2dd2534f96961a8fe068a531e10869d745a14b6a1e6c5a1eea713f65f01e4fe0

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a15e2435802a8045f12bc12d03f1ad0N.exe
Size

52KB
MD5

9a15e2435802a8045f12bc12d03f1ad0
SHA1

5cf71320400ac8a6b5e04f736f89f555ada9078b
SHA256

2dd2534f96961a8fe068a531e10869d745a14b6a1e6c5a1eea713f65f01e4fe0
SHA512

d30e8b4f4e4cd87f0f05994affbbd5f10cab6da5a343f05d838cba3ca1cd15dbc059fba9f65664c89250f05c25113eb698e3dd89f5c8cf9395a2e005e3794745
SSDEEP

768:AdqXY5mwCyryV7PadnEmEKjmV+mbMu/y9/1H5F/sSMABvKWe:q5eVLadnM+vua3zMAdKZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe

Executes dropped EXE 64 IoCs

pid	Process
3856	Opdghh32.exe
2508	Ognpebpj.exe
4356	Ojllan32.exe
3860	Oqfdnhfk.exe
3620	Ocdqjceo.exe
4336	Ofcmfodb.exe
4584	Onjegled.exe
2196	Olmeci32.exe
1484	Oddmdf32.exe
4724	Ofeilobp.exe
2092	Pnlaml32.exe
5108	Pqknig32.exe
1380	Pgefeajb.exe
2108	Pjcbbmif.exe
428	Pmannhhj.exe
3340	Pggbkagp.exe
2800	Pjeoglgc.exe
1688	Pnakhkol.exe
4036	Pdkcde32.exe
4896	Pgioqq32.exe
2584	Pncgmkmj.exe
3776	Pmfhig32.exe
2144	Pdmpje32.exe
1888	Pfolbmje.exe
4700	Pmidog32.exe
432	Pcbmka32.exe
4416	Pfaigm32.exe
396	Qmkadgpo.exe
3324	Qdbiedpa.exe
1812	Qfcfml32.exe
516	Qmmnjfnl.exe
1216	Qcgffqei.exe
3168	Ajanck32.exe
5016	Ampkof32.exe
2580	Aqkgpedc.exe
1944	Acjclpcf.exe
5020	Afhohlbj.exe
3432	Ajckij32.exe
1552	Aqncedbp.exe
4204	Agglboim.exe
1168	Anadoi32.exe
2264	Aeklkchg.exe
1432	Afmhck32.exe
2880	Andqdh32.exe
4504	Aabmqd32.exe
3556	Acqimo32.exe
3440	Afoeiklb.exe
4212	Anfmjhmd.exe
4440	Aminee32.exe
5032	Aepefb32.exe
5076	Bfabnjjp.exe
1968	Bmkjkd32.exe
4984	Bcebhoii.exe
2232	Bjokdipf.exe
3004	Bmngqdpj.exe
4564	Beeoaapl.exe
4624	Bchomn32.exe
3596	Bffkij32.exe
4816	Bjagjhnc.exe
524	Bnmcjg32.exe
2276	Balpgb32.exe
2292	Bcjlcn32.exe
4104	Bgehcmmm.exe
3984	Bfhhoi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6016	5924	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9a15e2435802a8045f12bc12d03f1ad0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3856	4792	9a15e2435802a8045f12bc12d03f1ad0N.exe	83
PID 4792 wrote to memory of 3856	4792	9a15e2435802a8045f12bc12d03f1ad0N.exe	83
PID 4792 wrote to memory of 3856	4792	9a15e2435802a8045f12bc12d03f1ad0N.exe	83
PID 3856 wrote to memory of 2508	3856	Opdghh32.exe	84
PID 3856 wrote to memory of 2508	3856	Opdghh32.exe	84
PID 3856 wrote to memory of 2508	3856	Opdghh32.exe	84
PID 2508 wrote to memory of 4356	2508	Ognpebpj.exe	85
PID 2508 wrote to memory of 4356	2508	Ognpebpj.exe	85
PID 2508 wrote to memory of 4356	2508	Ognpebpj.exe	85
PID 4356 wrote to memory of 3860	4356	Ojllan32.exe	86
PID 4356 wrote to memory of 3860	4356	Ojllan32.exe	86
PID 4356 wrote to memory of 3860	4356	Ojllan32.exe	86
PID 3860 wrote to memory of 3620	3860	Oqfdnhfk.exe	87
PID 3860 wrote to memory of 3620	3860	Oqfdnhfk.exe	87
PID 3860 wrote to memory of 3620	3860	Oqfdnhfk.exe	87
PID 3620 wrote to memory of 4336	3620	Ocdqjceo.exe	88
PID 3620 wrote to memory of 4336	3620	Ocdqjceo.exe	88
PID 3620 wrote to memory of 4336	3620	Ocdqjceo.exe	88
PID 4336 wrote to memory of 4584	4336	Ofcmfodb.exe	89
PID 4336 wrote to memory of 4584	4336	Ofcmfodb.exe	89
PID 4336 wrote to memory of 4584	4336	Ofcmfodb.exe	89
PID 4584 wrote to memory of 2196	4584	Onjegled.exe	90
PID 4584 wrote to memory of 2196	4584	Onjegled.exe	90
PID 4584 wrote to memory of 2196	4584	Onjegled.exe	90
PID 2196 wrote to memory of 1484	2196	Olmeci32.exe	92
PID 2196 wrote to memory of 1484	2196	Olmeci32.exe	92
PID 2196 wrote to memory of 1484	2196	Olmeci32.exe	92
PID 1484 wrote to memory of 4724	1484	Oddmdf32.exe	93
PID 1484 wrote to memory of 4724	1484	Oddmdf32.exe	93
PID 1484 wrote to memory of 4724	1484	Oddmdf32.exe	93
PID 4724 wrote to memory of 2092	4724	Ofeilobp.exe	94
PID 4724 wrote to memory of 2092	4724	Ofeilobp.exe	94
PID 4724 wrote to memory of 2092	4724	Ofeilobp.exe	94
PID 2092 wrote to memory of 5108	2092	Pnlaml32.exe	95
PID 2092 wrote to memory of 5108	2092	Pnlaml32.exe	95
PID 2092 wrote to memory of 5108	2092	Pnlaml32.exe	95
PID 5108 wrote to memory of 1380	5108	Pqknig32.exe	96
PID 5108 wrote to memory of 1380	5108	Pqknig32.exe	96
PID 5108 wrote to memory of 1380	5108	Pqknig32.exe	96
PID 1380 wrote to memory of 2108	1380	Pgefeajb.exe	98
PID 1380 wrote to memory of 2108	1380	Pgefeajb.exe	98
PID 1380 wrote to memory of 2108	1380	Pgefeajb.exe	98
PID 2108 wrote to memory of 428	2108	Pjcbbmif.exe	99
PID 2108 wrote to memory of 428	2108	Pjcbbmif.exe	99
PID 2108 wrote to memory of 428	2108	Pjcbbmif.exe	99
PID 428 wrote to memory of 3340	428	Pmannhhj.exe	100
PID 428 wrote to memory of 3340	428	Pmannhhj.exe	100
PID 428 wrote to memory of 3340	428	Pmannhhj.exe	100
PID 3340 wrote to memory of 2800	3340	Pggbkagp.exe	102
PID 3340 wrote to memory of 2800	3340	Pggbkagp.exe	102
PID 3340 wrote to memory of 2800	3340	Pggbkagp.exe	102
PID 2800 wrote to memory of 1688	2800	Pjeoglgc.exe	103
PID 2800 wrote to memory of 1688	2800	Pjeoglgc.exe	103
PID 2800 wrote to memory of 1688	2800	Pjeoglgc.exe	103
PID 1688 wrote to memory of 4036	1688	Pnakhkol.exe	104
PID 1688 wrote to memory of 4036	1688	Pnakhkol.exe	104
PID 1688 wrote to memory of 4036	1688	Pnakhkol.exe	104
PID 4036 wrote to memory of 4896	4036	Pdkcde32.exe	105
PID 4036 wrote to memory of 4896	4036	Pdkcde32.exe	105
PID 4036 wrote to memory of 4896	4036	Pdkcde32.exe	105
PID 4896 wrote to memory of 2584	4896	Pgioqq32.exe	106
PID 4896 wrote to memory of 2584	4896	Pgioqq32.exe	106
PID 4896 wrote to memory of 2584	4896	Pgioqq32.exe	106
PID 2584 wrote to memory of 3776	2584	Pncgmkmj.exe	107

C:\Users\Admin\AppData\Local\Temp\9a15e2435802a8045f12bc12d03f1ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\9a15e2435802a8045f12bc12d03f1ad0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\Opdghh32.exe
  C:\Windows\system32\Opdghh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\Ognpebpj.exe
    C:\Windows\system32\Ognpebpj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\Ojllan32.exe
      C:\Windows\system32\Ojllan32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3860
      - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        28⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        64⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        70⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1480
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        82⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        91⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        99⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        105⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 216
        107⤵
        Program crash
        
        PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5924 -ip 5924
1⤵
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
52KB

MD5
733ec5508fda4bdde6122bfaf7aa2b74

SHA1
739eccdd8489c6e972c954dd640f59fa5adb11ce

SHA256
aeff7e90afe3ccf00230c20a4ee08469dfd97f42728490ecb0255468a391bec4

SHA512
32921fc155343cad0a270aa1437c688f706d87463c23441e0a024a5eab8165df1d5d79b547d8a74434222a898cd15c99025e9a1a74500e30570b01a770410d40

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
52KB

MD5
4deaf7f3bd27214b2d65e424d944d2c6

SHA1
1a4429e4a2c9c8f5a184a2d7e1d43acf961418c3

SHA256
70d38d648c199d8ee20ff325962f9639895a59c381b7634d1f25363dbfe32a37

SHA512
ec8dea9bf4172f3e7e32cb1278e961212747d0b2d3190576d04f49414b7fbd882705ae22aa190e69d71b3c4878fd22631708ff2e43b697ce52a66d20e4a228a2

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
52KB

MD5
1a03bf71209a96fa9610dd9ced36781f

SHA1
1d1f47eacdf976b995a7ef867ab983adc7b238d1

SHA256
d1df332045a4857a4b59ea1e891438e566456ed9d4ca23e08645321301501e4a

SHA512
ea4b4de21ab75119920a3e9ac59ec96294a058c03f57ea07c9dadae43ba50022dbfaca435599157e8b581933b6b92f99fe9543ad7b850b1641b83094565a90c6

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
52KB

MD5
5ad8f7d69f6c8f36ecc2014af85d2bab

SHA1
76b75ab17a6f8efb6677aa511776d7a07567fd1f

SHA256
3506a4600570a6ff846a27ef8481e3319649c32e90dad4ed36430fc295e6f22c

SHA512
670b2cfff62179016dfd58de1cd4e6e94231f2737747237cd6ed0728c705559557fd533153b28cbfbcf52586daa2e5da6b46077c8960a96ea950946741852463

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
52KB

MD5
e957b2e005c43029e42d53f41cf72517

SHA1
7a6bfad7550fee4e8a9dc3638b5e17f14e341fca

SHA256
af001195fd0ea21cd0d74e8a86faba0025d306aa616f5376bbaea39296a1d27e

SHA512
3f29e59ad19aec0cc7a29042dfa1bb0fdfdc989815caaab0d6e32d99a9649485234a413f4201adca943be14800808a541d5cdbba4714059488640e3b56d924c9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
52KB

MD5
e608929dd3a10a217e8556f01fd14e08

SHA1
bba0880b3b596cba4fc11285f4bed2eccebe4692

SHA256
02f9b0e15d6f055ccd52783299bcd2e2cf5aa184ec8e57faa538f83ef521f421

SHA512
0c30061e3520cea5d26c1e447d313da1e7d8367d2f8b47c58b801da2f4281a1aaf6c39aa843ffc05bedeadfdb92f6f54fb8d4837e3b819fc2a6a8d29feed11df

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
52KB

MD5
ac130503371883df71b2311e0ebf5123

SHA1
a275267acfcfef8a4bc8636d22dbdc595e57c3ad

SHA256
ded0ac3f65ed9169fa03cf33d76fb09545a24951e612063d242d42624efe3d0a

SHA512
13716f9b2da1f2e2bff1b12fa3ce00616bd15841846785e710ca26302296cc1c77a1572d38a9156e1c1841d574a1bb2c6397d03d002d0d1cc44bdf2fba2e4567

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
52KB

MD5
502f189e0b5ea93edc58da92fec7dd3a

SHA1
81e1c0f88234d33f16300b83453959e2080c40fe

SHA256
209921542bd3c3cb209e5f2c218447898c04d1bbd666cdef6e8ed04b75fba149

SHA512
fa199921fc3e81eb4ef726da5246534990ed7a45841929fefbd52a4222660240a57963de433326a8f1fe2d946c756cf24abe5cf6b1bd1962852fd66721b8ba52

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
52KB

MD5
d359433916d086650478c83f6c353f07

SHA1
ea66764eed0f8fc9b2adb96f005e312cef87353a

SHA256
b63e56eb867a5586c2d4047dba88b532fa2196f7d483e6caff5cd6b0c3e01712

SHA512
ad9d141e1d695fd352fb83cea8641d3a7fe5f29f0e9ec9d270ce7cf63353a35af8ea48ee38e83f308b24816700099a7700d417cfcef99c7d1063c83ae98ff782

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
52KB

MD5
f1ae1477b0f633f68377a46e78a9612f

SHA1
b7240b2a64705d66329b01406af1fcc6a74718c2

SHA256
3d0197b69ffb65c9e15363ecde08cc8ac6b3925f39e44abcf425414d5632b12a

SHA512
85b90d87fa08e4a3b8a632f7bf8c97eb7fd593bc6fbd5f23370a78283667ec751ae12680b565c1eb28d8fc873fabb11aa0e457b943079481d7323032a62c37ce

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
52KB

MD5
aa8b333234c97c7ef491f297754f7563

SHA1
5e1ebb33a462b021b8e4680f9311e4af86af1884

SHA256
d5385b5602d1d06771f7adeec38d192825033b816f6b0be088e5301cb27e7da4

SHA512
d8729b456ed7ef8e0a2062dc303a36d904923e943a8e328680081d7a3b2ec03547c96670e2f6b7992b08c0bf2f611fde3e78006a10692ce9e06ef6d8872a6bda

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
52KB

MD5
5b6ff469f58c772a8f071ac1b151771e

SHA1
85bfe74dd006d3982a90d8f48cce5f875838cb5e

SHA256
7bd2841a6bcff7ab90ef78cad2cefdae0dd2b82342da6f3903e87464f03f7e83

SHA512
6b0d671e07c6c2732360537bc8475e088f3676ed7a90ec511e5c746bc32a3089d332ebd49ec09fda37300b7681c95c8abd5ce75e47dff5fe70f6ba0da7fce389

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
52KB

MD5
a510055b69e846797f822ec0aae980fe

SHA1
db49ce4541a4ac1fb7a77f017fce9a0fb03410b4

SHA256
f8c26f9ab8b339bd7e169b92a5d4b5a71a73b5a6110e6c96fc611795ad9880c5

SHA512
611f6e60a1aabbb1d41af8e95ca90342c7c0cdeea3926035ae1e4c2c9e5063e68e294661b4177940115c443a21f8acc82ae633130887c0256c06ec8c82c0f25b

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
52KB

MD5
745d4a54287beedc66e55a3d6b876d5c

SHA1
22d37ff6facdb4b6e7d5357d13592d9f1cdac59f

SHA256
cd90741a193f4f0a0ad7b89a5325b84444d6b78af678eec0c19a1096e753a04e

SHA512
8e3af1faed2f9d83131d297e06b51d067c29c64ae35ce31d317f13a933f6054c569d1d239740b310d56965184388dea0e04986c32fe681086d1b5c61b5fcef60

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
52KB

MD5
3225f207b1a5fe63720fbddad5fc890a

SHA1
1292a2d23015f2d50254fa846fb91e75a234ba4f

SHA256
492990e948aba5d255d1b6b39ddbd40d0ff63373e09758c0cc11fea7ec47ac81

SHA512
d02b9641f22e26fd2d894622197e549c671dc332231f0983ef7852da667354bd7c9f4242724f5b2363c13ca83b92412fa292d27bc48b5335f7e2c4df0a91adf4

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
52KB

MD5
a9cd4945781c2c9e3f9bcdd31a17693b

SHA1
8211c8a931fbc02eca1af92ec6c482407d871f1b

SHA256
6133b835e46d1ed080f5db679ba8f8bf0ca40187173cdc425d8f7c42b79747ed

SHA512
fa86be62f61e6f37ce49e67afa1878d13956191873082d7a12df7808a5baf87e7cbfb37a36c6d9d5df2a8e2254d42610814da96241fa6f867525426bbde3e53e

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
52KB

MD5
dbe048706de2f64d815632dcd8b059ca

SHA1
f86198d0c9a4eda8a99bc9f0e88b2b9d7b509ec9

SHA256
792d2fe991fd0f69e00d98158095d3c274a7d71514e787ed155434eb6921c7cb

SHA512
e981cbee8d633b9457834806a92ef1207eb2af52bad091eb29082ad3ea07be7505a0a4d8db1e241e877137f9d04ed217c19edb420e3128362bb71779ea696f7b

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
52KB

MD5
7e5e1a9bf74c83f1820acc28030b3008

SHA1
0e207584e56d54052cc3ad536bbd0c4c20f2f003

SHA256
258f2792564b585f7212c28292e6f4839f6481c64906cb73e042b0e3f83213b2

SHA512
463908a6a797c90a538e188ba7dc6576afd50291ad6d4626a7917e2d3ad71a2546e0dabef42ef6cd73ceb68111738dcf6720065a48452707bbcc5333d7182c43

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
52KB

MD5
b51699e34b692ce59b847536a74bc61b

SHA1
c15281dc9086fa945102be3a07465fc1024366f1

SHA256
b847b18218c4a0ecdf1dd133b0186a8109cd0672565271ef2c1c5863f618a6a3

SHA512
585cdee8dbb05d956aae74b0d01c8c26b81ce2adb9dc57892a91554ac0bfcd128fc7a8dd1258c53d24f4fa1aacae3ee1063fbed87223dcd4da2d2b736be1592a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
52KB

MD5
022d02ded548da68375112cc2a689069

SHA1
328c588cee7400e418e8b20f0d7651e1ae3730bf

SHA256
6f8d0f54047a685b16265b26dda9bd27a5c061b074dc4307799231ea13396e78

SHA512
158f408629b95aa7d74a3c647811a0220443d77fd5c1cb3e160478837927419f240a3990acb2f211c815283fb9d3f6f387fe198bd81818bad863abbd04eb9b58

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
52KB

MD5
262b0c23eb3f8448feba00c3b61e3a7b

SHA1
ba77107eeaa3376d628e803d03b2dfa4fa3200fc

SHA256
b84c1fa2ab74bc1400db1175aac61521213ac2c3775e2e173daa4cbef44e8ef9

SHA512
f2ceafce4efabf38d16a569b9e6f9f1389a2c481d42c041d55261794538553589beb641f3ea6c0b60b223e5e4b149218d874d7285bb50b11404087edd8573a9f

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
52KB

MD5
e621d5eea2e5d7f0ac0447c02a1f88ae

SHA1
9e0c5917dd18a92d185801c4eb9b93ae8ba1c6d2

SHA256
8ff3cdae3718c7ee265de4fed0c5bb31cafb2c63c1c877bf44e17c5f5e363fa1

SHA512
6730c23ebfaac7aff97e6ea7b6e4202aa82b4e8b0bc3bfe6ac5cd7ac33514bd7e25668adfe27652baae4f621770beaf96c48d189fdbe9cc3383ffc5e1e47f8ad

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
52KB

MD5
7134b934be7e8e0638a48b7fb8731292

SHA1
b273ae2bc4d503c0e51417aff8f6b10a3d885dad

SHA256
3dd4c181e7f270a4886344c151e1e5ab8912c43a31108bcefea17bb718c9755e

SHA512
801a86dcd40fb7c7b68818f84184281e3763f193a2349d23c8e4a6de6f1781abcf301e3f3911093aa6158ae54ae43417178cfeb2781c5dcf40e305a4aa4b03f9

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
52KB

MD5
139b854fc18b8e3051beeddd96ae3131

SHA1
aa227bb117a49b980816ef7590806e7018629275

SHA256
cf550325bb036f3f57b8edca471fa1f5ef8508797aad1d8c2bd10d63499f8c54

SHA512
e6d57996bd1774a94805c13f5bf2f1f25c99b3fd3b69e0c6698fa22458eb7c554ea4804442b2c792d6052cdcaf2c3f59bba9889f9ee83e49c49ca4fc620a74b4

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
52KB

MD5
c9875e3b8afed32db70c84d9b9d41245

SHA1
577786a20272b0d5f9899c6e0cc51bcf070357ad

SHA256
b64d6a8aba09165c67e24d6ace700642e0b07c733ea22de2a24cf79735cd6e8e

SHA512
b5a45d1c41e89029c6cd5e60b1b171187ca60a22ae585fe71fc60fff1f15cd8f1dbd61a17e1d2a3a880045d9ed850038fa5fe3db4f6ff1826f4e9a9d08dcf107

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
52KB

MD5
1943853f1ec2bdab264b7e8d523a182b

SHA1
fa8cbb7abdd4a9fde0032a6502f621bc71331fcb

SHA256
6a462e737e51de75c5da9bec0a59a8e81f91a254770c72d4fb575e6c5fb0083b

SHA512
f2d44a31fc35624715fe2d7dadf021703b495ec4693f555d4d1437689bdd09c0063ce8b0f1c8c1e33341b7470505fd0308d66c6dc3ca03eef22e46560dfcfdf5

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
52KB

MD5
ffd52bd0ec995ddafed41aeaebebb2a4

SHA1
6e782045eef19b58c2903c86e428dba227ccc3fa

SHA256
8a29855dd7dc5498c35f993114a72922371a76a61147f221354249ead0e9f07f

SHA512
3c6a62863339734e22c50271459d888b146ce3bd315b086d6716b3b413b57f2f1db193403cd3161bd75d7a61129b8970a48125362308c0994a1121dae280b0ea

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
52KB

MD5
725d0beddffd226ae0a5f76f69b898ad

SHA1
5aadcd9956ed8e55a812888bef73368128c72901

SHA256
07960569febbd2c8f449eac694892728dd079049516de3cc932f10ec9c2596a8

SHA512
3912415cfe66b126e11c9a2449f0f5981c218c1749a2bab81827023cba2e6cb518b7f2dee50f46a1f144191ea83e2d272ae23fcfc1d6c01dfd3c9184f72daf6b

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
52KB

MD5
1b6e12065aec057c5dacfe9dae6061c0

SHA1
f17ed928aaa043795eee1dd8df2d14dc34997877

SHA256
9fafb756221a8f06367abfc9c8b4e1493a641dbaf895cde117c7f7cad5713b8b

SHA512
4ac868483b5514b1f808be92a0a9a02eae0d7b314a69afd1764e807392a76b6186cebd67f6bc44b8f3263facbad251a5adb498e5cd633288578e6a34e778f577

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
52KB

MD5
2890494df931d214d01ec205be2038e7

SHA1
2f2cea9c54b918ec5ed60788907ff357f70bdf96

SHA256
b9bccd22356800d97ac8e8cfd1beb1ca6551809877377d5ebebc637960cbf2c7

SHA512
8929ddf611b37f9e003d7cdd6392c4edb80782a8cacbc8142c05567f6ed8eaa4321363ffba5bc4194efeab1a707cb07fa3874b96f3b19f117fb61f6d8ae5c4f1

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
52KB

MD5
054066a2351d64fc49b39abbfe84f291

SHA1
9019854e032ec4e3df1776b5f404d3e0f09e74b0

SHA256
f5fa659071cc629faeddcaf6987da0b15354543e2c58dc370329f93299575683

SHA512
d8df555cbb701f95f5ec51731c3962379c9ec89df7a08b572865cd27600c6909d457a7390a6be33dd5c7661793493b3baad089f62e62bf8464aa61e1db4a549b

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
52KB

MD5
b57cc5ea39e2ddf03521c76892e82b90

SHA1
64ea907fc957291c7a29e585160c793e114606ab

SHA256
ab445902d0497cf50669cae68d173d2b92719ceb46bfee21a9f118e3181b8b33

SHA512
21a3cbbbe44c46ccd3e0cd176ecd4b733b6b8c9440d551d9b8fc4400826ddbdbbd06737f71fc49a01b5c2259d86e9a95c67ccdedcb6b740f69b65b5d742c71cc

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
52KB

MD5
5154925df2f27d9ced1615f042e6fb37

SHA1
2034132d4e1b27d81c7cbafc1df3913399962676

SHA256
624433c5dff772e79e39557f06978af21a8616eb8e6cd1f496dd121f2ac0c106

SHA512
ec037822f2fb82e2a5ab31fc17da166f6c8b6b83789a5cc21ade895a11af5621c07514355fba50869bbf22f16d64fc851f88fa1983aaa9c4905dd8e6648827ce

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
52KB

MD5
c06742bf99d3750b34cfa4487f0bcc45

SHA1
03407d812e5ff020753770538c9a4bff3901118d

SHA256
ed52599b0d2728f92008b0b2f7b14e880bbb160ffe171130dc8fab08b07c5872

SHA512
7a56173c3d193aa25fa82aaa280c9473d291d92ec584e234d8796b5153763e2f4f5965a57d2ea044196622306d61a63b0da4191530376e224d08c8d419e5b4dc

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
52KB

MD5
c7369f33f171bd04d2f6672157e8da22

SHA1
f759bb79bff125d48a3d2371c518746d343d9997

SHA256
23983b42da5e97ae00d8d910f9a48ec318d219bee20d740b6f41dad321841a1b

SHA512
66aec85f84d0e425896e6bef0be74319b2e927510d2bbb777374cec76f89400b935123d88eda970fb1c5a9af499913fdc3dc955beea550ec289c8e719a9b19da

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
52KB

MD5
48057704444a324a521be2fec337c23c

SHA1
f6a383670f63bce39f8a8ee9f7fc420b6b6f16fd

SHA256
37780e9a09021830dbe8bc7dd8a1c9da2d5a7cf736a0d5bc38c99e1006103a1f

SHA512
57bbc6e8e3af7dd19054f2bd0bef62600c9dfe5f4c13ef7dd733025552632be3963e72bf8706c8e0a5588e0761b7117028053bbf4384084ac6a65519cd236a1a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
52KB

MD5
356b7139ab2fb811c2be3547c440dd4b

SHA1
c755fa37125b9fd938ec849d66c196047efd8e36

SHA256
d95f823beb6e3a106a5ca1375b269335708b6dc2b0b5fd66fd818a3729a2e8d4

SHA512
473a804280eeaac08de37eb9e490ac20fdc91eeb6075f42a978c646503a39782a25ba1d671686d3e6b161d60fc674103d8e533ccdef6e703b7f286a1dca9aa7c

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
52KB

MD5
cce0de612a9badc1da5cf453711f8104

SHA1
018c5889e60f554fd3eeb268ed7019b566c0b6f3

SHA256
81372cc3e81df587ac56e70dba6adb4329c8a48ecc3c1bd02c24808d2042f6a8

SHA512
6c1257d462de772d1d8f677c5804d1e8e0112bf4ca565607a9bb9eb2f0671a4ff919ee1fa5254dedbeaf061722edbcf6532fe39fc17701c73232f8411a88d8e0

Download Submit
memory/396-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1944-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-93-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-117-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads