d7c508d524405aa9bc095e57cb8b0beebd6909ebbfc85de3d18c3f53b871110b

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a29d68768bc218479584badee4e1fac0N.exe
Size

101KB
MD5

a29d68768bc218479584badee4e1fac0
SHA1

0ec653a9a393d480ba07c4684daa2d28ff9e6fb0
SHA256

d7c508d524405aa9bc095e57cb8b0beebd6909ebbfc85de3d18c3f53b871110b
SHA512

f1f6f98624a021bfcf2ccccf551b94113875e9c5b287119ff5324d6184a0c0b85840393be3a18afc6266f610f8c91e1af0d72962eab70e62e09391bb6ff93b1f
SSDEEP

3072:IzK9lvQq1f9duXqbyu0sY7q5AnrHY4vDX:59lv91f6853Anr44vDX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a29d68768bc218479584badee4e1fac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe

Executes dropped EXE 64 IoCs

pid	Process
1408	Ojllan32.exe
2328	Oqfdnhfk.exe
4716	Ocdqjceo.exe
860	Ojoign32.exe
3392	Olmeci32.exe
2008	Oddmdf32.exe
3032	Ofeilobp.exe
2092	Pnlaml32.exe
1912	Pqknig32.exe
4780	Pcijeb32.exe
3964	Pjcbbmif.exe
4216	Pqmjog32.exe
1620	Pclgkb32.exe
4584	Pjeoglgc.exe
4880	Pmdkch32.exe
1792	Pcncpbmd.exe
3188	Pflplnlg.exe
2680	Pncgmkmj.exe
4808	Pqbdjfln.exe
2356	Pgllfp32.exe
2632	Pnfdcjkg.exe
1680	Pdpmpdbd.exe
868	Pgnilpah.exe
3536	Pjmehkqk.exe
2052	Qnhahj32.exe
2516	Qqfmde32.exe
880	Qdbiedpa.exe
540	Qfcfml32.exe
1628	Qnjnnj32.exe
1316	Qddfkd32.exe
2568	Qgcbgo32.exe
2444	Anmjcieo.exe
3416	Adgbpc32.exe
3424	Ageolo32.exe
3008	Anogiicl.exe
1512	Aqncedbp.exe
1952	Aclpap32.exe
224	Afjlnk32.exe
4868	Anadoi32.exe
4840	Aqppkd32.exe
4844	Acnlgp32.exe
620	Afmhck32.exe
3680	Andqdh32.exe
2820	Aabmqd32.exe
2572	Aeniabfd.exe
212	Aglemn32.exe
2748	Ajkaii32.exe
4472	Aminee32.exe
3708	Aadifclh.exe
4752	Accfbokl.exe
4692	Bfabnjjp.exe
1124	Bmkjkd32.exe
1700	Bcebhoii.exe
4776	Bganhm32.exe
548	Bnkgeg32.exe
3164	Bmngqdpj.exe
4792	Beeoaapl.exe
2036	Bgcknmop.exe
60	Bffkij32.exe
2204	Bmpcfdmg.exe
2324	Beglgani.exe
1448	Bgehcmmm.exe
4884	Bnpppgdj.exe
4360	Bmbplc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	a29d68768bc218479584badee4e1fac0N.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5600	5356	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a29d68768bc218479584badee4e1fac0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a29d68768bc218479584badee4e1fac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1408	3628	a29d68768bc218479584badee4e1fac0N.exe	84
PID 3628 wrote to memory of 1408	3628	a29d68768bc218479584badee4e1fac0N.exe	84
PID 3628 wrote to memory of 1408	3628	a29d68768bc218479584badee4e1fac0N.exe	84
PID 1408 wrote to memory of 2328	1408	Ojllan32.exe	85
PID 1408 wrote to memory of 2328	1408	Ojllan32.exe	85
PID 1408 wrote to memory of 2328	1408	Ojllan32.exe	85
PID 2328 wrote to memory of 4716	2328	Oqfdnhfk.exe	86
PID 2328 wrote to memory of 4716	2328	Oqfdnhfk.exe	86
PID 2328 wrote to memory of 4716	2328	Oqfdnhfk.exe	86
PID 4716 wrote to memory of 860	4716	Ocdqjceo.exe	87
PID 4716 wrote to memory of 860	4716	Ocdqjceo.exe	87
PID 4716 wrote to memory of 860	4716	Ocdqjceo.exe	87
PID 860 wrote to memory of 3392	860	Ojoign32.exe	88
PID 860 wrote to memory of 3392	860	Ojoign32.exe	88
PID 860 wrote to memory of 3392	860	Ojoign32.exe	88
PID 3392 wrote to memory of 2008	3392	Olmeci32.exe	89
PID 3392 wrote to memory of 2008	3392	Olmeci32.exe	89
PID 3392 wrote to memory of 2008	3392	Olmeci32.exe	89
PID 2008 wrote to memory of 3032	2008	Oddmdf32.exe	90
PID 2008 wrote to memory of 3032	2008	Oddmdf32.exe	90
PID 2008 wrote to memory of 3032	2008	Oddmdf32.exe	90
PID 3032 wrote to memory of 2092	3032	Ofeilobp.exe	91
PID 3032 wrote to memory of 2092	3032	Ofeilobp.exe	91
PID 3032 wrote to memory of 2092	3032	Ofeilobp.exe	91
PID 2092 wrote to memory of 1912	2092	Pnlaml32.exe	92
PID 2092 wrote to memory of 1912	2092	Pnlaml32.exe	92
PID 2092 wrote to memory of 1912	2092	Pnlaml32.exe	92
PID 1912 wrote to memory of 4780	1912	Pqknig32.exe	94
PID 1912 wrote to memory of 4780	1912	Pqknig32.exe	94
PID 1912 wrote to memory of 4780	1912	Pqknig32.exe	94
PID 4780 wrote to memory of 3964	4780	Pcijeb32.exe	95
PID 4780 wrote to memory of 3964	4780	Pcijeb32.exe	95
PID 4780 wrote to memory of 3964	4780	Pcijeb32.exe	95
PID 3964 wrote to memory of 4216	3964	Pjcbbmif.exe	96
PID 3964 wrote to memory of 4216	3964	Pjcbbmif.exe	96
PID 3964 wrote to memory of 4216	3964	Pjcbbmif.exe	96
PID 4216 wrote to memory of 1620	4216	Pqmjog32.exe	97
PID 4216 wrote to memory of 1620	4216	Pqmjog32.exe	97
PID 4216 wrote to memory of 1620	4216	Pqmjog32.exe	97
PID 1620 wrote to memory of 4584	1620	Pclgkb32.exe	98
PID 1620 wrote to memory of 4584	1620	Pclgkb32.exe	98
PID 1620 wrote to memory of 4584	1620	Pclgkb32.exe	98
PID 4584 wrote to memory of 4880	4584	Pjeoglgc.exe	99
PID 4584 wrote to memory of 4880	4584	Pjeoglgc.exe	99
PID 4584 wrote to memory of 4880	4584	Pjeoglgc.exe	99
PID 4880 wrote to memory of 1792	4880	Pmdkch32.exe	100
PID 4880 wrote to memory of 1792	4880	Pmdkch32.exe	100
PID 4880 wrote to memory of 1792	4880	Pmdkch32.exe	100
PID 1792 wrote to memory of 3188	1792	Pcncpbmd.exe	101
PID 1792 wrote to memory of 3188	1792	Pcncpbmd.exe	101
PID 1792 wrote to memory of 3188	1792	Pcncpbmd.exe	101
PID 3188 wrote to memory of 2680	3188	Pflplnlg.exe	102
PID 3188 wrote to memory of 2680	3188	Pflplnlg.exe	102
PID 3188 wrote to memory of 2680	3188	Pflplnlg.exe	102
PID 2680 wrote to memory of 4808	2680	Pncgmkmj.exe	103
PID 2680 wrote to memory of 4808	2680	Pncgmkmj.exe	103
PID 2680 wrote to memory of 4808	2680	Pncgmkmj.exe	103
PID 4808 wrote to memory of 2356	4808	Pqbdjfln.exe	104
PID 4808 wrote to memory of 2356	4808	Pqbdjfln.exe	104
PID 4808 wrote to memory of 2356	4808	Pqbdjfln.exe	104
PID 2356 wrote to memory of 2632	2356	Pgllfp32.exe	105
PID 2356 wrote to memory of 2632	2356	Pgllfp32.exe	105
PID 2356 wrote to memory of 2632	2356	Pgllfp32.exe	105
PID 2632 wrote to memory of 1680	2632	Pnfdcjkg.exe	106

C:\Users\Admin\AppData\Local\Temp\a29d68768bc218479584badee4e1fac0N.exe
"C:\Users\Admin\AppData\Local\Temp\a29d68768bc218479584badee4e1fac0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\Ojllan32.exe
  C:\Windows\system32\Ojllan32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\Oqfdnhfk.exe
    C:\Windows\system32\Oqfdnhfk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Ocdqjceo.exe
      C:\Windows\system32\Ocdqjceo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        56⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        70⤵
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        72⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        74⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3672
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        99⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 404
        106⤵
        Program crash
        
        PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5356 -ip 5356
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
101KB

MD5
37b31bb20a60378d49fdcb9ab3ac1c01

SHA1
6741f3e47b519f26664459aa711add3a376d0587

SHA256
f40a378e4937aefee7da5167cbf0d99af64a3bc666cb71d67e5c480f7df08c8a

SHA512
5362c859f8e83ed25c144e13432d5bb9d0488c6be6eaf07a13edfebf1b3415a507d41f740ca2ecbe96fd524fee03f774c67548acbea140b199e6a0f75367186e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
101KB

MD5
9ed072ac584f7bcdd4dbcc971b43b0a8

SHA1
43c4b9b4d6559369fb616075839c2d2509aca7e5

SHA256
391fe4131333d7ba036e680eb6bec1837d4b71d728a6ea0fdd92c584b26d94c3

SHA512
d8a79635f885107e54948960298cd2dad0010cfa293fdbc7e5a87db2ce4aab3cce6509662cc2162dd5dff6eaa896bcaa9b531911cbbb1cf51fb9c1fcda1a98be

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
101KB

MD5
79c7375356e14282b1eea38849468e59

SHA1
b0c938acfcf4c3ceb28121a6b68f06e5f41285ee

SHA256
95b3d28c9cbe8c2ba20932a49ad5ed43b62fa2c30936eae3fb6b73218c718c89

SHA512
981a113b083b7ec457976c130f86edd26468ea0e8cbcad3f8e50b5def0281a832b5dbd9596c4b41d16e2a893abeca25be7b3c4878dca86bea2ea00565f43ecc3

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
101KB

MD5
f05b65ee57c01e024cc628024def5743

SHA1
42a345a7764cf4a7c0262708a358822a796b4c0e

SHA256
b899235fc08ecdf54fdc7dda6ca410f0881c32597b3652255806d34b52143ccb

SHA512
4981a0639386883a99d4da51a7590fd1de7f682384dcc6751e6d6fd40c849e76e70407ae345228eea6eba5725b2943d77a8e12327aa7ba7229f209a4289e59e9

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
101KB

MD5
83a0ca21ee8934f283bb52a7df168dfb

SHA1
fe3017092cfb286541e87fb5539770b24c6c29ef

SHA256
bb9c14fc5ea5bcba8460ac869397fe8f8e6e1fbad4caf9ec8806c53012892dc5

SHA512
b2e8bcd70ad08fe36e06a2488c2ec5ee4bdb8180cb0cafa66bf5d491694546e9058da900a60991750668ceac3dfbd2a1ffe28bf7daf2b064552d41341ee79b74

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
101KB

MD5
c90fbfaf4af297528f0a8885f8f0cb3c

SHA1
9f504abd234b6769eefd69e6f1036a1419661fde

SHA256
1399069ae8bb4fbcb51398b4d776c94b965a498202d987ab28262f71585a3cb9

SHA512
26930c4eb49f69125a38b90c01c31e27b5f7dfafea6a5753b12243928be3d3c2bd78ab08f2f957e649683da1c756d3ffb0660332577601e39edc2075b0c6ac4a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
101KB

MD5
865ff031ccce239e34bc55b174d080b8

SHA1
224b7ec12b653da7503bc9f6ff1d1b3bf1b77ade

SHA256
b6b75bd8a0db0e622bc5a3333d1e359870bdfcec70b5b2db21451900cb7b6447

SHA512
d133ed5486ff02d7afb546c51a8c421841337495cdee4e6c4bf24c6d78f78ab2ffec13c0615068af9bace10ad2f1eac3dd31d373bbb2575d7c1e82e1dc8c56a5

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
101KB

MD5
fd8710f303e789dd2ba51151ec697e41

SHA1
acc2a246d546e092b6a3e2e1bd9fe989c3f7399a

SHA256
2cc8e0f2c1ff4e600d7d2063144fa3d62be0bfc418669dd8579e5809b97605b7

SHA512
d7bbfcd983d9f370c4fc4d12ca096dfc0396e40e308aa697750bfa1c04f3df1f485b8b9d723886730abd4f66f79dc0611da21c5fe3d5b1966e4f22c2f2e0f77c

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
101KB

MD5
bbf89c4b566b799efb52da530fb1d030

SHA1
9c2b716d295a5163570add64bb251795b0feeaff

SHA256
6b64299624dd279d74004a62b46c688f4eebc6369a3d3dc842e9125c57f5402d

SHA512
6ce0ad1213e53d17b488d519b582cf9c36cde238e2c311a891db1ee87fe00f6d36a288efe6d25c0704e2b409813ecb2b33bc0428734f9e0b68dfe3c1e5ff5137

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
101KB

MD5
1373bf16f7140f35201af214d6c4d790

SHA1
d58b778ed673cf44aeb9485f95600028c281e560

SHA256
2a5c6d480336812dca83247b1491ebaffa98ae9351fa0c6d6d7b79d909f29e05

SHA512
1100794feb40c72d7886d3a5c480e9963ae4115072dcb6da113afc91a8d3284e1a106060b9b2dd67fada74e100810e99c151273c19d62897a40e0d8f5420604c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
101KB

MD5
b1d8e640e5aa89d3f394cce4d085ea29

SHA1
16f5d7bb5f81610d79f2208bde8cfbbaba7e0ef8

SHA256
bf91238dcbfd2d8d6d623312889e1ae0a3094707bd85e6f4e9510c801f9a73fa

SHA512
4ce7df50ec4f6586b40fe63787a058216bd08a7234ad1ec25d8282150fc6da1de044240458eea85a7ddb7c34295fa7424730b59207c443c1bb536781791d6f61

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
101KB

MD5
ca9d861ddad7659805641ae01f4580ed

SHA1
288a16b7ef5e49a55ec7e101aed187ec0d27937b

SHA256
0ae6c1866687e86bbe628b9826a37f23eb892ec42410d803fc24821d992e13f3

SHA512
b9e6b8b6217686d34d1db2ed279b4edab69d875a4c38df98b06c725924a6d2dda5bcdd43353fe00adafa9c80ec72e10100d4c8305c4db1278e265769ff6837c9

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
101KB

MD5
f866b443b4ab99fcbcea9efa8d428974

SHA1
efdceb03b9bb9e52ab06014bf5d3a88fc82e571b

SHA256
e65273662348952c4eed6c90b6f8f5bf1239e35a2a467a7adae7899e35b5f28d

SHA512
1708c489e24688be4555f6b997d6975ac98300f5bf67b9c60371ad47013f1ef8fc58441f7d77c843bf02ec8efcf7a2e23a711ab1eaaf655d19e28d167b1cea99

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
101KB

MD5
077e2aed988b9d9cce8d3c0210a6bf4e

SHA1
c4ea0c8aa501aa8baca79dfc4bc1473dca726a5e

SHA256
e96e12955123b4228e1a6ffccd83252dac799c3c1ce378700b2183dc5fb5748e

SHA512
fe7673817d2a0ddb9345941ac913deaaf4beadc18e9aced68d4f5be07fb02bea3e6b12d5a486726682b26824f397b02bdf5d73ce32729a17a9aea8cdfa8bbb7e

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
101KB

MD5
939469e9dcd6d0a0c5108cb749df56e4

SHA1
c16979b7a6644b4b61e5de7a6da0082d8eb6eb9e

SHA256
2a044e0c29310f6623999f8c8460d7a2762d2695f9120fdf0d31b582a7a5d08b

SHA512
62b096f7fb71f45a13a54a8a66841eb09fbb4fd660340aa79b79df8f86facf26c3cc8d40edbfadd85d05a155484627622c60df792d69777b8f568f6251b886c4

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
101KB

MD5
f35f183f56b83dbd5115c92b699353ea

SHA1
39f923337ff3f3d2e8862dc806c00adf749b9f19

SHA256
2c5ab0b448f836b7e3d8cbedb4bbe3a980dff0a2c0f5797c7e76695ec283b281

SHA512
c981fefb1f1d12168137f209d7f9f674746b30834cfee0fb4751b0a7b4726ba5bca3a883145dda829cf34ed09e5bff9001530f2b4bad68c80f13e93527e813f4

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
101KB

MD5
cb27b6644efea45c110a7ca1d43a28a8

SHA1
60e039af43d10744de466404550a1146514c5969

SHA256
c247f0ba4912d77c39220603c651e6a54af7b1d93679178c9c11b88a35e8f0d8

SHA512
be51a1a30145e593cd8f46ca4b7b1afec27ffe131e7b8caddc02550ac013e51ec897773b92b1234a46880bb2b32c0e36dc8ff8ef5ccc437fd255a2fdaf54a844

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
101KB

MD5
25aad836d2fd996251ad49ed7591de29

SHA1
87c67450a9454202fbccacecbc843d1b35eb9921

SHA256
ac911af9a7b1dff20f45df84231603cef8cfbac6ec8611bfe828a0bc9bc73e8c

SHA512
8f6872bdf657912f95dabdcaa7cea9cd19a4d71c8ac43cdc732793b558f3ac86c9c39ddd33c3012aad09e83d98e67b6fc4494b17ef2b8b0d4155769a29b7b12c

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
101KB

MD5
08909e8eaa38b6ed83f3e0353c85d127

SHA1
7f9dc60d004587b69ef5351cf4a67e90d2081982

SHA256
9f6ee0736f0b8f5d7882c29f3114a4f0d13dc551fcd0161d5f000fcb33897dd6

SHA512
ba19f180cbee7830cd3aee904678b4f608d88728fb7649383860ac0106bd278e13459900ba95b066e5333b5e252a138c9180bb7564a2df8a11ed22af793b9fa7

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
101KB

MD5
bd986dc9899798d455818f6c6293322f

SHA1
2f9bfa69ace47d6cad08cac95555a8f25c948471

SHA256
3c3e8b6360752c38e30c37325c7970cd9f7508aaa71bf7c5f2f66b9bb31d535a

SHA512
d8648ecd1646c32a06ef4bfe80a4e6e78ce93d9599fedec40e58b931cf16b17bd0d2b927788027f7fe68a684188e64719a718ca1d7f54d0cf93203d94a43c6bd

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
101KB

MD5
931322c3266efd07526dd6ccbf77e6c1

SHA1
3c2b2f2c2df9f4839a6ccf1642ac9b02c051817c

SHA256
5b64fc5dbd74ffb66892ce6b328ab23c678d439d83cf4b1ef39ac5ecc536570f

SHA512
76417379401af1710166ce69c27b6defbd8b162193b5894473e15cf862a5e52dd63d6b4d5b46ceff61658b60cc93e0f568507cee6a595b761eb4d2a959396234

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
101KB

MD5
434d63550cf21c69b93b8410d36cc802

SHA1
de07aa27d59c79643c53ae5be4ba8ceba6e6d761

SHA256
f5a7c5d06c645c7a6f7dbce66980705601f288aa8d35bd9b54a7c7907e9b3af4

SHA512
e3b31048f5a17bac8410c2c6ffc38f30ac494f5acfb6e34dd26f4c973eca62af6d4b570e3ae7b802427e88cdc555ddc3713667fa7b83ab4aa7b1ceea13e7d7ce

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
101KB

MD5
e3814093fbde4daba4346264812f4463

SHA1
a8b18fcad69471828c1f0d994f62c35174c956b8

SHA256
dc7db2d22484b8ddf556698ba43c6769941fe765fe7252cc4523e059c15b37ab

SHA512
40cdb11521168c68119f336b7afcd80faec2d2ff9634cb833d3167ada7f8295d74ee4caaf7b2c7b9282b986ad86525c51652ca8eeb04fc0a427324008831a535

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
101KB

MD5
8ad65a8c403d831aba6e563b1675b87f

SHA1
22ce952436e0c9119893636f208560b8fdaee8e0

SHA256
47494095a9eea3311441428b06a44a7253a149659bf4b753661e269b58a85a6b

SHA512
38bddb49cd551a6afcee368321b1a60721aed9e38950e6a02938d006ed2e5ea5e1c1738bec70bfafca465a6d9ab2c5bc7aa3a33f1a9e7f1504388715f7c7914f

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
101KB

MD5
081988b43609b0c11327eb2d91189dab

SHA1
6de2e247227f8606cfeed4a390225bad873005d6

SHA256
148d0330ce73cf4da69add084cbd9793e4ebaad2f9c448e32403a3db861cd4e2

SHA512
6e87f8d161e8a302e04c78eec7596bed5741d2e47203451823895b15a1a9c4cf15ed1aa957603a8281878eb9489dc3c44fc08ab43869179bb3813eddb3f0f4c9

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
101KB

MD5
02094ccaa2ef21fdea356abee3d9a7cf

SHA1
4d27ada22e2e1f2fd541af6cfb7479f43e5b97cd

SHA256
f7778a221e47166e5a4180174f63e21842d06a1f90e0009b1d5b548bafae5dcd

SHA512
5caaaca58490f2ee3ff61029654db6be91919a217fd4c8865d7765febe0b76f60644497a385367efacc3cd6a73f29940f883db1ce8beef89f09c8ecff2a87c8d

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
101KB

MD5
0b711d276e22dbd2d890f4164054e645

SHA1
3aad86eafcadf97f096fd66ee802ae15fb7e7739

SHA256
b157dc428e15f01c60361e5d52e4833ee1109dbc2e3c9af42534caba9cda8390

SHA512
24085b6a090b079ccd6fa7753ec8a00e003a29dca7921d7d4b23b6aa90741111688186f07f69f6d820bb8c7e480a60b1ca839bbe8e6ca489468a400634ce9dfa

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
101KB

MD5
19ca619d06c328082cc879d122777671

SHA1
dccabc91003b32bf8a114d061cdbebbc904e628b

SHA256
960bde365ed89c0d2f50dfac81fbc263729398f2495106c7e838639d469eb95b

SHA512
f09767664fffdd2813a20fb9bd9e443fb8c76a1d12e48d3285a8e35bc0078cdebf176856b9df383b8a82f2c53bbbfb51294cd3a4ac42749fb6ab8e78b4728c00

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
101KB

MD5
2d128976cb848aec2c68da718ee7a436

SHA1
f38765d6cef70186754c225a7756242ca97792ee

SHA256
ad8636a98b12c43a59e34e170879f5405e31aa41e66fcbb5de12109e28aff30c

SHA512
3ff0f2a17ed6b36669c1b0cf9ce75a2e5f933432ef6a32bb01ea39560f380e4994c36e58587683b7afae84b37499f74aa7a09fcf37c4d924c9d1d9bf00f65593

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
101KB

MD5
5480a9b867890edbf269a8649b646af5

SHA1
55941d328d094059fcd74a692588ccb831255161

SHA256
18b3575d7eb32ae1d1f94b7239c923a73afd355bc1b403734edef82a920c2dcd

SHA512
d57025102cf803805eb8182820a8538b7890fbcad7bfaea281e70cec30070630130f79afcdd2d244bfc70b1cf8f649a14a2db7d5c6ecbb7e4be98c568349e1aa

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
101KB

MD5
298b1cbcb411340f278c9ea620b29212

SHA1
6019c6e72f0e0aaea8c334946531992381cea01f

SHA256
eff3afcd82791d450e992edb17d2cf429a8cc39b0be43c26919cf1f4856e8824

SHA512
e11e8c688918d2b9394235f65d7ae35cb487782ec64bd4ab2e55c026339ffcb85da5d3aae2f374438bfdef958d5e3e0ebf0b65a5893593c6a80e1e844fad7cf2

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
101KB

MD5
e6e229af9bc532ffaf7f7dca81468708

SHA1
598d7c834b8e6d360026c9337751ffe26f60486c

SHA256
eb1152a59468402475ac76a1f833a652a07aee10b56ec1b5fe83c38afc68a53d

SHA512
2c5b33157482cc74bf1d47482e9e873906e8dcc97e8b9e09d7e52b3180b9f21e633487137305c6f0aacc9406a7f4bc37e2771f0eb88e03a91f034c34535152ad

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
101KB

MD5
8f35cfab3438472297ce2383be5b3355

SHA1
8cc14f5492098c8df3d27ff5fb5aa8d483e96e1d

SHA256
6b15e3b3b0662de20bed4fc86176c488338584ad6e3a87eb6a6078550e1e3498

SHA512
27d8a6b240ef49fe68a44362e1ee7170cb33f59f700391205efb51018e32d65a32bd5ccfc0ed2f529bed32605055a28b9f83c18c4ba0bdc136df283e255df2ca

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
101KB

MD5
c6d4b21c54b928ff767a1bcea167e48c

SHA1
cda18bc5151bd7f92feaccbc4750f6ffa412829a

SHA256
a1ec4f7d4bc0410a6e40787a00fe359868252a89711b460e87fc990597e8aef5

SHA512
f185c69952b9462fa28c5cf4761316b192f0150bdd16f68a6b156f2b2fa014c6cf814cac4b3c78ad56524b64d31418c588558ff81c6db96241c94a98d698b044

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
101KB

MD5
b4fe91718020982bfe18e891a17cce2d

SHA1
811a9c2ade812539df4b17539526c6e82c8e0809

SHA256
449d5dd4097296a88d96e1c3649e22db443c2887629fe96393082fe6e1cf6a62

SHA512
5112c68ac9a54df444b4a34f505c4d40756c49ddb4ff3dcb95eaf2a0c4b8c4e674a7c74d0d523d1a37c5c2dcb723e8027a3ffb00454bffde176b4e3c61e6a552

Download Submit
memory/60-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/64-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-817-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-597-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-812-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-763-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5184-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5232-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5276-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5320-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5364-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5364-746-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5408-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5452-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6136-717-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads