
ee120b4a6cfb9585986873dd46fd358572385e6f

SHA256
71ce5246a73e8cb9230a6e1df66158d270655995ffe5afca229663f58864c900

SHA512
04cc0f5f661fb58efb5f3cb0933e08c9513e23ec7b9296624b1b0e0f6e6aa84164e13e21637c8caa1c84d9927e65f07b9f1c3f6ef68b98ea2c9b7c133483cacf

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
304KB

MD5
df71818bb72eedf6c06d4ebcb92f39a4

SHA1
776c3d093d80bea5e03862c91055207221b9550f

SHA256
824fbc744b4c185cf85fd42317d662b2ff64a0924f664f8f5b74321524bf7f4a

SHA512
4cc15900b2a2a4daba1ff9fe3d752cff64b6abdb6d77c8f587c96a1a3be22f34c2eb0af02220cf5166753f6d5982e75657e8792eb70c9636ab857e5554a07a94

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
304KB

MD5
05e0b04facb19f2cac17cfcafac9513c

SHA1
3d723b06079d0b8d65245ad080eb632307f095e8

SHA256
bb72e1d6d4a5b47e03c82b19639dcdd37e8a750d03e1b984a11eaa852b367e78

SHA512
aae9883561ee35a2f0c8c039cbccaffc289e79632b0da51483e1511a033d85d046088821007c229938377f8c7c6a4fe4caf534ee8bc6d66c5b5e5ad87549979c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
304KB

MD5
0d7f6ac6a8c53f60e158537ded33f016

SHA1
a2f82d9789f427b595a8344100cdd1edcf6b02af

SHA256
a7ed259082f4b2ce96e1af94169a36d1ca6de5114baaf7994621f65ea88e7662

SHA512
ce8e7f15f80f340b4936c6d40e1b348d07cd3e26dac69a0a53354ab56b8910f65cf81c3d6cccb58f7d635bb3a722a4d58a06055e0ba8bb0b62f1c9be17e754db

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
304KB

MD5
b424660dd7e29e1d716e1843970cc191

SHA1
040db121ffdec9b5c1efcb3c1c441cfa8fef4ef1

SHA256
4ba19b595e091bcbfd391e9dcc02defab31d5dde9eb2a34b88b2dead4520b185

SHA512
71abd1c8476b3ac2fb1f44689a7e1de08d4dcee4758b878c40b2fb05a325c7defc916c72db1297cc5595a8097ca40fd30eb07473c72c3dd9ab22a46d4adb114d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
304KB

MD5
26727df6629899f8adca133f052b31ab

SHA1
dceda5e2044d94a97570a9483a47647141cf56a3

SHA256
74151c2034f3662c81eb1458eb8b5f5cedc564000a5e62b6b29ece608ba60875

SHA512
8e31fc217c48110e0216220b81c99a42977c15cc4b08c4ddefa5598829ba134226191176fabdfe7c64c7c677809e0c373e3427cdd5b1b83964c38c3af7bbf0ea

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
304KB

MD5
47ecf209569ca0069fd96b8b34ca860d

SHA1
fcf77b6a8585ea2703422cfc7b3d6016b7dea2a6

SHA256
51c51dba058aa157af2cf7fad2e49045c129befcb1678c5b796ffabcbf033a91

SHA512
7c715b374ee7f55de4bde796f0794ba8fd087ee247f352f0704b2dbfdf5a0fd325e157e29ac632a3b3df6be866ed8063158d7e73db628b3bf911c6e04d2184ee

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
304KB

MD5
ff7767c09a6e30566627b696ac8cf6a2

SHA1
d839d7d51e99330b6cd50d1eadbaa86f356d706b

SHA256
b722664eaae7381cdfe5b9250b17c5bb79f1528ad99b059b39619f76553907e1

SHA512
36b0d95e07616963fb430dbd4ecb6018ae6bbf1eea55277581e80e413a8dcd785fb487bff4d55cad282f2f7010a808313b37a9d3b5efbdd32efc08c10957296c

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
304KB

MD5
47621501f73a24d2bfe242b2ff71d88c

SHA1
acf13ada856eb04cd3927e30358f7ebba02d8376

SHA256
b74222f031b1e20f411d48ccab2091bb7e5ab6e455faca01c4c948bb58795b19

SHA512
7f6d5d5917d7c8052aa1b5cc9d72299783cb580754a2afb709c30629e7afd67deee48bf2593ca6a15a41280ce049a2e88011b7f682ffb5c931ee9f43332058e2

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
304KB

MD5
de8a6c0fff4f69adbc824778c01c3eac

SHA1
b47f6c2c720dce30a9ec5b85761917695b50b3b9

SHA256
0ae85262dfc0525ed9a79c17f8dd4151ca0c452ba2b1ed68ea2f850bf0695950

SHA512
ca1eb8731ea8e67ce11d75c1e8f862d41bc5861c04be1b929bbd514867ce06bd67b69804a48f89d2996b7bf0f3d685084e931259656055f3821d117c3369760a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
304KB

MD5
db0ee03340890e50364a6ce3c129b335

SHA1
9339cfd50a533a982e1bb03553529d0907017a62

SHA256
48faa5f494c502ca96dfbd77b942168e47e22a9602facbc1b43585cff0704394

SHA512
b532a7e45a845c005b583972a436df0ee7d9d756d1ccfcb26d5bcc875b19fb129ae5d458f0d716bd551a5566404a1618c5bfc4f2b6f8a4f3344dedc7ee6741fb

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
304KB

MD5
a651f4fe469602b72864f19d35fea2f4

SHA1
42ffa2e62c1aeef3e45cb98c8cf32fe60c139d0e

SHA256
2656cff6b3595cc21efad9547269dd23e0292b4b52325d71c6cadff693ebe22d

SHA512
8e0f55538099ee6ac70e0c95ab82efc15164d7d4615aae3b6d5146c86c44c04541758d60cd557d3ed60b0a0cb3582e4e98f9515ed574959db4c86aaa274b09e7

Download Submit
memory/224-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/244-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/368-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/448-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/680-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/764-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/820-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1068-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1792-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-519-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3260-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3332-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3332-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3964-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-560-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4624-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads