40c0c96badb44d3e7db9fb42af79e43488f8f7c9b2f4353af0315b31ac58b66e

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfb62e6f36478bc7af0801726464cb00N.exe
Size

62KB
MD5

dfb62e6f36478bc7af0801726464cb00
SHA1

39d92599f12603f8feabe3cbb5c92915a132f027
SHA256

40c0c96badb44d3e7db9fb42af79e43488f8f7c9b2f4353af0315b31ac58b66e
SHA512

cd1f4628ffa0fc59088c5d5963fe2c29ad31ce134893aa52072b65108a445ad7ddd9befc02da0564c93462de98f6046f86dd537118142e69245750ed8537bab5
SSDEEP

1536:sQ0DrQzLZjvUFBqiBLTfobFrNMf99qusBxg9zlTjYDyvcshy3ve8Cy:wABWW/xg9zew+ve8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dfb62e6f36478bc7af0801726464cb00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dfb62e6f36478bc7af0801726464cb00N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe

Executes dropped EXE 64 IoCs

pid	Process
3164	Ocbddc32.exe
4316	Ofqpqo32.exe
3092	Onhhamgg.exe
2632	Olkhmi32.exe
224	Ocdqjceo.exe
4852	Ofcmfodb.exe
1288	Onjegled.exe
3360	Olmeci32.exe
4996	Oddmdf32.exe
3196	Ofeilobp.exe
4920	Pnlaml32.exe
400	Pqknig32.exe
4184	Pfhfan32.exe
2172	Pjcbbmif.exe
3052	Pnonbk32.exe
2728	Pclgkb32.exe
2308	Pfjcgn32.exe
2256	Pmdkch32.exe
1444	Pgioqq32.exe
920	Pncgmkmj.exe
3776	Pdmpje32.exe
4192	Pfolbmje.exe
3724	Pnfdcjkg.exe
4424	Pdpmpdbd.exe
2056	Pfaigm32.exe
4588	Pjmehkqk.exe
4324	Qdbiedpa.exe
4536	Qgqeappe.exe
4188	Qfcfml32.exe
1160	Qnjnnj32.exe
3392	Qffbbldm.exe
4124	Ajanck32.exe
1280	Ampkof32.exe
4228	Adgbpc32.exe
4616	Ageolo32.exe
2240	Afhohlbj.exe
1552	Ajckij32.exe
4248	Ambgef32.exe
2588	Aqncedbp.exe
3192	Agglboim.exe
2880	Anadoi32.exe
1136	Aqppkd32.exe
4504	Acnlgp32.exe
1488	Ajhddjfn.exe
828	Amgapeea.exe
3808	Aeniabfd.exe
5076	Acqimo32.exe
4972	Afoeiklb.exe
3236	Anfmjhmd.exe
3284	Aepefb32.exe
5036	Accfbokl.exe
5100	Bjmnoi32.exe
1064	Bmkjkd32.exe
4204	Bebblb32.exe
3484	Bganhm32.exe
3784	Bfdodjhm.exe
592	Bnkgeg32.exe
4144	Bmngqdpj.exe
4448	Baicac32.exe
4592	Bchomn32.exe
548	Bgcknmop.exe
5060	Bjagjhnc.exe
2132	Bmpcfdmg.exe
4336	Balpgb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6108	5856	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfb62e6f36478bc7af0801726464cb00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3164	2720	dfb62e6f36478bc7af0801726464cb00N.exe	84
PID 2720 wrote to memory of 3164	2720	dfb62e6f36478bc7af0801726464cb00N.exe	84
PID 2720 wrote to memory of 3164	2720	dfb62e6f36478bc7af0801726464cb00N.exe	84
PID 3164 wrote to memory of 4316	3164	Ocbddc32.exe	85
PID 3164 wrote to memory of 4316	3164	Ocbddc32.exe	85
PID 3164 wrote to memory of 4316	3164	Ocbddc32.exe	85
PID 4316 wrote to memory of 3092	4316	Ofqpqo32.exe	86
PID 4316 wrote to memory of 3092	4316	Ofqpqo32.exe	86
PID 4316 wrote to memory of 3092	4316	Ofqpqo32.exe	86
PID 3092 wrote to memory of 2632	3092	Onhhamgg.exe	87
PID 3092 wrote to memory of 2632	3092	Onhhamgg.exe	87
PID 3092 wrote to memory of 2632	3092	Onhhamgg.exe	87
PID 2632 wrote to memory of 224	2632	Olkhmi32.exe	88
PID 2632 wrote to memory of 224	2632	Olkhmi32.exe	88
PID 2632 wrote to memory of 224	2632	Olkhmi32.exe	88
PID 224 wrote to memory of 4852	224	Ocdqjceo.exe	89
PID 224 wrote to memory of 4852	224	Ocdqjceo.exe	89
PID 224 wrote to memory of 4852	224	Ocdqjceo.exe	89
PID 4852 wrote to memory of 1288	4852	Ofcmfodb.exe	90
PID 4852 wrote to memory of 1288	4852	Ofcmfodb.exe	90
PID 4852 wrote to memory of 1288	4852	Ofcmfodb.exe	90
PID 1288 wrote to memory of 3360	1288	Onjegled.exe	91
PID 1288 wrote to memory of 3360	1288	Onjegled.exe	91
PID 1288 wrote to memory of 3360	1288	Onjegled.exe	91
PID 3360 wrote to memory of 4996	3360	Olmeci32.exe	92
PID 3360 wrote to memory of 4996	3360	Olmeci32.exe	92
PID 3360 wrote to memory of 4996	3360	Olmeci32.exe	92
PID 4996 wrote to memory of 3196	4996	Oddmdf32.exe	93
PID 4996 wrote to memory of 3196	4996	Oddmdf32.exe	93
PID 4996 wrote to memory of 3196	4996	Oddmdf32.exe	93
PID 3196 wrote to memory of 4920	3196	Ofeilobp.exe	94
PID 3196 wrote to memory of 4920	3196	Ofeilobp.exe	94
PID 3196 wrote to memory of 4920	3196	Ofeilobp.exe	94
PID 4920 wrote to memory of 400	4920	Pnlaml32.exe	95
PID 4920 wrote to memory of 400	4920	Pnlaml32.exe	95
PID 4920 wrote to memory of 400	4920	Pnlaml32.exe	95
PID 400 wrote to memory of 4184	400	Pqknig32.exe	96
PID 400 wrote to memory of 4184	400	Pqknig32.exe	96
PID 400 wrote to memory of 4184	400	Pqknig32.exe	96
PID 4184 wrote to memory of 2172	4184	Pfhfan32.exe	97
PID 4184 wrote to memory of 2172	4184	Pfhfan32.exe	97
PID 4184 wrote to memory of 2172	4184	Pfhfan32.exe	97
PID 2172 wrote to memory of 3052	2172	Pjcbbmif.exe	98
PID 2172 wrote to memory of 3052	2172	Pjcbbmif.exe	98
PID 2172 wrote to memory of 3052	2172	Pjcbbmif.exe	98
PID 3052 wrote to memory of 2728	3052	Pnonbk32.exe	99
PID 3052 wrote to memory of 2728	3052	Pnonbk32.exe	99
PID 3052 wrote to memory of 2728	3052	Pnonbk32.exe	99
PID 2728 wrote to memory of 2308	2728	Pclgkb32.exe	100
PID 2728 wrote to memory of 2308	2728	Pclgkb32.exe	100
PID 2728 wrote to memory of 2308	2728	Pclgkb32.exe	100
PID 2308 wrote to memory of 2256	2308	Pfjcgn32.exe	102
PID 2308 wrote to memory of 2256	2308	Pfjcgn32.exe	102
PID 2308 wrote to memory of 2256	2308	Pfjcgn32.exe	102
PID 2256 wrote to memory of 1444	2256	Pmdkch32.exe	103
PID 2256 wrote to memory of 1444	2256	Pmdkch32.exe	103
PID 2256 wrote to memory of 1444	2256	Pmdkch32.exe	103
PID 1444 wrote to memory of 920	1444	Pgioqq32.exe	105
PID 1444 wrote to memory of 920	1444	Pgioqq32.exe	105
PID 1444 wrote to memory of 920	1444	Pgioqq32.exe	105
PID 920 wrote to memory of 3776	920	Pncgmkmj.exe	106
PID 920 wrote to memory of 3776	920	Pncgmkmj.exe	106
PID 920 wrote to memory of 3776	920	Pncgmkmj.exe	106
PID 3776 wrote to memory of 4192	3776	Pdmpje32.exe	108

C:\Users\Admin\AppData\Local\Temp\dfb62e6f36478bc7af0801726464cb00N.exe
"C:\Users\Admin\AppData\Local\Temp\dfb62e6f36478bc7af0801726464cb00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\Ocbddc32.exe
  C:\Windows\system32\Ocbddc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\Ofqpqo32.exe
    C:\Windows\system32\Ofqpqo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\Onhhamgg.exe
      C:\Windows\system32\Onhhamgg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        27⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        28⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        29⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        52⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        73⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        75⤵
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        76⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        87⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        95⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        98⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        103⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        105⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        106⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        107⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        122⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 404
        123⤵
        Program crash
        
        PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5856 -ip 5856
1⤵
PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
62KB

MD5
5143d130f9be40fb5054c3f30c9c7193

SHA1
07dc97fc1989553d3fe63dad35c575c56ea771bc

SHA256
62b3e164c49c22f23479d06d66eeffbbdfe5d3c433890c68a99f9a8be79ebcd8

SHA512
8f8f82e9554aec24e6848255e03fdbe3175553bf885a826b003b19836492907689ef78c3cd63b4684c897c1f4fab3404545af800beac7e23a4ab664f8bbec363

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
62KB

MD5
f205b96a1a682edef9fbcdb974abe92a

SHA1
5c853dcbf9ae8754d35c728dca02f8782d9c267a

SHA256
0c57efcdf13d5d62dcf41a90b13990419a1e91bfd75c62b3cf6d59c17fb0f186

SHA512
b352fea0c35db634bd8951fff1773ce219272073605f5cd8cf6ab51c054fd9acbd4d06fa33a3281208496f3dac33b62b6cb064d3536368cc1b413c59527ef961

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
62KB

MD5
3878df3403f766ea57ed775a42f6c48d

SHA1
4fd8fff5a831e85b3584f77c7c8807a8287a6450

SHA256
9aee687a8d782ddb5fdd5c68d81088c8cbd89be124880201a22be20b18232d78

SHA512
9f6f7d0da1263872f1da70af218662615def087c0caf82dd4f8f3a1366281003ca5ed9d1e7b4c6f6dd0559998a3d61ebbbd33ddb957a4abc249a488d417ecec0

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
62KB

MD5
95e51d17348e5ca596b2a28a3ad618a0

SHA1
1f4d0a6c657bebf58b658429efeb9bfcf96c0e71

SHA256
2c76645a53e7aa0ae4a66317b68bab3f9ca32ad6280a65f8549730a03fec90bf

SHA512
ac6ef27c403d2cb04cfe260f6cb6d7eea47876f51c9aa0db952c29f08e75b048801f1b3659e73ff18065039920a0893d1a71940f9ba40b0b9f3e349af9546160

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
62KB

MD5
e4653b00deec78aa5f32007e75350b83

SHA1
3447cc74c5e0f4a9dc1a58598a156e593d7886d2

SHA256
689c83da0ee64eec88ae810cdefbd0e6ed0174326248cbba23e99d721f4becf7

SHA512
59b6b7e7a32d3ff55f1d1a9cd1d12279bb4b8748c5871d723a050e28b296dcf6ae6e8cfd1230f923d0f6ff05cdbf1dfe4e7118b2ad381c1ac800c32b50ad8534

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
62KB

MD5
0a50b02132d13e66c14a2ad97f4db4c3

SHA1
03a8c66acf02c1a21916b57f2f51b3f7b6f24a4b

SHA256
831f6d9ad05f261b6f522279b8ceab7c8195bc9feb0e95ce42ee0aeda5512811

SHA512
fd89d1a5f6be4e13ea179adbc24f6d5f7c6f1824fee6900e8568b29aacea5fa8a59e09bfdf8fcd029a7985982f881563da594deb64a29c414af1e94a7c77199d

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
62KB

MD5
8bdfa77d41f186350c490d0dd6f1481f

SHA1
976c9bc14789517e5e13f47a22c0c440e6de4954

SHA256
d59ece0d1f7b733c6dc6b6b0c17971f0affa955aad8ca29d8c0f444cfd62784d

SHA512
ce92aea4f024ec74704cf3e045b42959e4a752ca84431fd8e78f43b057f34b5f594d917c204168b74cc83d4f1dc94e375d8812d816bb3cf8f0e594ae3b47787b

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
62KB

MD5
aea55af22229d74bbfd014f4ad15e664

SHA1
4d70acb62150a76791bf79969b8c7fbe897f2a53

SHA256
c017827f5d93ea1eb2876113921c6ca93905f1d56bf9d2003eaff78667acbdc8

SHA512
7d7cb4e5eca4b1c9bf1a808a7a967187b45b7c5d527a1a185d41fcd97d68d008b50ba208aa30e53952531f45587d250c9686352e485994a475f43b46ddae6832

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
62KB

MD5
9a268b3fd1d23e65bb5491be87469547

SHA1
997591e715c84f4803bf4ebbd522eb5dc80f42cd

SHA256
679d9e4f20f01d9a9e112796e873d0b83a5e4623c50988abfad4c9e4362b5604

SHA512
5b1ee2caccebdcc22f5c6920c057c098650cbe5a5fd8077594b7fca686343d481dc70a342737094ac90fd99cfea327023e69be9f44629d7f7aa79c1a4772728b

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
62KB

MD5
feec99ce4adbe237ececd8a9f699d3cb

SHA1
9ca9897d8b6c2495ed44d60daad3c1184ae6db96

SHA256
b1911d4dad681f94d9d893df4c07b5abb394bbf00af1101b1d100d7a9cd42116

SHA512
d3601625a28c3fbfce31ad63dfaf547b715efd86f37e926d247de2bac884eb1cdd5bb44060117a71e2213d305d2b07357f5dee2ffd3aab5f5ee5f36ce6f78942

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
62KB

MD5
78ef589d2f9084d01fcc6695ba2c51f6

SHA1
e4a64a4680de6f515d9e846bcb28a934bbbaa414

SHA256
c46fe4ee839e0c8d61f369839a61ab44ffdd29cc5c3e75c8ab58834de826cb08

SHA512
0d9ed3baf3ffac9941abbbf6a126717aba1b922f4850f2df5151cb6e7a08930ae8915ff8f2d22a6a004e634f5f432a5d66632c3a2684fb10b0876be5b53af251

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
62KB

MD5
43280c095a25d36a655868e3738d44c3

SHA1
79e220e01ea7c21b2b0387d2fd9c13a6100d9ecd

SHA256
ca653ac8eb5c359234f45ac4a7b3a5c1076e71439e3825fdd9e864477afb838a

SHA512
effdbcd85c50c926ec6d13bd830cb414a5dce2f8ea85a74fa31408ec4f67c402465b35429c33b0748c195705426c589ee9cc797a9d02ca3f6a4d2d4a43d7aa69

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
62KB

MD5
92026b539b05dbe1edce13e1902a4082

SHA1
15ddc2798fc42470f6b3da05e1bd851e9facaa80

SHA256
637d37e5a2490ab6f0d2f35cc3e0f5b82aa694205a455130083895c150f1a10a

SHA512
2f2948d56690ef173891c4aeeca56cbf4f5d3ccb2fd2d0e36fe62c3d31daf146d640e79fb481229219b459545f5cd4544ae4f6e58203be3e61cea0b4724c4369

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
62KB

MD5
24ab418ed01e04b7ca9c7488080aa091

SHA1
b2f2dadc8667b0414a85734cb0a7b17f6bdd0df4

SHA256
2b8694bc140d8df013a98bbd09996e59012a1f194ba076a62aa3b3ec82237e9e

SHA512
e5024ee0d0e5cdcc3f953e626b7a4ca39888572a2581e6755f783432ee64eef52fb4656ac3e1b53a8cc41964050cfc8cfa073ad413a51dcbb77d5079be19c862

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
62KB

MD5
8eb25d331f50deec9fcf6100d59d8db1

SHA1
226842fa03b95f4e499789d0dd5387ad9ad4be79

SHA256
7d068c5218d80259bf9fdd971820dd5b1723de86d2f4854de59d73c4673f7a6f

SHA512
0a77f57f43c88ae1caa95374762b353300c52ab8ba323286d8ae9499492e31b549184c6c35946e5ff023e2e050b1b9258257ec91c1a4dad1633e1aec8c10957c

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
62KB

MD5
c217834574c0e4d73bc681f7bbc269ea

SHA1
18f344be4a5ed1648107395ec9be69039fe20417

SHA256
91e6bf98b489f9bc96c683d2f008d38a6aa900f6ed022cd6a2115e9641da03e5

SHA512
cdf212d29a7b69dd8f4da9afc23ed60a31b6c904f5ed26b95ba7de49510637d36e8563becc05bf03d3b0d8ba9d4e4617c8ab728c436e215b39480f11aa7aab2b

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
62KB

MD5
c6648f386edf9cd04fb8995761bf6ab0

SHA1
7736c2e4d4f00707703e2dbf40bb804c2cc0939a

SHA256
37f60e240cbab7dc7e2944f5cc5574ada0bca32b005682aa8c67315512e4d4f4

SHA512
2a2a05423e81e39c8bf0dc184391fc4f57f8715243f2d71ecb2f539f16883c7dc9218807f831feac911bfb406d627ef97de44a952ac76b3bb9c732eeebe56f88

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
62KB

MD5
2a4f133e1b32e6246661482ea3349750

SHA1
5f15bf6cec043b4eec49976923a15f60d167273d

SHA256
bf4b22524fdfcb9ac99e0027fc09616e5d6a68f2b73e468b7d59573102f19e89

SHA512
1a6f9dacd925ee6ff019689b2cb5059b9f2fddee389ce08052cf2a49ba6e9448692b170fad057ab1492d61248c2505f5b8638de1445918e07a456f2388769240

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
62KB

MD5
ba63ccda2a8c31be493b7d1611cc2ef1

SHA1
c49c518622c904968c19e0660e31a89d5d817d58

SHA256
6707e541e1abde3bb5a90b758a5e5cd094a4fdf218cd58f00ca182a7d3690918

SHA512
622714f3a4e10c56ccc59e7fef7671427c09299ec4b21f97c0fda3f574bcc89603b3f89a9bd0debb863c426cc67fb1ede2bb67055430b6a9987f9c5da93d1775

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
62KB

MD5
b88c2fd61f6298816ad9a4eae164187f

SHA1
9f99d38f54e3f80f544d84596c7e5714a15fd2ec

SHA256
3a08d00fe3c738fab49d7f329fc9e3fd49867276532a772211900d82c9e5b763

SHA512
0053f04ece2fa4d62bb2527cd43bd3ded15882a4713ffae2a80810831f863a3d70062b234b67c776d2c5ca9536cfc9afde5626178cbb872aabfbee042681d6ba

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
62KB

MD5
1404c0575e483315edae84160e1d2777

SHA1
dcdd31422c48a2d40b86586653e9f02c516a4e9b

SHA256
bafe4bac93455e6707a5384866f097bf2956c3bd895027af9b8295502a4d5417

SHA512
b3c5582f781c04e35e93b36dff18b3623175c6f2db0dd264544b4faea6746a4c242bebfc82acc4f40102fe412dcc276c07ead534ea3866153f20a854c7f46dac

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
62KB

MD5
79d2eeeee69413c482179e85ab9180d6

SHA1
5983b57a50633f526925203f9c283834ca04caf6

SHA256
d6c4f7a8a9bd25c2928062ead0a2155c35c5adff758177d3b2044898de11abcc

SHA512
51092255181a0e90f9b395d9427442266bc50bbe05e49f963340a74f1551983084e6ccd8b286d3e204f88a91cf72f51fbe8e743c80735f8567e0e59193e4b5cd

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
62KB

MD5
6633a9c6277f2db5f28b60e82d545812

SHA1
c2bb917d95fa37a51a7fa61d758089bd359b064e

SHA256
db3067b82a4e4f25cac86403157f543337d70d1af0a0a1b14bf9f24430e74edc

SHA512
7b1a6fcad38c84e776a1b1cc62edc8b139c435d5df6c78cade7ff0972ea2e33a8ffb3c6b773a29a6b1627e43f5b4e436bb4ebc7c184597de0c6722b69e78bb13

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
62KB

MD5
3ddadfb7dcf0cb7a2c82bcf00076868e

SHA1
8bc68d08dd1c84a4ec82299940ffe2f119d324a8

SHA256
90e9fa84a7d381d982bae544c4813dc5483a3450a1421ca901720503bf5ae88a

SHA512
736fb997c99c4808ddf7a57dff34f108589623819bcaee609043a9a70404e32771134802c80d1935dbe5be421e29a7774b58e5ec81df6fba6c4c701001c4326e

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
62KB

MD5
76fd0ef9c8d4678ebe4d4ec1a7e90410

SHA1
217f113d923f1d4ada50ff0793d6d4647da4fdaf

SHA256
43c32f5bb1513d9468786403dbf208d5802ed0102bd7b48fbcade4018adad96b

SHA512
9ca9cc8b526b4960ad56ea88cf95568245cd39fb9f6001383f6864ecf552bee155fd6b439457e3ccd677ed7050d3ba71cef85860efe95ffe5c1f9e20564cc094

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
62KB

MD5
3bd27c780cc67f5204e753719c15f615

SHA1
97497351f51e1a92c10c9cd788cbc0d7e6c04c60

SHA256
7fc3dc0fd72134823f7c3bea9ac65fbbf9407a9864e9a4c73f5951560530533c

SHA512
6c483f524efd06f5ed2c21eaf3f258f94ec452af14cf990bba08ac686ff74f98a81c431fff447b3762abbd148106dcc92d91eb537ef684d22290f6bda1dc4b3b

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
62KB

MD5
221611784390890f004826d3cf3b67e6

SHA1
5c931c9ed00f3b2cd30991be0daf1eabe2193ed2

SHA256
7316ac2f9e411ca8d5c8312c6bd562cb4c01eb5cec2bd98be1a42891ddd72180

SHA512
7002e135c7df56266e518cdb84e8e8cefd491c8ea4925ac3c90febc9d88c3d41ad06293151c3153d9f8f8e3e090357819f2c0371d9981ec0cbb7fea8e4de3d6f

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
62KB

MD5
74389aff1144429b4df39e5581d8f1b7

SHA1
b376bd85969dd92f480b180e10feb0c799b85138

SHA256
271f25f95f55886bb3fcb3b35a7eb6007c12b876cb4ad3fcc21996f52a11390d

SHA512
a15747a5048d835680dfe151ad7a40ba5a0594f8ede14aebf954be847c590a1342422d6e437edbd4a8b924f6887662a969d0630a3af0e0c87f97cc9d8602fb8d

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
62KB

MD5
0ea5d7939d7fe91b7211fe56ac152b9f

SHA1
7ed1c7e2aaa0813a4983ac21907dbad8c196bf41

SHA256
6a8d4fded01f76634d6b5fea651a13739accbd942b55f2c731994f0794209f4d

SHA512
d85d5eecf6b41ee639dbba1f01edc9f57fb69a409d5996f291daaf02394f8e82d6cc1cb9d1714bbcfb9475babb5dd1400896264c7595024af7d210d4f4b0986c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
62KB

MD5
703571ce131e8257fe7ab007adef8e78

SHA1
305aa0877948520f8af0b693596c20b75ae4eb3f

SHA256
a619e8251f5fa203122ffde6e4b574cad3f60facc01e4a654e4b72b80b5facdc

SHA512
abb8f364539c44ac65af0e52babbf543044a87c636743a6a6c8246354c27c6065cbf5f856e7f1d17b69adda3ebfba76df15c5fc2814a288f28dd8ba795af28e3

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
62KB

MD5
cb8b570fb07f3408ebef3e829362064f

SHA1
964a72a77158da2016a2401693ef0abcf7048b6b

SHA256
70904ca5e62e746e3b1cefec18d8bc2e75def384140f9de1f90d47d8db92072c

SHA512
dbe63e10bc1eeff34100c95527c9d90dfa7df5feba89342bbce01a1661173dd49e022ecb8b345db9a4bfe60cad822b7ef45edb24393f2230c3d95930cccf2381

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
62KB

MD5
58945ec60aebe35f53c403e378f2b9c4

SHA1
b67936b63d9b31fcb00a80c7838a64e8ff18f00d

SHA256
7086b5bc5be90d6699d0166b3ddad1dc7f62158a9b00b2fc3f99e6d7a2f2431a

SHA512
88742aa5fdc083c6d062c110027fa9d6e26a5ea714cc0a9d812b45f298cde5043919481d3075fcde9aeab0d2d3ea9af734870d04586e805b34eeed89b221e10e

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
62KB

MD5
c1d5b1497c20c929d9509c606e0cbf7a

SHA1
b0f1fc8d3d2b8ba9bec337fcf1b85d9355348cf3

SHA256
d681047b4348909c87f653be32e8e55dceacfef73b42c96fe78f6d8002c0661e

SHA512
e2475b5c8d3d05fc11c77e6523b5eeaa33126f3d347128371f9100b2df29b210a79681e378f679f2f21b265660f2b6a58221bbff34ff8f967340cd72e802725f

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
62KB

MD5
ff7489fd293cd52760c9a792abd44fea

SHA1
ee3fcb4cabc0152260cb4286d5ac268a251807ce

SHA256
e2160dbc82128a8426a30cedcd09f72cf6b76f52365524d1ff7f72484f884688

SHA512
3add2212b363dd7ce2add0bd47be20ee2d8518390e639669aaa6a016cfb1734464b4aecd5a0dfa06c884faddee7a1b089e8a616bc9efeb4de8735888f9a21536

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
62KB

MD5
773fc26fc122082a803eb693e80f73be

SHA1
75b38e5c9cd8eaef66cb34f2aaa18b91035ffabc

SHA256
a69a1336a38b23d4d4f77576c8f7b8e0135ca8b26cc152cf48ce3d5eab9a03ad

SHA512
273dbb55d602efdaaeebf18c0502724d7b7a3851248bf6e5fe1fa1963e6033deb829a7b675a1b4c52e824f47c28d9e7993bc229e2a9a12afb86e49bee9a9f4b5

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
62KB

MD5
f603b4c0f7428c6a72458833988f7ffe

SHA1
413061cee97f2e75e0e93af212f603cab2ece1c3

SHA256
6e3794612f39e4aef429ef917fdaec90d3ee4dad159fa91df31c91dfb2c4f04a

SHA512
b0a67ef0e3f48a160c9d913e693cfa0c4c0f380a579e532e0505cc10bf725606bccc3aa65435cd07b10e1de8660d39ebf3b023b41f049023099daaf0f7c5cb55

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
62KB

MD5
8bde75b1e5ef3b354bc1519feb09f3d5

SHA1
6182fb07209b8097df28de61dfb527124e38f5af

SHA256
a8f6626b466b56b0d51648a2491ba7eee87196633020e7c7082d5d13644a2e25

SHA512
6b24e2c82c220fae6c03cd590a610961c6a900f3ae602cb530158bf6c6637d69782f79f0f6a7b0e7abd7ccda197431f2239b55017523fca34fad14c1cbcec6b6

Download Submit
memory/224-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/224-125-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/400-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/400-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/828-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/920-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/920-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-415-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1160-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1160-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1280-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1280-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1288-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1288-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1488-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1488-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1552-320-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2056-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2056-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2308-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2308-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2720-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2720-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2720-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-408-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3052-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3052-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3092-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3092-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3164-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3164-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3192-401-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3192-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3196-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3196-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3236-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3284-402-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3392-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3392-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3724-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3724-198-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3776-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3776-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3808-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4124-284-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4184-197-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4184-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4188-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4188-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4228-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4228-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4248-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4248-387-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4316-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4316-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4504-422-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4504-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4536-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4536-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4588-307-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4588-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4616-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4852-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4852-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4996-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4996-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5036-409-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5076-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5100-416-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads