1c8e80a91e8531cbe7657f54384f3d19dfa8398edc6a23560dd654c392c3f653

Analysis

max time kernel
94s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

878a5045a12d30bf87d0f64ea7735040N.exe
Size

360KB
MD5

878a5045a12d30bf87d0f64ea7735040
SHA1

8f11878568c32ae597d982d9b5075e10928a686d
SHA256

1c8e80a91e8531cbe7657f54384f3d19dfa8398edc6a23560dd654c392c3f653
SHA512

15f080438b490334b6c4b861f9c9260b29367295c9033393c8f70b9867715106cbd7cf76ad81e105876d6c95bf12b16cf125a5c5a90f719c2f11cb9e69a5dffa
SSDEEP

6144:YRww4WPtVbKJCpX2/mnbzvdLaD6OkPgl6bmIjlQFxU:YGw4WPICpXImbzQD6OkPgl6bmIjKxU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	878a5045a12d30bf87d0f64ea7735040N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe

Executes dropped EXE 64 IoCs

pid	Process
4872	Ognpebpj.exe
2424	Odapnf32.exe
2840	Ojoign32.exe
3300	Oddmdf32.exe
3920	Ofeilobp.exe
3484	Pnlaml32.exe
2196	Pjcbbmif.exe
3360	Pdifoehl.exe
3116	Pjeoglgc.exe
3196	Pdkcde32.exe
4768	Pncgmkmj.exe
2956	Pcppfaka.exe
4580	Pfolbmje.exe
2784	Pqdqof32.exe
2240	Pgnilpah.exe
4408	Pjmehkqk.exe
4204	Qdbiedpa.exe
3160	Qnjnnj32.exe
2452	Qcgffqei.exe
4716	Qffbbldm.exe
1832	Adgbpc32.exe
4256	Afhohlbj.exe
4172	Aqncedbp.exe
1136	Afjlnk32.exe
4104	Aeklkchg.exe
3472	Andqdh32.exe
2692	Acqimo32.exe
3488	Anfmjhmd.exe
640	Aepefb32.exe
2788	Agoabn32.exe
4852	Bfabnjjp.exe
4804	Bnhjohkb.exe
4068	Bagflcje.exe
2960	Bganhm32.exe
1952	Bfdodjhm.exe
2716	Bjokdipf.exe
2344	Bmngqdpj.exe
716	Baicac32.exe
5008	Bjagjhnc.exe
4876	Bmpcfdmg.exe
1688	Beglgani.exe
540	Bgehcmmm.exe
2900	Bjddphlq.exe
3776	Banllbdn.exe
348	Beihma32.exe
5012	Bfkedibe.exe
2380	Bjfaeh32.exe
1684	Bmemac32.exe
856	Belebq32.exe
1812	Cfmajipb.exe
2884	Cmgjgcgo.exe
2532	Cdabcm32.exe
5028	Cfpnph32.exe
3392	Cnffqf32.exe
2828	Cdcoim32.exe
1128	Cjmgfgdf.exe
2932	Cmlcbbcj.exe
1168	Ceckcp32.exe
4860	Chagok32.exe
4868	Cfdhkhjj.exe
3728	Cmnpgb32.exe
3304	Ceehho32.exe
4688	Cffdpghg.exe
1484	Cnnlaehj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	878a5045a12d30bf87d0f64ea7735040N.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qffbbldm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3456	2268	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	878a5045a12d30bf87d0f64ea7735040N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	878a5045a12d30bf87d0f64ea7735040N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	878a5045a12d30bf87d0f64ea7735040N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	878a5045a12d30bf87d0f64ea7735040N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4872	1448	878a5045a12d30bf87d0f64ea7735040N.exe	83
PID 1448 wrote to memory of 4872	1448	878a5045a12d30bf87d0f64ea7735040N.exe	83
PID 1448 wrote to memory of 4872	1448	878a5045a12d30bf87d0f64ea7735040N.exe	83
PID 4872 wrote to memory of 2424	4872	Ognpebpj.exe	84
PID 4872 wrote to memory of 2424	4872	Ognpebpj.exe	84
PID 4872 wrote to memory of 2424	4872	Ognpebpj.exe	84
PID 2424 wrote to memory of 2840	2424	Odapnf32.exe	85
PID 2424 wrote to memory of 2840	2424	Odapnf32.exe	85
PID 2424 wrote to memory of 2840	2424	Odapnf32.exe	85
PID 2840 wrote to memory of 3300	2840	Ojoign32.exe	86
PID 2840 wrote to memory of 3300	2840	Ojoign32.exe	86
PID 2840 wrote to memory of 3300	2840	Ojoign32.exe	86
PID 3300 wrote to memory of 3920	3300	Oddmdf32.exe	87
PID 3300 wrote to memory of 3920	3300	Oddmdf32.exe	87
PID 3300 wrote to memory of 3920	3300	Oddmdf32.exe	87
PID 3920 wrote to memory of 3484	3920	Ofeilobp.exe	89
PID 3920 wrote to memory of 3484	3920	Ofeilobp.exe	89
PID 3920 wrote to memory of 3484	3920	Ofeilobp.exe	89
PID 3484 wrote to memory of 2196	3484	Pnlaml32.exe	90
PID 3484 wrote to memory of 2196	3484	Pnlaml32.exe	90
PID 3484 wrote to memory of 2196	3484	Pnlaml32.exe	90
PID 2196 wrote to memory of 3360	2196	Pjcbbmif.exe	92
PID 2196 wrote to memory of 3360	2196	Pjcbbmif.exe	92
PID 2196 wrote to memory of 3360	2196	Pjcbbmif.exe	92
PID 3360 wrote to memory of 3116	3360	Pdifoehl.exe	93
PID 3360 wrote to memory of 3116	3360	Pdifoehl.exe	93
PID 3360 wrote to memory of 3116	3360	Pdifoehl.exe	93
PID 3116 wrote to memory of 3196	3116	Pjeoglgc.exe	94
PID 3116 wrote to memory of 3196	3116	Pjeoglgc.exe	94
PID 3116 wrote to memory of 3196	3116	Pjeoglgc.exe	94
PID 3196 wrote to memory of 4768	3196	Pdkcde32.exe	96
PID 3196 wrote to memory of 4768	3196	Pdkcde32.exe	96
PID 3196 wrote to memory of 4768	3196	Pdkcde32.exe	96
PID 4768 wrote to memory of 2956	4768	Pncgmkmj.exe	97
PID 4768 wrote to memory of 2956	4768	Pncgmkmj.exe	97
PID 4768 wrote to memory of 2956	4768	Pncgmkmj.exe	97
PID 2956 wrote to memory of 4580	2956	Pcppfaka.exe	98
PID 2956 wrote to memory of 4580	2956	Pcppfaka.exe	98
PID 2956 wrote to memory of 4580	2956	Pcppfaka.exe	98
PID 4580 wrote to memory of 2784	4580	Pfolbmje.exe	99
PID 4580 wrote to memory of 2784	4580	Pfolbmje.exe	99
PID 4580 wrote to memory of 2784	4580	Pfolbmje.exe	99
PID 2784 wrote to memory of 2240	2784	Pqdqof32.exe	100
PID 2784 wrote to memory of 2240	2784	Pqdqof32.exe	100
PID 2784 wrote to memory of 2240	2784	Pqdqof32.exe	100
PID 2240 wrote to memory of 4408	2240	Pgnilpah.exe	101
PID 2240 wrote to memory of 4408	2240	Pgnilpah.exe	101
PID 2240 wrote to memory of 4408	2240	Pgnilpah.exe	101
PID 4408 wrote to memory of 4204	4408	Pjmehkqk.exe	102
PID 4408 wrote to memory of 4204	4408	Pjmehkqk.exe	102
PID 4408 wrote to memory of 4204	4408	Pjmehkqk.exe	102
PID 4204 wrote to memory of 3160	4204	Qdbiedpa.exe	103
PID 4204 wrote to memory of 3160	4204	Qdbiedpa.exe	103
PID 4204 wrote to memory of 3160	4204	Qdbiedpa.exe	103
PID 3160 wrote to memory of 2452	3160	Qnjnnj32.exe	104
PID 3160 wrote to memory of 2452	3160	Qnjnnj32.exe	104
PID 3160 wrote to memory of 2452	3160	Qnjnnj32.exe	104
PID 2452 wrote to memory of 4716	2452	Qcgffqei.exe	105
PID 2452 wrote to memory of 4716	2452	Qcgffqei.exe	105
PID 2452 wrote to memory of 4716	2452	Qcgffqei.exe	105
PID 4716 wrote to memory of 1832	4716	Qffbbldm.exe	106
PID 4716 wrote to memory of 1832	4716	Qffbbldm.exe	106
PID 4716 wrote to memory of 1832	4716	Qffbbldm.exe	106
PID 1832 wrote to memory of 4256	1832	Adgbpc32.exe	107

C:\Users\Admin\AppData\Local\Temp\878a5045a12d30bf87d0f64ea7735040N.exe
"C:\Users\Admin\AppData\Local\Temp\878a5045a12d30bf87d0f64ea7735040N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\Ognpebpj.exe
  C:\Windows\system32\Ognpebpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Odapnf32.exe
    C:\Windows\system32\Odapnf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\Ojoign32.exe
      C:\Windows\system32\Ojoign32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3300
      - C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        29⤵
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        37⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 396
        82⤵
        Program crash
        
        PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2268 -ip 2268
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
360KB

MD5
3f0b1a9a5bafbad744de70716bca1a85

SHA1
0536b0d42b9d7670431f6458bd4a46459138d91c

SHA256
bce1db70c8a595dadd6a37556b1bfef4f80a773836a1634dc9a880a9172a76f1

SHA512
d35bdcb9452a63217110c9132d4162d3641bdc52352cb0731e82c57bda35a7b23233dd8aaf7f32dc3cf8004e890ffdb169109877068f43dae4f4548fb41727e1

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
360KB

MD5
adb4ab16b2e29f40d92ce2dc2c833edf

SHA1
d4def1ccea9d3ea18ff9dfe965c47835a42a342b

SHA256
c813deca7c6a19c3480161b4b9e88e5d68956b8fdafaf522a70af8944d839726

SHA512
c5fd5435a633ee1ec9227dca244c04e95c77de734dc13134bd748dad4067e3fa83c0c59e95bc09d04f0b76d98981581c1db8517827b8ff6006bfe8389ccb47e6

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
360KB

MD5
9c4f1e255965d1f268414d12f8c78de2

SHA1
5866b67b5a283b8cd31c20e91509c47010f2acef

SHA256
ccf012103f419b5bc8b8fcd4ff6750288755e248cfa00aa78c017eae1a50e95e

SHA512
005dee04e89373b06839b6db214b6f47ed2bf15ed0e11928efc0d4ec3b0b3d89c42b115ccd6a39c390b93929b5e33b983fb559948aad6729c7eb22734ae361f1

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
360KB

MD5
61058fb4aee242419a51469bd9269132

SHA1
a3a5b63e354d1e1fd0a55ceb7c110d73c6d64fc6

SHA256
0204c5690a1d409fc53c506a39b831af20c475fdcd0380c429aca08e7a4c44c1

SHA512
294272beb699b36c2fbe8f59909dc568fb83c2146acf438dc9cf3d5b59d32cd7249f757e274fd95bd02fd1f1bbc5186bd0acdae02297d6aca4a9bacb3eb068a0

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
360KB

MD5
34ab3da77325aafdacbdef68a1c9ab29

SHA1
35866ffc1e90220f016cf86abb8a75f8b736a932

SHA256
07a1c1c7cb12a856bb20d3243281e66726750684949b62ec5cdc288ad6fc26f1

SHA512
2a5bdba254caa6c4a4b99923385f2abe5f2b362e437183da8db4584b1d7dcb2bc0e0fa696ebfa108c8312bea24dde35748ffb1d69e8320a50291fa519f40e4a6

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
360KB

MD5
e3785a0614eee95adcf30dfebd4a305f

SHA1
91a2a4faa443290d1c5a36bdd14a6e8d0c28322e

SHA256
7929ce2f22289c4f0b35fe0e9e801c9f1bc9423077877c73c9ad5e9988b24ddd

SHA512
d492ff4a1ef8d4adfbb8ac120e9193291ea159bfcad13be1d23ffaecbfb3fbbf5d0cc48a125b3909b1b2a83fa06ace2827bbae64dbabe1031e29a3f772d328b5

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
360KB

MD5
9830026a2a088e14c887a84db97850ed

SHA1
c7b88c8cb0e2312859df7e94089464c4d4aba7f9

SHA256
ed3d76d6ce33225c24ce44727cd48128b9782d1af90853bcd0184dbd04dd78c0

SHA512
823aa8309e352b50b699f8d586ff781c496cb58b2ed7fc225b4c89091c4069d3312cacbedf8ba19b9d906c6c5f0f589cbcc5ca00241c872ae0cca583b9a98bfe

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
360KB

MD5
e604ba8df5a715d0bdafe1ffb27b56ca

SHA1
7ed82fdf658b643ef7fe2cabb83b66fe73d8e6ad

SHA256
e35789cd1eeb99106170ec790fede3a56f6934afa61510c4b3749f4cf405c102

SHA512
ba332d2d0d917ecdfe1b97419cc2297e1af1eea71b50cc2fffdef91fe7e5378e642f4cd0c461a41e8938e06279818e9dde1d88a4f7f4e8813d871f191f4ef511

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
360KB

MD5
49f5f86f6e29caeb27550ba6d08d9ee5

SHA1
fc15e978a5fcb729a6fe0f54766a2145dbd5bc31

SHA256
b644acc4b68b8a3fe8be23e3f001db53f930e507f28019c44637ad41fbee6720

SHA512
9ff4f0267955d1b88bdcd5cac82c1166d3fdc90214095b141d3130f7f70bd4107f9fa28e62ab1a34f3259047aed9d9404875bfb1ea10883a7489aa0e6d332ef0

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
360KB

MD5
df68f5489abd9f2babf8dba5f7b2bdf5

SHA1
5ed26aa5d56402966ddd532179f85947b415252e

SHA256
a7f3a1efa34d743c2f4d2ed2c87df6b5401695c3901d68f37dc6b068660d75c0

SHA512
da46731cf4e4d54f0683bda2f66c50963120a0fd45b37977af53366673961b86d51b746adea1191953aa18263290ec127fd1bdc0ff379793d7833762eb6e8066

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
360KB

MD5
4c48df6455c3c626f5c05cf2cc23cc88

SHA1
d6bc0ad43a45064ba514d88092b9716b77dd698d

SHA256
912ae6f949d960a5cf35da3c5634221338ce9ee726c8bb2a002dce5326d420af

SHA512
8ff59a14af66f8f72d2d3232542eb8178befcc465217e0be83dcfbcf392a66223b9fe50d0a61999cc2fe9de9226cf13a9cd5b75ece01a30fc176dd6acd1502ae

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
360KB

MD5
0ca5e2a9a60d7d9a1234886d2f8cb8ce

SHA1
9f735eb014fc17f18e45c4c4d467faaafc99ec5e

SHA256
d6bae60f6a759addc7c37a3968d2af28b03e5a13d249a579d09ed8d5cadfc1e0

SHA512
3a2723fd0e6f3733113abb296ebbcc1f9c43e4009cbf89e0dc60d08f2d077d1efae22cef3fdfbd29560ff690a5149bedfc5c31fe29bf9083fd8495a85a526b30

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
360KB

MD5
41c5aee704baca7143ee0879fc241b8c

SHA1
8bdfdc917b733e482bfff583c2c087ced2d24095

SHA256
54a2d499779697b59da81aa132271e61d7c6104883f605fee8a876a8c842b054

SHA512
344097c55bea6578331de5914eb3be3373cda851b1b0709b4bf342924a5792af7529cc2d051e4e7689025cbb306143f03bd2e0d24d929f894c8cf6bcc8f79fc9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
360KB

MD5
fac2bfb12868bf6878a00714d39f4316

SHA1
f7a2d71b7c8b48e1f65e811037795df031858fcb

SHA256
16e0a12351049be4e3532a209f199f0317d214cd87a1d79c728d3ca640083d9e

SHA512
7a778164eb00b66d4f5412141f7b416a58953fc487b9bbcbf8a85a8bc508a0aac763e198d9ddd003c00ef179ca0643160da4933771d4c5c4b2f61c2ae78c486b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
360KB

MD5
bf5083f6a0dfacf8a89788d3dfc5b5da

SHA1
a4a5b50989bc2e136751550d634386e8d337211a

SHA256
b930a466740700b10207a6ececb1bd977162ca10f1c67198cc31e0c3e21c9cb5

SHA512
98c657aa2936957384254f76ee6fcc0ec04221eb6c5b55e4f60a307ad95d7d3fa3392b413140ffe707b22fb71501e67ba6b919724d59b3d54fb0a29b42d991d8

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
360KB

MD5
1095360a2973a8ee2b08f02074970cda

SHA1
9b2fd2cdc3f4b1a58d5bb1f12ff79e31db04675b

SHA256
6ca5930a44a879dc05c2ac9947029dddcf1c2d203acb09dc36fe5d483e10a50b

SHA512
76300b7b82d6150dcea3606280d75a85416e4749b9503de8ebc4a72edee2fb0f8c1edde88089456dbfcabe290338482f4cc9f339bda6a6ef71b641490c5d9481

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
360KB

MD5
e96f62ae4dc006054526d4a9a61e311e

SHA1
b5f9413e1217f0ec227ac9011dc46aced837ebed

SHA256
ac5ec4836b27803cacd34d1cbc337bb09ef695edae2e1686014e32d533478f91

SHA512
12064f6bb6377f7e9ed162e3cb729a105ac63e03cb3b6b9725008e4245c62aedcb374200461e3beee71e28edfc9e68f383d31180b8bdd2f5370847ff9781c7bf

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
360KB

MD5
196f7dd98f8f39a4ed80b0e6ce3d597c

SHA1
ef6269824d8a9da4ee14c7cee52e96ed4585506b

SHA256
80640a52f4efccf16ed737d8a361a237c1e3bcf83efd5eeac79c773e40177d41

SHA512
1e56044c17b7ec6888a04de20e9a5d315558d2a2646da79c52aa57631efffa323869b87e25312eefe06f892257e2b087452821d60211a2d4542dce94edc2e27b

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
360KB

MD5
709e0d21ba2c80f9d561d25d719bc989

SHA1
a444a79fadfbfa3889203d415f02ba68cccf1f30

SHA256
4a4f582331830b93f77edc3fb9d192d0ff3d25bcd8427a489ddb7c6503b4c079

SHA512
67c0c5195fba7191038d47eb6d9bf885707b999d7602f4eee935e8da14b264afb72526ca959512e9b02f06c11c4a5c3d66ab792d745e464205625c34390c17bb

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
360KB

MD5
948b95a2821f614e80e7b8540e0bb5e5

SHA1
bbf0956dae9f13b5d3e0e728a1108ae663e28e60

SHA256
52f85d668fe9f8778a3630f888c7be9b2745f0ff6f70c747c97c20f42dfbb5b0

SHA512
977d7ec8d3c5250c5f95b3ff9cd977cc5a1b78cf8acb9d839ebea0a58aefd38c7f8400ba506ec2766e602a289a6d204fc4d281646775f0d91f23170012d05e28

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
360KB

MD5
77b4495f40fd81f5f12a3b1f0d8a4cd6

SHA1
a98f42ad42f64bc292c674ac8ea94207bd604b4f

SHA256
7f4a9542a2d4e71877766d19b646f368ad5a8a3e06a873f1e0b9cb4b62c53cb7

SHA512
e07d1ad9278e968341b1c87095331041203b63d5263c8c62d13d03ad8b8a54fd98bb8c2d08c325a5466e5345fcdd4205e8d2dd7167dea441a070d03e7c27dc66

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
360KB

MD5
5afc970b6857baec40dc342c8cc95087

SHA1
a1ab126c6328691aaa60663a30724a04761df8cf

SHA256
551d30c9b677ec428b7c8fb8147a40a63aa803ec36c9223756f473a3521643b8

SHA512
bfeced1f049bff3e0d798e71b85ce21c58706abc6a5e9cb690388697e9661cb581bf0210ea58ba45bb6defe760fa0d4e6d05a7583d56c2153e69134e04b92054

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
360KB

MD5
34cc2ca2782d66b93c70d448fd7ccef6

SHA1
e5238b8248ea6f421fa65cbb3c21d0a6c9b191e3

SHA256
5a29b0924a1755ac629b29ab01b6a92c29285a9c6095e22bade73e02c109fc54

SHA512
e07e6730d2819ce7f30eb93c14315b743be950c71177bff86f9d5562b4af5138b6a1838826f2b3bafababb040f9d547b9a2b7d1443730845b412df346b941306

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
360KB

MD5
fd7286f35377d0ac33058663cccf0825

SHA1
5926beb3d441648b60ee000980248bd929fa4930

SHA256
e7d636659ad9b367fef450a342ee7908b8a098679454a69b33fc8b4eb632106c

SHA512
3792af1908beae26a3fcce4d128865ea83e14fb326574183027a31408c8f7faadb5f5daca5c46238f38bc8d5108689c52f14f32be7c933ffe932da171f6302d7

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
360KB

MD5
b19ce092be33d2d0113dc4138afcd52a

SHA1
51f11ca5d735c4350ec030450b9d5c163cab64d4

SHA256
f34ce4bed6fe052af7a183971863688332f698982eda1af8649fbe2be781145e

SHA512
8be9e7ccf8c1427264a6fbdfb8eb6e413615a2565ef38252f25bdca52258c818bc09b4a3bb1bfef805c2d01982956de9dcfcd1bc3fc64d672cc579f025f8090b

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
360KB

MD5
7f46c5ac68029f36cec87eb53711e8f4

SHA1
8bfcbb4a3eba49760540a8ba872a4762f9ba62dc

SHA256
724cbe82881db6d4932a7e18da92d07f4a8a7efd949086e6dcc4cd167db9c4c8

SHA512
dd96f927f3e5df81d92b1b03e32e56485382579ddeadee5ada73e47a12db7937ae8a6f7f615cbaccb7d6ddbff4b7dd9392814b8498bc1206b5f57afbfa4f96a3

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
360KB

MD5
ed5e34390663b3f80cd8801ffd881ab0

SHA1
3cc52a52f4983be7267bc141d190196197d116eb

SHA256
eb8ab124d477ae9537ae3dbe3116419609098050279ab844bc11428db38caf32

SHA512
581ec7132c1c6889b1bdeade57032786315f988f6d54d36aa6941d30715c850037db99b3a3b4ba5d78f1e956c30d2a3fb28bf3b3c7801690c1d0c398fce3cc49

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
360KB

MD5
6e1a06e188ac8f14abd7fd1c56319cd0

SHA1
1ce7f6f14fa611951ba44de1088c657080b0755b

SHA256
63ed2dd47319c762e417c971f005c4e9982aaa68484ba1815ce4d669c82a9b86

SHA512
ac6973f504d31f59f812827f434394a190666a879df0235e33a0c3ee412789e4c9431a079c9e6004d6d69d2150805157a9998ba27268a0650d06aa40c5054367

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
360KB

MD5
5387446b30790d0c29c170642f860729

SHA1
bfb32d5c38bcffd794e4a436c0a18c58eb0302d6

SHA256
4a2d936d0a721fcf388d7b52e2bb1351e1dca570ec4ba906d516e5cff943ffde

SHA512
f2288fc63f5109ebe001385443bb7f7cc8456a69322814846417f59ea7c5853ff6bce9a1fc95628c8644d4c81d9cc8eab6492beb495c018cb6bd0226df512e29

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
360KB

MD5
29fbaf3f39eb98fff78256ece26893b9

SHA1
facbddde6ccbe63c1d36a9b39f32d684bed07326

SHA256
04055b3523a94eb5e47e4453221d0e9d665df59bfbf1741eb49ff70b6f0c73e7

SHA512
9c1dcd12d080d0ec6bf8fa79db09a6428a1a36f0ec6f68903aa83b28411bbf3769fe43e53099bde75fab9138afe4a648df95493500092a8ba9b2fa19ce7bb2ed

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
360KB

MD5
171c6c0fe35fcce93b78eb2ea1776c3f

SHA1
fb56c4af0dce63de0312f7d4c2ece89e28b7a25a

SHA256
7b023fb8eb1a8f3803aaa2ab232083a95b0e1c8ad161bd45fc5194a281db438a

SHA512
4cf73f73638001ae0c59f6a4d66112a52c6cfcdc4ea7330f862efe0698cd964a5d63e112aa886be9ab66fea4851766e47be7b392e451227452819cba1c64cf02

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
360KB

MD5
f996d2ad81b95cdc2c3da7a50610bac4

SHA1
f0a61cc40ae7a62e405b7f8576cfad2901d5f0f1

SHA256
1982462d3794ae848ade96a1b1c9c48d91ca29b046880382975c891d5b5bd10e

SHA512
9f447e0a425141572e939d4eb358639a28bb2219ad80de98245b1c6e0d46ba6b4a00acd7c2ee887a72e6521b148cd7b56a4b20afe126f8412eff3b1474720472

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
360KB

MD5
dfe767904795ab9691598d812ff3025d

SHA1
d093eea0009076ca16093b914e214011c1477de1

SHA256
cf7e0387f671d24286f9f0f49600c9fe15b2471ff3020876d084ddb88b4939ac

SHA512
10bc255985010c06d8e6c70a37b120ca076aef7ac57b84738e76459b5f9c17d04ecc21218417470887fe36b8116b3cd9a7d33af97b90963bfefaf6ebb0dbb31a

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
360KB

MD5
a8b93e4f0e3fa51fc744238dc5c34cc9

SHA1
1e447d9b07bed0a899188d6bddda082afdd70c1a

SHA256
c3414bcc9f39d2260dd1e24293f4094eddd6a14ae6d154270ba6e532ce0c87f9

SHA512
b07e1ca17b82243ecc2c9a0d76b2f6da0e6dceb97234048bdc4528245c9c564bea7f54534ea801d134996cf74c97cffdbf0a992c31d3e189da34b9136819870f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
360KB

MD5
93f29cbf298a5921615ee8f641020b77

SHA1
393d3a6f5fde1076e8588a94779f945687469595

SHA256
41b1fb8ed4cee32863b085bcefeb4e0339d1326e3aceba221a521fba7b28600e

SHA512
949baf8b94b601996ea0eb333de537624044f46d483b2b9dda4bb9824956491470dcfd26c8469e6aefecfbbd1be0348be631dbec56401b84241f4c010e7a9c1e

Download Submit
memory/348-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/716-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3512-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3512-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3776-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads