95a664744c1a2e5f803496cb6eca96873697d083bb5dc140c9cfe777d0aac7aa

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd3cde0f519c2cadfc3792e5d21e2320N.exe
Size

896KB
MD5

dd3cde0f519c2cadfc3792e5d21e2320
SHA1

83ee09bb3c884c5ad7f0c4fc0bb8bf40748b3a4b
SHA256

95a664744c1a2e5f803496cb6eca96873697d083bb5dc140c9cfe777d0aac7aa
SHA512

d56c3398a89821da2afe55c381cf6d683e2d22e50037a762308a6c732559f45539a2b25472752c83453462a445521a2a97a088f2af9d94837a72a033fad2de6b
SSDEEP

12288:00YvByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:Fvr4B9f01ZmQvrUENOVvr1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	dd3cde0f519c2cadfc3792e5d21e2320N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe

Executes dropped EXE 64 IoCs

pid	Process
2120	Nnjlpo32.exe
1396	Nnlhfn32.exe
4492	Ngdmod32.exe
3468	Nckndeni.exe
2116	Oponmilc.exe
4892	Ocnjidkf.exe
5008	Ojgbfocc.exe
1772	Odocigqg.exe
4872	Onhhamgg.exe
860	Onjegled.exe
2528	Oddmdf32.exe
4864	Pdfjifjo.exe
4968	Pgefeajb.exe
4708	Pnonbk32.exe
2968	Pclgkb32.exe
3584	Pmdkch32.exe
3100	Pdkcde32.exe
3160	Pcncpbmd.exe
4076	Pflplnlg.exe
4368	Pjhlml32.exe
4548	Pmfhig32.exe
4148	Pdmpje32.exe
60	Pgllfp32.exe
2808	Pfolbmje.exe
4564	Pnfdcjkg.exe
2140	Pmidog32.exe
4524	Pdpmpdbd.exe
3268	Pcbmka32.exe
3872	Pfaigm32.exe
4584	Pjmehkqk.exe
2648	Qdbiedpa.exe
3032	Qceiaa32.exe
4104	Qfcfml32.exe
4268	Qjoankoi.exe
1332	Qmmnjfnl.exe
3456	Qddfkd32.exe
3644	Qgcbgo32.exe
4496	Ajanck32.exe
2416	Anmjcieo.exe
2344	Aqkgpedc.exe
2796	Acjclpcf.exe
1452	Afhohlbj.exe
3172	Ajckij32.exe
3372	Ambgef32.exe
3568	Aeiofcji.exe
968	Aclpap32.exe
4696	Afjlnk32.exe
5104	Ajfhnjhq.exe
4596	Amddjegd.exe
4592	Aeklkchg.exe
556	Agjhgngj.exe
2928	Afmhck32.exe
4136	Andqdh32.exe
4092	Aabmqd32.exe
2276	Acqimo32.exe
1304	Afoeiklb.exe
3080	Ajkaii32.exe
3728	Bjmnoi32.exe
2264	Bagflcje.exe
3864	Bcebhoii.exe
4808	Bjokdipf.exe
3064	Bmngqdpj.exe
2352	Bchomn32.exe
2512	Bffkij32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6036	5888	WerFault.exe	188

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	dd3cde0f519c2cadfc3792e5d21e2320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfolbmje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2120	2904	dd3cde0f519c2cadfc3792e5d21e2320N.exe	84
PID 2904 wrote to memory of 2120	2904	dd3cde0f519c2cadfc3792e5d21e2320N.exe	84
PID 2904 wrote to memory of 2120	2904	dd3cde0f519c2cadfc3792e5d21e2320N.exe	84
PID 2120 wrote to memory of 1396	2120	Nnjlpo32.exe	85
PID 2120 wrote to memory of 1396	2120	Nnjlpo32.exe	85
PID 2120 wrote to memory of 1396	2120	Nnjlpo32.exe	85
PID 1396 wrote to memory of 4492	1396	Nnlhfn32.exe	86
PID 1396 wrote to memory of 4492	1396	Nnlhfn32.exe	86
PID 1396 wrote to memory of 4492	1396	Nnlhfn32.exe	86
PID 4492 wrote to memory of 3468	4492	Ngdmod32.exe	87
PID 4492 wrote to memory of 3468	4492	Ngdmod32.exe	87
PID 4492 wrote to memory of 3468	4492	Ngdmod32.exe	87
PID 3468 wrote to memory of 2116	3468	Nckndeni.exe	88
PID 3468 wrote to memory of 2116	3468	Nckndeni.exe	88
PID 3468 wrote to memory of 2116	3468	Nckndeni.exe	88
PID 2116 wrote to memory of 4892	2116	Oponmilc.exe	89
PID 2116 wrote to memory of 4892	2116	Oponmilc.exe	89
PID 2116 wrote to memory of 4892	2116	Oponmilc.exe	89
PID 4892 wrote to memory of 5008	4892	Ocnjidkf.exe	90
PID 4892 wrote to memory of 5008	4892	Ocnjidkf.exe	90
PID 4892 wrote to memory of 5008	4892	Ocnjidkf.exe	90
PID 5008 wrote to memory of 1772	5008	Ojgbfocc.exe	91
PID 5008 wrote to memory of 1772	5008	Ojgbfocc.exe	91
PID 5008 wrote to memory of 1772	5008	Ojgbfocc.exe	91
PID 1772 wrote to memory of 4872	1772	Odocigqg.exe	92
PID 1772 wrote to memory of 4872	1772	Odocigqg.exe	92
PID 1772 wrote to memory of 4872	1772	Odocigqg.exe	92
PID 4872 wrote to memory of 860	4872	Onhhamgg.exe	93
PID 4872 wrote to memory of 860	4872	Onhhamgg.exe	93
PID 4872 wrote to memory of 860	4872	Onhhamgg.exe	93
PID 860 wrote to memory of 2528	860	Onjegled.exe	94
PID 860 wrote to memory of 2528	860	Onjegled.exe	94
PID 860 wrote to memory of 2528	860	Onjegled.exe	94
PID 2528 wrote to memory of 4864	2528	Oddmdf32.exe	95
PID 2528 wrote to memory of 4864	2528	Oddmdf32.exe	95
PID 2528 wrote to memory of 4864	2528	Oddmdf32.exe	95
PID 4864 wrote to memory of 4968	4864	Pdfjifjo.exe	96
PID 4864 wrote to memory of 4968	4864	Pdfjifjo.exe	96
PID 4864 wrote to memory of 4968	4864	Pdfjifjo.exe	96
PID 4968 wrote to memory of 4708	4968	Pgefeajb.exe	97
PID 4968 wrote to memory of 4708	4968	Pgefeajb.exe	97
PID 4968 wrote to memory of 4708	4968	Pgefeajb.exe	97
PID 4708 wrote to memory of 2968	4708	Pnonbk32.exe	98
PID 4708 wrote to memory of 2968	4708	Pnonbk32.exe	98
PID 4708 wrote to memory of 2968	4708	Pnonbk32.exe	98
PID 2968 wrote to memory of 3584	2968	Pclgkb32.exe	99
PID 2968 wrote to memory of 3584	2968	Pclgkb32.exe	99
PID 2968 wrote to memory of 3584	2968	Pclgkb32.exe	99
PID 3584 wrote to memory of 3100	3584	Pmdkch32.exe	100
PID 3584 wrote to memory of 3100	3584	Pmdkch32.exe	100
PID 3584 wrote to memory of 3100	3584	Pmdkch32.exe	100
PID 3100 wrote to memory of 3160	3100	Pdkcde32.exe	101
PID 3100 wrote to memory of 3160	3100	Pdkcde32.exe	101
PID 3100 wrote to memory of 3160	3100	Pdkcde32.exe	101
PID 3160 wrote to memory of 4076	3160	Pcncpbmd.exe	102
PID 3160 wrote to memory of 4076	3160	Pcncpbmd.exe	102
PID 3160 wrote to memory of 4076	3160	Pcncpbmd.exe	102
PID 4076 wrote to memory of 4368	4076	Pflplnlg.exe	103
PID 4076 wrote to memory of 4368	4076	Pflplnlg.exe	103
PID 4076 wrote to memory of 4368	4076	Pflplnlg.exe	103
PID 4368 wrote to memory of 4548	4368	Pjhlml32.exe	104
PID 4368 wrote to memory of 4548	4368	Pjhlml32.exe	104
PID 4368 wrote to memory of 4548	4368	Pjhlml32.exe	104
PID 4548 wrote to memory of 4148	4548	Pmfhig32.exe	105

C:\Users\Admin\AppData\Local\Temp\dd3cde0f519c2cadfc3792e5d21e2320N.exe
"C:\Users\Admin\AppData\Local\Temp\dd3cde0f519c2cadfc3792e5d21e2320N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Nnjlpo32.exe
  C:\Windows\system32\Nnjlpo32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\Nnlhfn32.exe
    C:\Windows\system32\Nnlhfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        28⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        65⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1560
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        76⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1392
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        83⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        89⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        99⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 416
        104⤵
        Program crash
        
        PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5888 -ip 5888
1⤵
PID:5960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
896KB

MD5
f0ed391f88279aeb42588c22c2475a57

SHA1
ce57158002e09e796da4602982aa006b8fedfeae

SHA256
2504b3edef3298f59a21f9a02df0e1f596940385253d0ffb5a2e07a7d9956768

SHA512
9fcd1de9609d40b1ac8d3835af73ea13740c774ab49c4913604bd94f4243b98b625bd4a6cb3f567d68d4a8a8a472a59dd07b292585e10b8828196fee958f77a8

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
192KB

MD5
785f99981c673aded5fbf608aa9b81c7

SHA1
fba0ae694aeaf00b88b590386d446e04c80fef05

SHA256
629d7d0c53b08a6a5d33172a049796f574b921c8d41228dc2e264f2e4afb0733

SHA512
0829ef80e5473ac3a134dcebeb1d759c069c6cb0cfe279965fcaf5f7b69e489589953e2219b1535a2addaebbde788380ca2894079624be1914a3c33afb1a4298

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
896KB

MD5
59f595f9ab3cdf948d3403542f23553b

SHA1
d59ed223457f64823cfa9b0bd761b26c35a0d64c

SHA256
e5bc014281c00732a2a348c2304a24d1bcf8a40b0a188ce794d86f1ce0f64959

SHA512
978d8ca4635b96bbd99bcb20858a362aca3ef61762344274a506bd6d10f25e3fdbdacded764e73b5d17b7d5250402a4009eebd423e88c2160282f969b6802722

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
896KB

MD5
7be26a5d7847c85fbc95f6626d0ac258

SHA1
62e60adcca68e6507d4c825cecf5db770b45c6bd

SHA256
f1ddf90dfaca1af5384456b10f81717397c40a38c692cf5a88788d78376fac2e

SHA512
04f54367ebf787896f3d269bc60345ec441124cd77f765e10b6fa8bb26631e8988cfc4d4a0b66e6e447ec37326b7c21fef0a1b15de9406b50c37e26d6c0b0a25

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
896KB

MD5
3c367fa52b52dabe6c884662879c3681

SHA1
71592af8af7246fe6895777b2be99908abee0c4e

SHA256
443f185ae97c49a8fc877ce069e9421b01b7d1fd22120d6c9c5bea12cee9fb0e

SHA512
6efb27371e2f7a6e50c50cdf4c6a51bfd6bc1500c3ffcbeccf6f27e85bd506dd4da55b2df5b1f5f32e5d0cbd338eb8e4c686378876e7c5c9c6d94f3962ab87e6

Download Submit
C:\Windows\SysWOW64\Jclhkbae.dll

Filesize
7KB

MD5
31b653c3d55a23900e50ba232e6bc7b7

SHA1
f92a52c4a5a13ca933ed0a4df473127f4ebf9389

SHA256
042ff42d36f6b7429b868fbbf1ac34d63a6476db96092077c444ec13cafde3e0

SHA512
776031453f9f0a602258833f0e9d890baca380f49c357bbbb5e2f32546100a88746bc2b399336deac8763625a3783ee72c487f452eaec865d525f1f049439ab8

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
896KB

MD5
6ba0c507ab707be9ed2ef6f15dd08224

SHA1
7d5b30336a288373659bedfbdbf9d7375c6190f1

SHA256
9eefe0dfa74fc378138cbf72bbf1db647e1903463b791028c2ccbf73c4bfc02e

SHA512
f04247edaa53e1bc76d60bc775ad833d12209cef0ae9b23efc32013def150b440d693cc823b985d6592039467fef524fca1403fda51f0ea5b0f9ed15e116b7bc

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
896KB

MD5
e99b463afa13390ede9273be5a6a9058

SHA1
2451006debe4032608395969b50f3bff73152de9

SHA256
9d1e8316ac26c690e9f1ef7f1b2f2cdac8e9e6ddc6e201c3decc304590b4966c

SHA512
89b1d69bb3abd1c27f1fe053c72a0cce9b43300a24946d51bea00fcb440de17a56114a04dcd34b74aa704b68c938720a1262876f85d1711f3e504b652642d290

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
896KB

MD5
2e7793bc9898c938341b1ad615941769

SHA1
099918d68e4127e9aa362718edbeafbc2dd99bd4

SHA256
1cc70e0381fadaecfba07c24f2d805c04b4df097d58eca67caeb550186fa8ed4

SHA512
8beebdac759f8dde2072b121e4b9a621febadc8b17a5da49755303148c942b3b3460a28064cb39efab43c55b5a2f524d41f7a31d116348659a63324df004616d

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
896KB

MD5
c44bf3d894d5c82de69235a95df5a662

SHA1
8b975ab53cceea941262c809992f293e4512e3a9

SHA256
07ceda3cd2d57adb2c175968503c23c43e7e5995b8fb5353e1d7a8bd21ebad4c

SHA512
8a94dcd832c5a6b1381a0ce58c1140f2592feeb64d4b8e17cc1079b56c25b21723bec83f90b3a2ef20b9d5f52ccf79a1f1d100d1631c70a5794de39300472955

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
896KB

MD5
90c5c146ad5bdd22374dbdd3b4b03e3a

SHA1
3fb1873a3a91f5959aed2538518d178c10d7ae5b

SHA256
a795c8c8dd7692ec27dd4eb1306ce5f0647c7997460bf61c8efc092b0889f14c

SHA512
7d78c88071dcfe2eeb5539edea9ce930d8ecf5e4d961eb87967b19a571225c61690da2f1c6a8ae5aa5c658325327f616fa05b4ae47bea958f27cbfada5812ae0

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
896KB

MD5
ebe2466f50b2e136b8d1ec3cd8f6ed4b

SHA1
458398597358f74044ce224a08c8f37dd077ab8d

SHA256
86618410d265500d13233378b54cd9e4d637626b703070cf789f8db2d6e11b44

SHA512
25968bc9d6012f8a940f4b4c79b8467ecc8cb2f48ef8232da1081af2771f2f63b413efdc2b92f465b3022cda9a5bd511d07779c85e929d847e1d1804ad9a04da

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
896KB

MD5
3b6c7cd5f4eb385d21654bf9237726cf

SHA1
d399e4e465af65976b020a20d2176b7a546b778b

SHA256
788344903c472413ae6e6f9ca773ae4c320383fc05c6eaf2e7968ee2e2570da1

SHA512
aae658a7b466eb98902b6122c13d53f2dd5b0ff68f0a46885f375fc7297810f798aeb7b30812f88f7991ce75fddae6b8afad16ba82683e3448cc374527ece112

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
896KB

MD5
71915b3a6259033c92ae0831aa3acb87

SHA1
0414f1fb43742b7ccbe5f865609ef19a3a4e722f

SHA256
d44e758a32f96706bdc986914b259536cb21dd82bd3473185b37a81169aff2c6

SHA512
d0dec1df62fad7468aa43445ebcd5e05a81d61848e149f7d78363e36ba38a5c2b7025121060c9066c55ed5ca45b9f2afebd76a793b9b0ce1cdbae11219678855

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
896KB

MD5
f1f6a267b330f9d08cdfa3f81b752675

SHA1
549ec2af6723a0ac9d07af538b5f3994b8f41c29

SHA256
5a99de8b1c5f8f54dea86f31a27c6c113e82c534e3645a9d1d60949329a6da4c

SHA512
5f676390190498e4c94864e0465cc6a51116612d7e8f2ed4081f5eae53a7d630c6872b218933b4d0aa2aee8066512c2033a1d91c03e424c7be8ed31227565266

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
896KB

MD5
46277221d4d9bb983a81fe36e4f39fff

SHA1
b0c372df655bee77a267fc6102e502bcaa33564e

SHA256
051665fb1eb39e3f5c1ce83a3994fdad971ab1c3e92ea45fb974843d79717322

SHA512
5b0c7c678f08ad8e4480f0f04c0a82d534cf95b98e40577deca910b5d001446902fa70645f7cd36baa22c907a68073bce6a6b2867b2e6d17db3b13064e0a3c5a

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
896KB

MD5
81c7c2299d6010def885ad7334044a3a

SHA1
3c703f0ce6c6cdaf63f05ac17b001212aab917ab

SHA256
4ea6698fd1113cf8edcb3dcab49ee417e4c96bdda81c6f1ada8e1d23a2e3e4bb

SHA512
50c40432052451afa845f281fa82b4dd88754278b0ec9e847c825123fca48e8a125ad090fa79502eef7e55db2e07c88c0c980c8beb8f1e28c6c4ccaabd4134ef

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
896KB

MD5
cfc3e0392b84e837cb853201bab12573

SHA1
4d3eeb96fb3aa4a3ad9775d8ed45e5e599d479be

SHA256
225424c148f1c7eb636ad49c25d2a52225d03d2beb1cd4ec8cf89fdabc9fd2f0

SHA512
b34f36ddabede171941322919f82ee5d8faf0bab426f58ede953747dfafc91f34005943b4965a8c979a717f43dad292796eb11def73faa3eafcf301d72bfe9e9

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
896KB

MD5
25b7eaef3c4956893bd700caacde07c4

SHA1
c63744e135ea32b17fa5fb26821f078fc9920096

SHA256
d45ca037f4faff7ab8bc5128f10cd13296624a5f592805ec69bef8a03f4af65b

SHA512
91bbd217a6f93418478518f6dbada58b89cdbc7cc3a27309d9a47c84d0e6a2e1db0feba3e62d419e82230e87f1baafb84a40bb3ef3bd43291c5d034c6d5ea925

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
896KB

MD5
c16767da4bfc7ffd1916a6cf4331e49a

SHA1
28006624437e018af481007071f3472f428124e9

SHA256
cfcf2a9d2c09c664c75ace71393a87576190e2e30c049c00c94c1794f94dc118

SHA512
1f054ec850b4f3578bb42e5f0c1c9691bbd9a843f686899ff0bb374cbb11cd9989659621bcabcf1bc166849ba7103333121bc344f3703840b5eb43f790531600

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
896KB

MD5
806830b79e5268d4871e3bdcabe21365

SHA1
f975382f26a5fe0b10b33f317ccede32ba426e3b

SHA256
108a287b7efdfe3456de2829468b26f6440a3bbb2b527960a4d2a0dc26e05419

SHA512
30df5c18fd0c876bbd27a31fb3ddc572a38c95ca02aec5f44575b744637bce6305da6600b20ffabcfa70358496e088f22f6f06bd416351e9787f83cec09b53d3

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
896KB

MD5
b28309fa3ba5dec8d6e4711b867dd68b

SHA1
83208e0f6a74f0cd04f04063491a3c31f21c309e

SHA256
29c25176a63e889f555617a02cca02f47afe5b1fdb29df4bc1a4553d24e7c587

SHA512
90cdbd7b8029e90a10aee4147fb9463a7991e9bf55b55d2f2a1985780f2b2db24e14762b7a9c5ad0b8c7b1eb1631b564c222298513800110e6e2e1a79a27e7cf

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
896KB

MD5
d521408669a5d562d0c793aece95b891

SHA1
b7583cc2ef3b89337f6629e1009dc50ae15a1b7b

SHA256
870078f25c57bb495b88f52ce67fd2b8b783fa2bc25b8af940fef37292e05cce

SHA512
5af05d054885e837e4f47c9d78b42e822d01764400c5140ca4b2de79343b10aa00d0af42cae07e0c27677f1b0279b1b6bd323c8dadd0e281521a103d36a930cb

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
896KB

MD5
37434996b2080f1d1e13a0a7a63838a7

SHA1
e049727bbc8383742752cab83e2894dced1da5ae

SHA256
e19aebaf3225ec028404e1c47b73185cb7c4c148e453fe3c9e23cb97a4b1859b

SHA512
30fec82acf8cf6e8b3dad02f9e75c603f1a55f6a8d96b57641a75cc016d42927deb82f3164365515dfee9a66d7abff5f1c37e6f8fcee1523116b4407ff31f72a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
896KB

MD5
754914d6b43d90877ad0887681d5f11b

SHA1
34d92d6c6542b8dbc90913e35a7be6bfc66b9e40

SHA256
60a800a7d5f2dc17dff2888222a1b4a295ee22a5a7228f78d78f22e759ab64fd

SHA512
6043234a242dd2ded4eaf2a6ba56c0ac49ef6e0287f9cdc908ff10d1b359fd09f59a406bf2845bfb8693423ed8ef4871c89d8edf14e261493571b630d5d6c72f

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
896KB

MD5
54c0f766aa2be79038e40d00800254b3

SHA1
24e325b8208b20aa0fc43fc4dfdde9840b52429c

SHA256
a2a0eae91681cc1fcdbb2813a7fa22e0258879a4a9eeceb2a341ea8e6fb06764

SHA512
482545774d8a66a560e51bccf226d31faa202801ff072f892389c2160b108379ced31ac3410a78d3642155107700696443e9b72dd9f2626866875c6b6707ee89

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
896KB

MD5
9d351993c836853df96e6c45651d4a39

SHA1
05ed66e6b9a312340098fb2813cd85cbcfdcba0a

SHA256
4b026d9946c680fe96e555eaaa944b42b7bf2f08fd179c3d0fb4f7048547be72

SHA512
eb958f17de08fca68e9a1bdc48ab012de999a45c4d36d2316c5ddfaac0f6bd3e860306cad74294c7c397d620cf1a57ce28365134a02479ac4f4f6188203befbb

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
896KB

MD5
98d88b3fba721634dd373a064a7bd03b

SHA1
48b0beeab53c3ac605e31d6b7d5c2e987eea8869

SHA256
233eabe39830471ac51524554ecf1f6bf97101bbc114650a92de8a51008a1622

SHA512
d42ec20599dfa0c8f3a226faeaa1e7b39985de92aadd1e249f65e0bf65d6ae86b83243f0b487cf8b03b69ba6e19cb4d54119d157e514a5b6d375893cd908f473

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
896KB

MD5
10ab393165f70adefa1c58a661feac0b

SHA1
df2ce24df8f39af8aa875c224740f56d8f1ef2ad

SHA256
2819b09bef510135f9e2ed7a95f8b09640f419336db4b1d43d4b00cbbcfda4b7

SHA512
168c80c850a868aacf3f940b2cdb62edfad6715500eac605b4269c0e80a5d98c48d9d9b4e7376a887a93593b5c70ccbedb3a6adc95a88b7b0f3a5684df0ef19b

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
896KB

MD5
ca45c71436c9b6bb7b1bf8b785f2939c

SHA1
94e1e3860b20d50eb19f23e09bee5e6fb8564cd8

SHA256
500c0a9cf5ff034ed4ff68f56308d88ae418f13a638e2bcf778ea42cceb54a4c

SHA512
b47782ef96dfbabee457ab0c7a05d4a0c2857803b5054a52fbf872a7a3a804b03a1516c6501a6fd79f8064550a5b7c1c834c78374a1e604954d57edf45c3ed4a

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
896KB

MD5
3856058fe5d403c1840fd8e13d8ed6d8

SHA1
252bae1194c05c8120e5bb7a934d14ac557da0e1

SHA256
d84eac81b4d71a828daf351f314ad61bc39082fae0d137d2d8108e45be9e2d58

SHA512
18eb60ace228e7cf3ce614c29b2ae31bd4b7255d423f57b3d78e5adc979ddb8d113622f8adbffaf2dcd13d5dc427f1f11ba177c737f6cd34d995c97219605fa1

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
896KB

MD5
12a45f003f142921718b727f5b8279d5

SHA1
f675cd469a20a98074e76e7a7c984e42a51e6599

SHA256
486abf841ddfb33470f9ca93dde7ddf24741c3d664b99677ae1abcc2770fbcb6

SHA512
d15e31c44ea458b41ef502ba9fbefdb16e4f2fa5b3ffc597983a8c3ccf3ee03f2478cf8bef63f859b050ad27100dce35b517673518f8fa8497bdf02687ace755

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
896KB

MD5
af0a3d34440844ae5dcdeefd24d40386

SHA1
1c08587de4e454510f0dce09eda0b16cd3b1adcf

SHA256
f07fc51d1d9bd33188b468c93b63fded06aafe060785fae25cdc4328eca985ad

SHA512
bd2dc703281174b95ab7eec7c660b7d451197a21ca76c3c3a5ab15fd9a9fad6b1ca9046fad228e5937b860113a80904bfbc541b70454cef6392190ad51d19329

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
896KB

MD5
9ef2afb9481bd9b0f4ace5dbb66f1077

SHA1
383b452359b67a3589f2a803e74cf0a3e3c56ae3

SHA256
24313d12a6f053b3778d820a26d794120197aa055f0e9e9e1bfdfd414f960a68

SHA512
2ec0719bdf7fbf2e35264ebdc01d5c5f49e60bd88719e57af4513cc6a60bad035f79701e39b7a19edefc9372bf7618d89f6aaf634d8b3c42f524b28018e48e92

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
896KB

MD5
b9e342c28538660523da522740479776

SHA1
a0c1144905743b012b8789844631fd6582727cac

SHA256
8fe6293f0cf4f80c55fb9d812fe9828783e9547b37225c4741873c9a2424c9d7

SHA512
c2d29957327eb82b22afbe6ab097fcfd8fbf40e1614b254c119da9ae22960511e12905a4ce0cbdfeec24e7e7761b49598fa2d1aad05b68e942aee2e5ec152429

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
896KB

MD5
c45414dc8c2eed2a4742629a0cdc8429

SHA1
9c872e5c86511f8d76283fbe98c67b58ba541689

SHA256
103795ad204d9b94d5a7c7e5181b2c6f40aeaef1b23e469446ee0df97df22a88

SHA512
a66687f04dbb490c0290685b6930984bf8afd8cc88944360777cfde5b62d16d6e7a454779578d6112c75428dcee6866f52b31b87c0beabc2f4560809ce951923

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
896KB

MD5
d7f86685e3be19b94d786e9132db4904

SHA1
9423dc0541259aa755b48b2c44133ab731bbf080

SHA256
48e99cc69b0c9955a85b207dc79902197811ffa62b4ee7846bedf720eac676db

SHA512
a1763bc3bd8aa0b9313f6c3168cb1390a8955412ccd6635b4038302c431ab0f2bf811382319727a77732394880de4d9dd5cd13b5e655b4a95c27224fdc8aa6a1

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
896KB

MD5
851b1e3fc087cd61f86c0cecd238c8ae

SHA1
3700028c374e63afcef0f55d2c39c113a71765d9

SHA256
5cd37549d5d6d4f3a0e88771d78f0b990adcbce91d3941ce890cea10c55176f1

SHA512
818ed75d5ef6f1294c0256ed6a0647ff6d591c07afd1151acdecf3dfa2641951652a50915c6060a8bb95b1aada5b671876d8f85f0ccba2f055ffd66a49b26907

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
896KB

MD5
def32b525d73194f077556e7ed146317

SHA1
8dde8cb39e4bb550665b36f4bc7fad1d5a87093c

SHA256
b5edfc2a6f4c31cbafb7a290c15fc26798d7d23ef0a9539c0ee7832f88fec8a8

SHA512
c5bf930b92e48c2e7f2dbe9b4a46f5ca04f1577c9a0b728c9704e8d1f1c8bfc38a3ca47f5b9654863aeb2c18961b10bf65438f0b55949ae3518ee921c842a065

Download Submit
memory/60-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5680-696-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads