a4e4ce3e4630e21e7bcd73e9e46808ac6f60765c622e177a46b9283640580e21

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d00123efaf6aaf61311c14913daa2320N.exe
Size

390KB
MD5

d00123efaf6aaf61311c14913daa2320
SHA1

5158ffeec3a1edeefcc37bee703dd3319c956ac1
SHA256

a4e4ce3e4630e21e7bcd73e9e46808ac6f60765c622e177a46b9283640580e21
SHA512

4f207d0ebd13612dfbab88f16a0ccac950f481e715d5e3d38f119a6f202816de1043a2963f0cdb28c3de03826d543afe469a268a63ef5d1e1684dde6d564722a
SSDEEP

6144:Gi1uLMvYk6W1s66b+X0RjtdgOPAUvgkNRgdgOPAUvgkG:1QLUR6SUngEiM2gEif

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d00123efaf6aaf61311c14913daa2320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe

Executes dropped EXE 64 IoCs

pid	Process
4832	Ofqpqo32.exe
1740	Onhhamgg.exe
4324	Ogpmjb32.exe
3108	Ojoign32.exe
892	Oddmdf32.exe
5000	Ofeilobp.exe
3944	Pnonbk32.exe
4636	Pggbkagp.exe
5016	Pnakhkol.exe
5060	Pgioqq32.exe
2956	Pmfhig32.exe
4228	Pgllfp32.exe
3552	Pfolbmje.exe
3432	Pnfdcjkg.exe
2728	Pjmehkqk.exe
4248	Qfcfml32.exe
5056	Qqijje32.exe
2244	Qddfkd32.exe
4196	Aqkgpedc.exe
1832	Afhohlbj.exe
4256	Anogiicl.exe
536	Ajfhnjhq.exe
796	Anadoi32.exe
3768	Aqppkd32.exe
3104	Acnlgp32.exe
4864	Afmhck32.exe
2208	Andqdh32.exe
4416	Acqimo32.exe
668	Aglemn32.exe
3860	Afoeiklb.exe
3932	Anfmjhmd.exe
3076	Aadifclh.exe
2828	Aepefb32.exe
2548	Accfbokl.exe
4724	Bfabnjjp.exe
5028	Bjmnoi32.exe
5048	Bmkjkd32.exe
1944	Bebblb32.exe
5020	Bcebhoii.exe
4900	Bfdodjhm.exe
368	Bjokdipf.exe
4624	Bmngqdpj.exe
3228	Beeoaapl.exe
2372	Bchomn32.exe
4704	Bffkij32.exe
1432	Bjagjhnc.exe
732	Bmpcfdmg.exe
4976	Beglgani.exe
3040	Bcjlcn32.exe
4212	Bfhhoi32.exe
4436	Bnpppgdj.exe
1984	Bmbplc32.exe
864	Beihma32.exe
2320	Bhhdil32.exe
1484	Bfkedibe.exe
4972	Bnbmefbg.exe
3080	Bapiabak.exe
2044	Bcoenmao.exe
4800	Cfmajipb.exe
3856	Cndikf32.exe
1688	Cabfga32.exe
3512	Cfpnph32.exe
60	Cnffqf32.exe
4504	Cdcoim32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	d00123efaf6aaf61311c14913daa2320N.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5172	3312	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d00123efaf6aaf61311c14913daa2320N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d00123efaf6aaf61311c14913daa2320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d00123efaf6aaf61311c14913daa2320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4832	4776	d00123efaf6aaf61311c14913daa2320N.exe	83
PID 4776 wrote to memory of 4832	4776	d00123efaf6aaf61311c14913daa2320N.exe	83
PID 4776 wrote to memory of 4832	4776	d00123efaf6aaf61311c14913daa2320N.exe	83
PID 4832 wrote to memory of 1740	4832	Ofqpqo32.exe	84
PID 4832 wrote to memory of 1740	4832	Ofqpqo32.exe	84
PID 4832 wrote to memory of 1740	4832	Ofqpqo32.exe	84
PID 1740 wrote to memory of 4324	1740	Onhhamgg.exe	85
PID 1740 wrote to memory of 4324	1740	Onhhamgg.exe	85
PID 1740 wrote to memory of 4324	1740	Onhhamgg.exe	85
PID 4324 wrote to memory of 3108	4324	Ogpmjb32.exe	86
PID 4324 wrote to memory of 3108	4324	Ogpmjb32.exe	86
PID 4324 wrote to memory of 3108	4324	Ogpmjb32.exe	86
PID 3108 wrote to memory of 892	3108	Ojoign32.exe	87
PID 3108 wrote to memory of 892	3108	Ojoign32.exe	87
PID 3108 wrote to memory of 892	3108	Ojoign32.exe	87
PID 892 wrote to memory of 5000	892	Oddmdf32.exe	88
PID 892 wrote to memory of 5000	892	Oddmdf32.exe	88
PID 892 wrote to memory of 5000	892	Oddmdf32.exe	88
PID 5000 wrote to memory of 3944	5000	Ofeilobp.exe	91
PID 5000 wrote to memory of 3944	5000	Ofeilobp.exe	91
PID 5000 wrote to memory of 3944	5000	Ofeilobp.exe	91
PID 3944 wrote to memory of 4636	3944	Pnonbk32.exe	93
PID 3944 wrote to memory of 4636	3944	Pnonbk32.exe	93
PID 3944 wrote to memory of 4636	3944	Pnonbk32.exe	93
PID 4636 wrote to memory of 5016	4636	Pggbkagp.exe	94
PID 4636 wrote to memory of 5016	4636	Pggbkagp.exe	94
PID 4636 wrote to memory of 5016	4636	Pggbkagp.exe	94
PID 5016 wrote to memory of 5060	5016	Pnakhkol.exe	95
PID 5016 wrote to memory of 5060	5016	Pnakhkol.exe	95
PID 5016 wrote to memory of 5060	5016	Pnakhkol.exe	95
PID 5060 wrote to memory of 2956	5060	Pgioqq32.exe	96
PID 5060 wrote to memory of 2956	5060	Pgioqq32.exe	96
PID 5060 wrote to memory of 2956	5060	Pgioqq32.exe	96
PID 2956 wrote to memory of 4228	2956	Pmfhig32.exe	97
PID 2956 wrote to memory of 4228	2956	Pmfhig32.exe	97
PID 2956 wrote to memory of 4228	2956	Pmfhig32.exe	97
PID 4228 wrote to memory of 3552	4228	Pgllfp32.exe	98
PID 4228 wrote to memory of 3552	4228	Pgllfp32.exe	98
PID 4228 wrote to memory of 3552	4228	Pgllfp32.exe	98
PID 3552 wrote to memory of 3432	3552	Pfolbmje.exe	99
PID 3552 wrote to memory of 3432	3552	Pfolbmje.exe	99
PID 3552 wrote to memory of 3432	3552	Pfolbmje.exe	99
PID 3432 wrote to memory of 2728	3432	Pnfdcjkg.exe	100
PID 3432 wrote to memory of 2728	3432	Pnfdcjkg.exe	100
PID 3432 wrote to memory of 2728	3432	Pnfdcjkg.exe	100
PID 2728 wrote to memory of 4248	2728	Pjmehkqk.exe	101
PID 2728 wrote to memory of 4248	2728	Pjmehkqk.exe	101
PID 2728 wrote to memory of 4248	2728	Pjmehkqk.exe	101
PID 4248 wrote to memory of 5056	4248	Qfcfml32.exe	102
PID 4248 wrote to memory of 5056	4248	Qfcfml32.exe	102
PID 4248 wrote to memory of 5056	4248	Qfcfml32.exe	102
PID 5056 wrote to memory of 2244	5056	Qqijje32.exe	103
PID 5056 wrote to memory of 2244	5056	Qqijje32.exe	103
PID 5056 wrote to memory of 2244	5056	Qqijje32.exe	103
PID 2244 wrote to memory of 4196	2244	Qddfkd32.exe	104
PID 2244 wrote to memory of 4196	2244	Qddfkd32.exe	104
PID 2244 wrote to memory of 4196	2244	Qddfkd32.exe	104
PID 4196 wrote to memory of 1832	4196	Aqkgpedc.exe	105
PID 4196 wrote to memory of 1832	4196	Aqkgpedc.exe	105
PID 4196 wrote to memory of 1832	4196	Aqkgpedc.exe	105
PID 1832 wrote to memory of 4256	1832	Afhohlbj.exe	106
PID 1832 wrote to memory of 4256	1832	Afhohlbj.exe	106
PID 1832 wrote to memory of 4256	1832	Afhohlbj.exe	106
PID 4256 wrote to memory of 536	4256	Anogiicl.exe	107

C:\Users\Admin\AppData\Local\Temp\d00123efaf6aaf61311c14913daa2320N.exe
"C:\Users\Admin\AppData\Local\Temp\d00123efaf6aaf61311c14913daa2320N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\Ofqpqo32.exe
  C:\Windows\system32\Ofqpqo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\Onhhamgg.exe
    C:\Windows\system32\Onhhamgg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\Ogpmjb32.exe
      C:\Windows\system32\Ogpmjb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        44⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        46⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        79⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 408
        89⤵
        Program crash
        
        PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3312 -ip 3312
1⤵
PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
390KB

MD5
70701477ed8feaf1f9699e64136cd12e

SHA1
3fc43155038a73a5bb6704c4731d9191d90e3ccd

SHA256
4c57627d0aa81a928f0c9dba44b04462eeb951915913a512314c0c04409c13b5

SHA512
92f055d84b76efbb0fb033e6db5e15166e354b90653096605f10bc94d80c003e0053fc77662818055b66b623a47ab6d7a3f572a0556b975fd5f9d21a03e4d8e2

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
390KB

MD5
0f4987d299e7f940204f3bb14f69a2dd

SHA1
7b9cdada8ff18accbfa363be99af4f9bf5a32a61

SHA256
f0dfe336bba579fe97bcb4d5cc21ad026490dd728b38d5f3f36df2d5dc64460e

SHA512
d80c8dab590f0c53abd39008e28edf95184ce80277da77de7a2f404a4ca5e2f7203006dbd1414e9241811db97c47c81c3a81aed05eab92449f554dcd150d35d0

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
390KB

MD5
a4c27cc6f019f8a0026622104d63ec27

SHA1
450340a17fc84ea024b2182e36df66b57d19c7ca

SHA256
9b4c652f379e3e4ffccc6b0cf14c1e74e4c2fc6525c2daeee460c7065ac30cd9

SHA512
d8ba62fca924ea8a415958ca0742123c97faa92c15eb243cddb57cf96360b0d85e4e6aa29a80de032864f26b1de87fb86e604ed662a609ae7152ee2aac21e906

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
390KB

MD5
abfb1c012a8be063d4065c91755ec19e

SHA1
5b9bb429cd00a6cbb6b810e1ce17069e749e4e4a

SHA256
83f0b35470294e5eb7770629d0f5fae55b3c8e600350a50135180b3e8f14dbf6

SHA512
6c780a2a7ad88efe5dc55f995b2d2a9a40c23cd8d4e0e79efd4ebddcc0e9ff0d85ea3b8fc197862aa1246d8d24c17c3d34e60b537cc30f6135e6415c3bf410e7

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
390KB

MD5
6c3b20d10032b7a4c6f8fb0669b53cd6

SHA1
f409d8113b22775cd3162b742c2f0c094d8daad6

SHA256
6f832708144c63efaebaf208c102db5d03ce3c53c8a12db87119448a86236108

SHA512
bacffaaa7405a59d385b418a004472738e5f02f240933eded319a5e26c98a5e44b5252b0701e5f476d00e4b87c5177f12168c54e5f8fca157a425e4e6eeecb74

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
390KB

MD5
bb8136c1df3b2eeae07fee7460424e34

SHA1
78ed5a197d5412085bb6f367b5acbb9fd111e09b

SHA256
743f19e0323f08ba4dbdcb77c6b8b3b8b451652557dfc6ad77f9f69e4ee6538b

SHA512
8ae5d98c9853da653e6d57c8a59f8d7c41126a9590baf666ae882f2e05f4e87a6397c52de42edf840bf60e007d91ef61af4d0b8eae1aeb6deb3218cb70da5084

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
390KB

MD5
bdf57c4c89d9964957d17e013bf28e9e

SHA1
2ceb7b6fa5d9970cdfe780b40d2101afa95fcce6

SHA256
d48b8b912022c8b337de8c3381a4a56a064c948c3b061a43c4d908e0af81419c

SHA512
652b5293ddaf7f14d0e7e6fa53c447fef77588d078bf138a9c97bda4ffd8a77d2f3c2020cc55f018a7268e967464a75cda1c6b019cc5ca01727c98686ce196e9

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
390KB

MD5
9600c545521edcb3fb0bf41740fc4f44

SHA1
f7ff9230e64229929d7e743b9ed28380f7e91542

SHA256
6c2d16748a73827956d5ad4270a1f7d999431bfdcaa6ff7ea10b671cee0756f3

SHA512
f3a54dfff7c7738e00da28d4453c092ac6ecddb364a25a9e20d6416f3a5022386f0a78e614a30f48d5ef4fe3f14b257cf4b5b0515453072c44ccf2a7290edfd8

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
390KB

MD5
d8439d8bbf6f0ba35778ad0a4183eb50

SHA1
57f405171f72281725215a0554804a5047c111dc

SHA256
97c28dea9ac4981bd7d8151f10d90c0f32c4868fc59ecd2af260fcff523d60a2

SHA512
1fa50e77ae94824fc2681f9ac66199e1c6e96c1106050d701fb8d8646dd140e93f1cbd6f8e8570b202e9cb5e675b95987712eefff35569b740d616f408800cb3

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
390KB

MD5
76027148474f00b2fb424e096116580f

SHA1
884759b95346931423e0b549d08d11013a084d34

SHA256
91b5048b12b6152f5365bea603818f8386b5420f8ff1f44274974c1b58f72d0b

SHA512
a1afe30183cda186168c3fd54434e2e1bb519d4dba70d3d8f3f5b6da77ab109364c3c27e556ddcbb83c6b95ecc72bdf24e1124ab5445da5d96a48d08cd64825e

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
390KB

MD5
260697ddf6b04d49798270beb7c1a7b9

SHA1
6203fe140fb184c1569048ad9b85762ca5ea2425

SHA256
13e4c6faedb5e187aaf6cfc04c743f11510992cd161fa2ade960df2959d4c9b1

SHA512
6eb81748e893c099f05acd5f0dad92263699e4144546d057d90e37d54bc1c0349d7c2c7efe534ec77bc6eed7eb416aff811ef4d84c7d34f986fdb0d67880007a

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
390KB

MD5
afd6f86f8787f7308a34502bcea76778

SHA1
8d53a96d49ea691ab51cf667b7d56a9116bd7a63

SHA256
ff1cd85b73b88fccd79fcef17241be1b751bdfaeccc4e501eacdf61e18fac2df

SHA512
dfc209d52fe222f3f604694ae255d9ef6e7b18d722f73c4be885f1515d5be612ff22dbb7ff848014b3088c76b02bcc6be48b00bc40e8bd8f7a93de8de57de098

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
390KB

MD5
7e7240a11b20087fabb4ba17a61a9cfa

SHA1
aacd649fe1bede3e7dc4739e533acd72f98ca201

SHA256
dbde4298c17473b41df59a53bc73947b38c29a9a82f394be3eb1a004e7bc2c03

SHA512
d9c2606358f8dbfe5be235741ffd20d0329cd423eaacd951a4906e4ade1cf04965be3db8754a6137ecf0a4717062828e472b15ddff6a626f9a87991fce0479c6

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
390KB

MD5
94650943222b52c94e4e6cb741583996

SHA1
beb7f44bb25ab0b9ba460f4844cab2b34086fd90

SHA256
d533063cfcf69e538016b5025fa11d66df0f65eb46402b1da9e34d54b24d73b3

SHA512
e7aa5807439b041228f785cdbfebdb247902f6ed1926cbfeae4415a87a9a1fbff06b9add269cdb96935f225da25b49ffbd747ef8dd48b9ccc9532e9bf4d04e44

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
390KB

MD5
cd34ad69a7556f12fd829a075ff31983

SHA1
2ba877684301e444a9a86125dd96f4b1bb654238

SHA256
5d8b901fdf88d9c7161530600155c0d9c36993ac3f4ade98098981b4dd542dab

SHA512
052ed2cd5a9f0c5a60a63a9ef677b9b3996c49aa371c7624224e6aa4a128f0aa6e8ee8972d61eb54fae3ed7091ce529a799297bba4afb4742f6f61edf9bb7f2f

Download Submit
C:\Windows\SysWOW64\Gmdkpdef.dll

Filesize
7KB

MD5
94179a1a92a299a2351a8c5153f9ea5b

SHA1
5717496724764191653f2532b507780c3f57fa6c

SHA256
7fc8f19c33d75cc040476ec6558197a3f1baf091b6afb68b669881bb05065297

SHA512
aeef4efd926547ebeb0dc45e1944fbaf23a98f253f74a22a6b0789bb14026a4d9e6d0a1bd149ac71be5498c333ab6b509ee284809b2ef16487ece31995805a43

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
390KB

MD5
86ebe0bf2caef816819f67a056302524

SHA1
9069664423bdf83cd4c93d2bc5fdd8d524778b9e

SHA256
56146ba8d7d76545789259d9eb2f3ce9465c46ce26e257b6d4415fa3c2d65d6e

SHA512
8a63ae633d7d0dfa6b52ab54120d1988f9b4d10fdf5c63a14f0a8ba3f44d458a2c94ffe2991abb4d458371f4b47c8d63ebe1f4290ab78d419ebf247ee514c9a6

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
390KB

MD5
9bd50fd2892b9bc484ce849b5bdb99bc

SHA1
aa700e7bfb022460e39bdbda1a4dde75a34b4e18

SHA256
61137be1a01fd3e0cb22c7e12d2868302b53a4a373e718b72511bf6bee0fe1df

SHA512
88347a20de67a627ff6bd5c631021a7a0346c325f5b8c1fe517afeb7586cd6320773d49462efe4f5edb4f899acd803bae6e15656c10922214cf8f29099423b1b

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
390KB

MD5
117763d745371a6f11f51e38ab77c5d1

SHA1
91e465e537232bd4d8d9ab1a117f26549de9f8a9

SHA256
e97ffa2ec1f3b88f4271feb12b375b35f4d4aae33f36c074916286d8b84244bd

SHA512
a6d3182a0f0b016ba6b143abbf5387dfac5653e5200e9f046bcf41240741442bf8aadd1dd5345c6b828f339fa45c9350774bf30c35647b311a7e71669f13778a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
390KB

MD5
8361d642536def07247262f4f791c5f0

SHA1
599506e61196ab0b90bd3f45dd7cd0d242b09094

SHA256
52837b39c217ea4923fd189271ffb86c8cece588e747e368960c9b04d5f30251

SHA512
0450ec56ea68932a60bc9edd7775cd290be468f32015204393e794b13d526177a8a62ef1559421c6c711f0a1cb0c059bc3612d3514add4ccef044fba726c5dd7

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
390KB

MD5
24fc231954a5b6439d16c2e38d3c97b8

SHA1
13851bf7e3b68210b26045ecdbfd3d9396271ec0

SHA256
59a978b93ce7d210878d2407585d2771ab52c9a0d4eb5ee4ebf85ba8f843474d

SHA512
50942e07b43e538b9f0e985bc09114c9713e748d383c5c7028af9fd1f2900cf40ac4c05ff3f578c86afb03947c861fecd0ff41e87a0a0e7ceb0d131b1675d5d0

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
390KB

MD5
2c62e7cae156cf7a6b73ffb94af116b5

SHA1
72a5606da5e9c6f39938efdc1d747760fa11d1aa

SHA256
c1a4a7f98bb9715dd3c4360f4a637e1a16cc6d746fe947c8cfbadfa64158173e

SHA512
d13116b2b4395115b45b53719e2d9c3c32bd5f426ad444e488ead0bc4739b0ddba6f106b9c2317a8ae3c61549a2259153ebd78eeefc18c78f209af1308d5d5e8

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
390KB

MD5
fed26756f4b2920d75d30965611b5519

SHA1
50a744bfae34b6061ebfe3d8b63fe2a8b68d8490

SHA256
b397ff80a09f149873424a7fce943d52001b9de890f4080fa5b5f073e727a23b

SHA512
71f73be750e0232180160509c0dc0aa9aef97bdd724f3cdf72080bb932e7b82cbe9d11acf59e4f5a986acdee0e03ffa6c4363227020513af5f2cf2d2c9c0b759

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
390KB

MD5
4f1b296cd90b2c58e71a6a0f96921700

SHA1
47ce21dc70dbca8f9e9e4c412f08ecb766459563

SHA256
b75b1e7ddecf9707834a271ad6b819e652050f884863e930d6e4406d892acd68

SHA512
12721f3521df404dc5acd0ae2764704962aa42476ce9cefdf8728cf3fa640b65d65cd4f658915307dc0ed418fa709dbbed1450a304317a6f6a7af2e7ccbf9f7d

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
390KB

MD5
090f400cb90a89bb28273f0c86692771

SHA1
3411033c28203f3941a90800793122c8eef91bd9

SHA256
d6c01f381c345ad46a0827dd3121e18586d6dcd46442b3e05cd6505a9dd7a670

SHA512
a2f6fa53eb834e68c54a9d38ad2e440b0eb79ccee03709cb7cfd02ed6ec5ef1e26472c78de951e8eb1a4671cf27fe423460d64cb918e58f338f9b8883035f48d

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
390KB

MD5
9ac47cce3618d8a592cbd85b52703e72

SHA1
c5c6d4b5c0e4d63a269280512f3d1402c74d1540

SHA256
2660fd0514851209f75ac0d360a3afd5bf273e885997ac3e483f7ae0a95eddcb

SHA512
6ea38173fa8239aa66e7343af32243521a85de9e5d2ce465c9de9319e69a6474422b879c173f7270d816518cac106d12a15ba965d397591b8087315339927c4b

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
390KB

MD5
f9b7fa8f139a7d1138ca646db859fabb

SHA1
160899fc39b0db729192ed452f2d07d47a2e0bd7

SHA256
03fd4cb5fb7c110e47deddfad745367c920ef797c389dde3f73411e09cd6c54e

SHA512
c4a0e43c1c2a42a78c334a13b0866befe9f56d273a2e0ea1b137c8f851d59c45d477230e67b02d1dedd02047773d7bc2358bacf5ea7405cf630d550108a65b3c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
390KB

MD5
870541ce5db1af7259e6fe3afd4481da

SHA1
1c3151820e5985dc1422353e55409063f1c7db4b

SHA256
b28aa196e0f653a780120416bf2d3a7f0bd60bfe2434246c7b3a92bbbe94acdd

SHA512
679c39a8bce6c1fb8ec6a8c5f0f15c888ed43dfb8a60940d688bf0101e084722ff4e162de0ced379e6277e4308ce538d92a8f1930b11a93eb8c23afe62c6b4ae

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
390KB

MD5
e4dabdea0a63db5e94f610db24d74440

SHA1
a53ca7b5e506bc233110fbbb8629df88d73a7e21

SHA256
5eff90d37b8424518938e34824a40e3b4f96c643710a03618ba17a34fe26c497

SHA512
aba0b87ef9e8b6a9bb1e887fd4b30f8bfd1d4198e5592ca119e30f1d13d90fc40cdb31083d056ff4f15e14850def48144dd7f36283e2107e136bd08e3ec953a9

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
390KB

MD5
cc119b50e96968f08f0f72b031163027

SHA1
acdadc9dbaa88a2dd8d550aba4c4bcb4df394204

SHA256
c052d89df54a36882151d67197d151f8778678c3455c14f4bba0201d71d48357

SHA512
fc6b2bb939a0ec95aa4a4b4063f2aa6b1978e8e6897d0d0cdfc2a17188163305f4c5c4fdc318b037026f2f72a61c659580021fa03f452a40de6dd7560e48356e

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
390KB

MD5
23d48a95d6138b84dcd261c07861b3af

SHA1
4d607d294c3e335ca0f827faffd521711203eac5

SHA256
29512cd01729965f5e35de4a5688f777c1ed5af5c8f533d6390de522ce8ed367

SHA512
edf88d541d54bded530661a8fd801bcd17fc7280ad59abb001d704d7c1539e3739268e882e5f5735849091faa30d98a902297ca10df18bfeb7e3f66b2ebd800b

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
390KB

MD5
db0da402d71e8d2d58532c0012bb9c77

SHA1
0b0e74c95e55c1475e3dae37ea1f130a926d95b9

SHA256
07a3db0c821b548a3fbd26ce7de89c55f69d12522e59206970718e2601c93785

SHA512
bd43e3456b1f6b0abdc0f74ff67176f6e9394ef5dc4a6191aa8827d4ddb3824f818a46769b9c7ec001b6206e1652b4c69fbf5fb04db6b7790e4e03787316f398

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
390KB

MD5
ed2f7e90fcce52d04cf9ac23fa8b339d

SHA1
5a29a530b9fb30400be72e38a0a34c4991ca9229

SHA256
89c008c90e664dca8b85f463d728c2072d447ee1ab129d63aba74749692d1ebc

SHA512
e7ea55a9e019a2100155fbe724e8d64fd113875a2d8f1b50d5ec4fdeaf14f5301f2235675596fbb7a91750ce535695dcb2ab4fca5f96e7b8e822dd7e6ed5f88a

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
390KB

MD5
2f3883932f916bcbf452707b0429ea57

SHA1
3e9e61a29624c04062a88b3287bdbdf7e6667c78

SHA256
10bd5b3e981a0a7c1c79f3bba3ec5fb76dcdffbde8c6547c656b3058ad37d2eb

SHA512
48c6fba74072668ec9a294f90ae1a8a51c0d547a4cd8711c9e61fdf1c9c431a50bf577fa52ac34846924caff83d80ac86e12d4185b3ee2173c7a9d29dd6b9736

Download Submit
memory/60-432-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/368-314-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/536-176-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/548-508-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/548-605-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/624-586-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/624-573-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/668-237-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/796-187-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/892-44-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/892-569-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1156-479-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1448-589-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1448-560-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1480-593-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1480-547-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1488-497-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1688-425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1740-16-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1740-546-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1828-467-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1832-160-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1912-530-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1912-599-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1944-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1984-376-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2008-601-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2008-520-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2180-587-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2208-220-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2244-143-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2372-332-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2380-597-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2380-537-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2476-607-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2548-273-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2728-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2828-267-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2956-87-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3004-540-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3004-595-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3040-359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3076-261-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3080-401-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3104-207-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3108-32-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3108-559-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3164-485-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3228-326-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3312-580-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3312-583-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3432-112-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3512-431-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3552-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3768-194-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3772-491-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-414-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3860-239-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3932-253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3944-579-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3944-55-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4092-465-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4100-449-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4196-151-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4228-95-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4248-127-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4256-167-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4324-24-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4324-553-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4416-229-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4436-370-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4504-438-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4536-455-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4624-320-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4636-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4636-581-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4704-338-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4724-279-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4776-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4776-532-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4800-413-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4832-539-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4832-8-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4864-211-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4928-591-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5000-572-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5000-47-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5016-72-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5020-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5028-285-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5036-514-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5036-603-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5048-291-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5056-136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5056-721-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5060-79-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5104-473-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads