7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe
Size

391KB
MD5

f79bdc04031f46002cc468de6166f7b0
SHA1

327f6fae9f6885709916a9b1eebe61ffab551f01
SHA256

7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51
SHA512

0675db6214ce830d15be0a074cd86e3d754eeeeb93188c5a855fe4df120269578bc60db3840a03958afd8ebd0bce20d44ff4965147c8ca347ad46f92c3ae6cff
SSDEEP

6144:0qJKvRzZGzAYlaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL:3mf2mNtuhUNP3cOK3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe

Executes dropped EXE 64 IoCs

pid	Process
2640	Ncdgcf32.exe
960	Ndcdmikd.exe
1196	Nloiakho.exe
932	Ngdmod32.exe
744	Nnneknob.exe
4240	Nfjjppmm.exe
1880	Nnqbanmo.exe
3588	Ogifjcdp.exe
692	Odmgcgbi.exe
3768	Opdghh32.exe
544	Onhhamgg.exe
2744	Ojoign32.exe
4584	Ogbipa32.exe
4612	Pdfjifjo.exe
2616	Pqmjog32.exe
1400	Pjeoglgc.exe
1856	Pqpgdfnp.exe
4652	Pflplnlg.exe
2052	Pfolbmje.exe
4872	Pqdqof32.exe
5088	Pjmehkqk.exe
5064	Qceiaa32.exe
3288	Qmmnjfnl.exe
884	Qgcbgo32.exe
3660	Ampkof32.exe
1212	Ajckij32.exe
1480	Aclpap32.exe
4484	Amddjegd.exe
4624	Aeklkchg.exe
4336	Afmhck32.exe
3384	Aeniabfd.exe
4420	Aadifclh.exe
2408	Bnhjohkb.exe
872	Bganhm32.exe
4284	Bmngqdpj.exe
4796	Bchomn32.exe
2488	Bffkij32.exe
1724	Beglgani.exe
664	Bfhhoi32.exe
2292	Bmbplc32.exe
3668	Bhhdil32.exe
4816	Bnbmefbg.exe
2016	Bapiabak.exe
2336	Cfmajipb.exe
4808	Cmgjgcgo.exe
392	Cdabcm32.exe
4992	Cnffqf32.exe
3680	Ceqnmpfo.exe
4520	Cfbkeh32.exe
2628	Cagobalc.exe
4508	Cdfkolkf.exe
4656	Cfdhkhjj.exe
2180	Ceehho32.exe
2136	Cffdpghg.exe
1136	Cmqmma32.exe
1428	Dhfajjoj.exe
648	Djdmffnn.exe
4344	Danecp32.exe
3116	Dfknkg32.exe
3564	Djgjlelk.exe
4984	Daqbip32.exe
4876	Delnin32.exe
3876	Dhkjej32.exe
4288	Dodbbdbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1936	3036	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2640	4820	7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe	82
PID 4820 wrote to memory of 2640	4820	7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe	82
PID 4820 wrote to memory of 2640	4820	7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe	82
PID 2640 wrote to memory of 960	2640	Ncdgcf32.exe	83
PID 2640 wrote to memory of 960	2640	Ncdgcf32.exe	83
PID 2640 wrote to memory of 960	2640	Ncdgcf32.exe	83
PID 960 wrote to memory of 1196	960	Ndcdmikd.exe	84
PID 960 wrote to memory of 1196	960	Ndcdmikd.exe	84
PID 960 wrote to memory of 1196	960	Ndcdmikd.exe	84
PID 1196 wrote to memory of 932	1196	Nloiakho.exe	85
PID 1196 wrote to memory of 932	1196	Nloiakho.exe	85
PID 1196 wrote to memory of 932	1196	Nloiakho.exe	85
PID 932 wrote to memory of 744	932	Ngdmod32.exe	86
PID 932 wrote to memory of 744	932	Ngdmod32.exe	86
PID 932 wrote to memory of 744	932	Ngdmod32.exe	86
PID 744 wrote to memory of 4240	744	Nnneknob.exe	87
PID 744 wrote to memory of 4240	744	Nnneknob.exe	87
PID 744 wrote to memory of 4240	744	Nnneknob.exe	87
PID 4240 wrote to memory of 1880	4240	Nfjjppmm.exe	88
PID 4240 wrote to memory of 1880	4240	Nfjjppmm.exe	88
PID 4240 wrote to memory of 1880	4240	Nfjjppmm.exe	88
PID 1880 wrote to memory of 3588	1880	Nnqbanmo.exe	89
PID 1880 wrote to memory of 3588	1880	Nnqbanmo.exe	89
PID 1880 wrote to memory of 3588	1880	Nnqbanmo.exe	89
PID 3588 wrote to memory of 692	3588	Ogifjcdp.exe	90
PID 3588 wrote to memory of 692	3588	Ogifjcdp.exe	90
PID 3588 wrote to memory of 692	3588	Ogifjcdp.exe	90
PID 692 wrote to memory of 3768	692	Odmgcgbi.exe	91
PID 692 wrote to memory of 3768	692	Odmgcgbi.exe	91
PID 692 wrote to memory of 3768	692	Odmgcgbi.exe	91
PID 3768 wrote to memory of 544	3768	Opdghh32.exe	92
PID 3768 wrote to memory of 544	3768	Opdghh32.exe	92
PID 3768 wrote to memory of 544	3768	Opdghh32.exe	92
PID 544 wrote to memory of 2744	544	Onhhamgg.exe	93
PID 544 wrote to memory of 2744	544	Onhhamgg.exe	93
PID 544 wrote to memory of 2744	544	Onhhamgg.exe	93
PID 2744 wrote to memory of 4584	2744	Ojoign32.exe	94
PID 2744 wrote to memory of 4584	2744	Ojoign32.exe	94
PID 2744 wrote to memory of 4584	2744	Ojoign32.exe	94
PID 4584 wrote to memory of 4612	4584	Ogbipa32.exe	95
PID 4584 wrote to memory of 4612	4584	Ogbipa32.exe	95
PID 4584 wrote to memory of 4612	4584	Ogbipa32.exe	95
PID 4612 wrote to memory of 2616	4612	Pdfjifjo.exe	96
PID 4612 wrote to memory of 2616	4612	Pdfjifjo.exe	96
PID 4612 wrote to memory of 2616	4612	Pdfjifjo.exe	96
PID 2616 wrote to memory of 1400	2616	Pqmjog32.exe	97
PID 2616 wrote to memory of 1400	2616	Pqmjog32.exe	97
PID 2616 wrote to memory of 1400	2616	Pqmjog32.exe	97
PID 1400 wrote to memory of 1856	1400	Pjeoglgc.exe	98
PID 1400 wrote to memory of 1856	1400	Pjeoglgc.exe	98
PID 1400 wrote to memory of 1856	1400	Pjeoglgc.exe	98
PID 1856 wrote to memory of 4652	1856	Pqpgdfnp.exe	99
PID 1856 wrote to memory of 4652	1856	Pqpgdfnp.exe	99
PID 1856 wrote to memory of 4652	1856	Pqpgdfnp.exe	99
PID 4652 wrote to memory of 2052	4652	Pflplnlg.exe	100
PID 4652 wrote to memory of 2052	4652	Pflplnlg.exe	100
PID 4652 wrote to memory of 2052	4652	Pflplnlg.exe	100
PID 2052 wrote to memory of 4872	2052	Pfolbmje.exe	101
PID 2052 wrote to memory of 4872	2052	Pfolbmje.exe	101
PID 2052 wrote to memory of 4872	2052	Pfolbmje.exe	101
PID 4872 wrote to memory of 5088	4872	Pqdqof32.exe	102
PID 4872 wrote to memory of 5088	4872	Pqdqof32.exe	102
PID 4872 wrote to memory of 5088	4872	Pqdqof32.exe	102
PID 5088 wrote to memory of 5064	5088	Pjmehkqk.exe	103

C:\Users\Admin\AppData\Local\Temp\7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe
"C:\Users\Admin\AppData\Local\Temp\7c6bafea50fe8368be96d36ba0760f25a8a468d952eb58c8d73dc00511c4ba51N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\Ncdgcf32.exe
  C:\Windows\system32\Ncdgcf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\Ndcdmikd.exe
    C:\Windows\system32\Ndcdmikd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\Nloiakho.exe
      C:\Windows\system32\Nloiakho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 408
        72⤵
        Program crash
        
        PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3036 -ip 3036
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
391KB

MD5
eb1ed392cecb22fc19901a91130ceb47

SHA1
a35b4ff2c959e601e7c0179b26ac5b72cbca3f01

SHA256
828a0290d85170a6b8965f06cd6f70dedc58fae09cfcdd054c70b0990a0fa366

SHA512
b6d5599d542d1d98a5066f18e1d12341872ef54009304058e6ee7a9469a9381c7e9a544695bb036f964d029654e6c389a02f3e3aa5e97579556996734ddbdd4e

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
391KB

MD5
4c2c1295a289f5a5e1d7a09c943e6d1f

SHA1
02fe09895f1b08ced98f7e9a469718b5515a28b6

SHA256
53bba2dbd54e2b778605423f4c1766c6981c2d946c9142a6e8ae2734a120b1c9

SHA512
adae76771aa68cbe2733eedd463fc09d65d8d8336d2eacb34906ea7f0f50484a030a0f52db0f49558d8f9a84f7f5376d88a34047be9f50092f5445d9601454a7

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
391KB

MD5
9fccba8341526b401d3edff62534a2ab

SHA1
5504f69e86356b03e1508c6dc799bc36c76537c8

SHA256
3f75e1c520098069c7bc4b824fbc1376ffb1afee68a45fbaf59a73a52cd98c8b

SHA512
fc85c298c31f26f4f622e97b1c5ab44290b9fee40a2a35a321809b1309590e914cfe3e40e58c95fb8a91d4da227ff157dc0a762190851827e775a444e41dccae

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
391KB

MD5
c83318bdff66f885af7ea806d8706371

SHA1
b908ac383e2cec2f953be60da52208a13d938d35

SHA256
16a9101d492e5a10254efc8dfc74e4cbc67705ac5425ac24f1de7e257afb35dd

SHA512
cc3a0176b94d8cebf44fa57e7dbdadd0945f2492492c0d8e8f8bc926aff945ad929e1ca8c4d1d1ef0d8eb26f6f19dd90c305717e47c87fcfd6beaea0d0b99467

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
391KB

MD5
bb31a3e87ab363ec3e421d4b95a1e762

SHA1
1e86038da25d5638b0a6ea1d0b2671212f7dbfdf

SHA256
659682685e22addb32154ac20c57824d30c0ca24a3f90d4b5b019c77401e400c

SHA512
cb819b99033d20ef8c14179a4a5bd890671befabb217d00937e0d9784598ba743538938ef9cc1b3a0e1f0a7175169a9d99c6dcf375e86a5bf19b58bf706bd079

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
391KB

MD5
600900623586f2a5120a4646039dbd11

SHA1
8070b833ab0c0db2f10c8ade8e4cf2a8f74caac3

SHA256
e8f20093d45976e0fd2ed293cad266250d85b0352a49a00993d1487701397e99

SHA512
811b2d349a61108ad2f72463d52d33c4275b87a00a4b1ad2c8f7786f38712403446504712d8009ab62e157352d84c2b7fd8cd2114bb9e6a9c7cc4d9b7374e0fc

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
391KB

MD5
7ab689aa31c2ac9222c646759ccdcfe7

SHA1
8c07b10a3646758014a124dcb47c833b67a95da7

SHA256
927200dd8941fcdc2029239aa2a1d9f4fa344b19bbd8cdea5befd6974d3e15d7

SHA512
eae6fcc4f843d3e0ff9334f7a0c31f7fa289930fe742402113b425d2d3dd34c77eb4c97d7ba359347fdfc96d0d6dc9f8a820c070383213d686856494e2fb344b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
391KB

MD5
c7e0dc2794c519a169d0d8edfbbee541

SHA1
0eeea9308cd9a92a34b9dd04253ba6fe4ca4ec68

SHA256
e057a5e01134ad37a69c262d54ff2769591d71166f700b8e0f02d21c95b158b1

SHA512
95345a6e9d5aa1c331eea4e839978b904cc9fee533e0c01f5991e88e648505a4bcf734cf67a5b88ee06584453d241b3ed73b876590514dc03ce05083d12d53d6

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
391KB

MD5
4ebd9302873c723dfa3f6beba307f346

SHA1
3bc1f11dd44138a9602a957443dc211d6b952df0

SHA256
aa2d19eaf148576f10a24ce4ca1ecdb01315d139bf366064828120a5079317f3

SHA512
e26a3ad378f2f7a858d632a9c8f6bb8ff18a1299ecfe68aab59086c4e6c19757eb949828d4327c9e370fca9870b27cdd378a51f9582cfcd610a89099795ee2b3

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
391KB

MD5
68fbc9692db24fd6e0008b3c1b77404d

SHA1
54611987bf34a06de5a3f74f1b340d23867a74ae

SHA256
8b7f04be8821673867afaabcd3db17651a30195870ff97e917ca7e7730d16a72

SHA512
71ca74b5ecaf26e213eb7ecb973d0fa2be2911c151d8447a440f895973e05e9485a4acced47de9f9edcf42cb9a9589e473deeb9043863daf9a078ad65eb05eef

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
391KB

MD5
50406cb585b77fc5eb30cda2973d2f04

SHA1
67a60603ed4960de0e1fc9428e372f482bac44d8

SHA256
fc85a543df46f7ba3b9540ed9e3b2ff4a17e8cfef0483a334bd53644e1c48b2b

SHA512
86c58b62556581073c30956c94cd0b3cb9eaf39918af6854491cd3317a9bd852c3cc0b48719e12c80b92a704035145e5b2eb2c082d62c17808131731b1e78754

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
391KB

MD5
4876dfaed110146fc20660e1be42d861

SHA1
28ac7c6648be6754fd61fc4933b7aa19e0be0ca9

SHA256
8b8500eb11033ab6732d1c21ef81170e8ed83b16cf5d7cf3b773d995a9fc228b

SHA512
191c6416509ad90cb0f8f861c7285a41352fd9341ce1d83547e0c737a7eee2ce6745711cccdbb71072b70e875c44b2f135260939d50d5fafe026845a6ce2950c

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
391KB

MD5
9b99e8f65cac821ebfe23ddeead4f301

SHA1
4556f9847ad269d9922a279acde35839206776e7

SHA256
c257b68caa1bf66ccb3575b0550aa937d8a4d68ddd749851703beee403f16e1e

SHA512
771888e1915fc7ab555b487fe6a54902c6b14e327c7223cf431839f2389025cd858e3a9f4472e7f626dea78144937d01dfd93b9a299827559f25f3bdd2368940

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
391KB

MD5
1e00f30dcde0695b653acd9c706753ba

SHA1
90322da75fc7c8d8a45daa9bdd596215ad9c8e25

SHA256
b766ce6846ffd2a6c9b0b2c6ba5fb63ca5da30a111f550f6b247a2382b75e3cf

SHA512
a27ca7b5568263ea5e03c6412c908d56409ee16fb699e8de24c4a8337953fc36acae20fb11324b63bdca1f2364cb80bc25ec0e2e0d69714822ed174eed2c3a67

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
391KB

MD5
c27fe2d244ee4bd08462ce2a23c04931

SHA1
027fec355e6a4bae27f499c5c9e3ff35c024fff3

SHA256
d7e77f2b6bf4ffd2c2275b8c364ab547ae27165f3d37dca3b07f674f0be57815

SHA512
3ca851641957b7867b03e7518284d77a76f3e4bc1a9b1efbbe95e4906c109f6cce76cbf0672468d74127c112f8a3a9a5e9b0ad3b0f46d1081ac52fe9776294c9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
391KB

MD5
a7efb7acd95e31dd25d9c1b1b6441bea

SHA1
b389c9fbb3394158c699a43f6f47940547a7e2c2

SHA256
6c8898f62a78c69e6f0a68d1615edfdaae3223475c474eacff21003d8b4fd5d7

SHA512
12a3008ab0480dfa51436f3eb080039733d62d2a80861f66ac82b5ec707d64c104383b4df797d464da858f7df64b692136dd221ba564618a933d71ed2f408650

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
391KB

MD5
ced2f911b197721a4b381d25f7e75178

SHA1
b49abc92799bf4f6f958d2e6717d5d022e2d82f6

SHA256
6cc3675683902356ba2dd044208f1fb1e0d49ab8cfccb2d312b99e7d27db605d

SHA512
6690ce63e3d1c6039cb9097d81ac230a7895718cd3ec5c42e2b23ddc9e538df753fff9ac5f1e14d366792e5dc39be5e214e36a64f71c41ab108060cfae816638

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
391KB

MD5
fcc4028b236b7551c14e32eb60e9e04c

SHA1
c069582f1d404a53c7bea70f6b0cad5da20f3b68

SHA256
5c19a5c9c3e648198c75d566d78b6d373ff4277933508152e90f5fe29831fd63

SHA512
ff07984b48ff2809e3b97169f883b48e8d694d27e3ec18f17d970d70e53c7dd1a0433c37ab1320c05b8392a01d7c0e61a80f1f99a6825b7f4d9357f97273b071

Download Submit
C:\Windows\SysWOW64\Empblm32.dll

Filesize
7KB

MD5
97b0ad362b42eb4a3ae0b9c65df07d94

SHA1
8bcae8942feebc92700c262c01831338d1dddc72

SHA256
694faecd9e9ff3e5629215004f492ef6ba4a8e80353d5038414ec05d185d7384

SHA512
ff228aeb161b4cd2d760497e9b253ef96fa77fd4520a2bf4556e29b9d80292d29261b22272ed7d5cd671f77f14b4f25576d85e2955a03d6e5079358897f3d635

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
391KB

MD5
1b27f33928adac487206bb4ca8d0b268

SHA1
e826d0c2eef05041c4c361e04e2ed4b20ace8aac

SHA256
9b9e9eb8ab17fa4d0bae0496828ddbbf3db6c9c9f28a7e28d614156edfe7fb59

SHA512
dea27bf0390707fe43a99e7e1b77157730c646a2b1c5732441e6f7c4cfc477ad2db16fa1635d1f41666a2f7e76e7405de833a2f8e62c4261aaa94bddd1254c0e

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
391KB

MD5
c0b6f17a0d4e6f59e815cb7987e06764

SHA1
9395c50138bf82e22681cbc3c35a70c8e39461cc

SHA256
80f72a4e3dcf72091dd9110be0e3bc6934b91e7204a2f4eb27d555efe1ed1f84

SHA512
aedc9bbed33b4262cfb6e446e1418141bb7e74a2b67471caaa79a1b3216e1ba6b5cacf806aa8eb2077ec685bdd203c5ae426852d2cf6534251b19f60361e385b

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
391KB

MD5
b26fcdc49fba88f32a010d0dfe037654

SHA1
31f328197420a1508ea15e3857829fc6e2844983

SHA256
8591ca17aa149d177151b28a77001b641f554c4104f297db7daa5cec7dc5ffdf

SHA512
2ee607fb1ed61d028967dac4416f03271ae89cfcac960dd42a371dc5d0e57eabff806713039a2de749de5569f49a25c4ae136ea0d29eb688947f5d2661ee77eb

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
391KB

MD5
722e679c34fa2f62f0d721833c24969a

SHA1
886ac94e1fc6fa2c99ec3b0d51f57adf919c096b

SHA256
dde963aef20c9d0c96ec74b4cda18d128d6de370f9485daf14d7ca6d685cc657

SHA512
a24bf885cdff74cc406fd70225a2e039e4b4f48f6310d423a244f82e64274b38e9d55953b66c3a1c7f8b46eb24a7a1a17b7e1b1b42c7db9b22813e3b378edf18

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
391KB

MD5
fb895b3921545c7db03d003dfb0b3dea

SHA1
5fcca4f826c4b3eaf86d9b4e8ab20141434ca9ec

SHA256
c0622cf8bcd880eb178832426aee2d4220d44542283f6642d51776c97429a72a

SHA512
8b04c796b4efcb3d774c16f9a613459d97edfa19e4c2ff90d404f492e0cd063782559efcab3ab95036c358ffb57efb114c579d8b799f5d0faaa380198d34a2d9

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
391KB

MD5
b3bf2c6bedd2e44432b6fa5afc84682b

SHA1
7b83b1bc2df1c0c06cde185f2792c1eb2dd823a5

SHA256
0b0bc074251fc634ad49d0dd8367fd9642e75744d96486020f5c915006f3f04b

SHA512
b131d6d0ff230cade21b4c469d8f46a6843679e141b0c4b1421bf365e7af767bed12127be84e2e1307e5e893ef2f6d9b056ff76c34d37fbdb33d776b68be0cd1

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
391KB

MD5
62e192f8bf3875ec2f6de800f76c8b85

SHA1
fc4fbf742c9a3b564a2709abf08719b621c19c29

SHA256
ee5ac6360c7d1bdfb7f7a248dde8068f94e66dbcd0984ad295045cf7cbb22bba

SHA512
f62fe2de984a4772042df44c5c56fed5b1cb345513173a4dafa0549cd632a2eb35da467abc494a8275e76d1f16f1001c76050a626c63071b4bfc73676fc83610

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
391KB

MD5
4de104ab084d819d2542978ba218358e

SHA1
7f8a37448f007d4592b3674e4d85934105a220c3

SHA256
a610861da705da301b14e1edd7d85207f0a04757c00788ab6c81833225e78f2d

SHA512
0657c53582c47b254d8d148b69a31beef12f41a1e2075a2317e8342b612db74959a20fae7a058fe12bdaaf78ddc4d16a6643f9be9e85dc3cd8111592811fbb39

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
391KB

MD5
1e0116f744f5f7ada68d58386bdf8f83

SHA1
373719f11f99a16228e98a4650020d81431de3ab

SHA256
4cea590fceaab37ba7a519b92193c9984b4b5b06ef0509d8adfc7afa826a1301

SHA512
5aa7ea8d0baf20cc2e7f1f1259249a47ce8401f091e184a405a2d59a6ec990b37abed681e3df999a5c72c5135e65c62e1c4fe6cc91fb1a1862fc929fc0b595bc

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
391KB

MD5
c40abcd2b5165a7d5fe420a158f010d9

SHA1
bb1d341a01fc1993ff8c2bf891333fe0f7ea1882

SHA256
0d5ac069a57a29f5d6ae6d84537dbc26bde4ed86bf46c008c6f48308aa672a97

SHA512
8efbdbfc3166c660bc4f59a61e82c9a48478894f7126fcd6d9bdf22b2340a2dc6e1c19840ef5466b62fa2e07d1aab2879502bf1dee368d52f9d2fd2cf0daa79c

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
391KB

MD5
2d119056c71d9947c0a61697b37e9f66

SHA1
9d7ca5cbbdbe5c855b1a481c416e2edf19d38d16

SHA256
1f78551063242f62848bde2e498f4d8d5a2409f8519ed94a572795b16a4594d8

SHA512
bd8e406e63d4c38698ee5788f181db3f90595f735bd423e162f59d2824696eb28e85b2f5fb740fa997c4977c8af35344ac6a3935f7155f5bf8ca6857d8c9884e

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
391KB

MD5
f236f5d91ebecece71c871cea4245ced

SHA1
1b74790e94537a5a7a7f43115c045bf413ca0326

SHA256
3f5e1e784c014c83390aad6b60b745a4471191ca80300d72fcd1cf31c7d1659e

SHA512
b01918c0dd157a28dd11f9b6d85f380afb88b0ace4e44d25937edf164b50311064efd3dcf6a686c32caa73dfb10a0a5e5ac6df4e58b9647234c5e56ca4367d0c

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
391KB

MD5
46ba13fdf0a7159b8a54be0932358d67

SHA1
b2c02966af89040e6d80bbb6a753d9b3e68484c0

SHA256
7747e76fe2e285ff127c5245bea39f15f92723555e55dc9233371c2032d84cf5

SHA512
b7a8b6fc969cdc447be83370626dde4967e40954e38f6c7414496d8ae97bbc3b6eeb66085235491f6de811bafe1aaa0c957b2169f76533ffaf871e56b6559bf9

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
391KB

MD5
4ca2fde77b0dc06de45b84c28997167d

SHA1
abf26cfec01dd13befd3f37ced6a44fd4f6870e2

SHA256
40131c1661f5c9efd5798620ee70bea66fd866edf8166f48903fbbf139931025

SHA512
3a41dabed853f0c6277aa127418b2da19e8c1aedbb93932d3e08d0462ceb54a51660ceae9ce512bd8facc49c8bfab64c454f720a82c8a8f58932d92fcc8ec999

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
391KB

MD5
ae7d73cf05f4c195ecd85bdaeedf116b

SHA1
ad45dd43905317ef37429ef949127084bb1b9f14

SHA256
6f10695b438b2e8fe0cc0af30534f12c04a83359fb46ae6e2cd82e87bb4290bd

SHA512
9df3b7f1b43caa0e073f1b8eedb343e134e3143f5fc4cde91e16dfa2746ffad534b722d3ced08957ead8ad6905ebdd3dba8929881c78b9e3d6f0b8bb68c16870

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
391KB

MD5
4bf5e715d6531bd0f12a25929c85d959

SHA1
8cd008da607af5cfd11bdee5228c4da9a3a7b686

SHA256
e1971bae2de29b978c3b9608f2f57e4057943437e79e89ae8e9895072895791b

SHA512
09810b3bd2c7543178ee8f053e4cb13955b7e8b5fdb617c495d8e96bfbb700d9e88b9297b3f672f8b8a4947afcda30e74068a13c16255335e51e36936fffadb1

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
391KB

MD5
766cca662ceb15fdbbbed9ccfd0fa845

SHA1
5b96e893559e75138fec7f21fbab53709a874010

SHA256
18f6f9886f86d79323923298f6a2e6776690439cfa66ed6b6a966778a0ab35f8

SHA512
a2cdb7156012372fbb1626d39b11377a46245a740bf609d7e361c110f355bf945fc692efd5cbc6fcd62cd7078398063f5d8a769b3498ba32df02ae27989f8316

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
391KB

MD5
405c26012cfe3dbf21be4c1c32465de4

SHA1
d0a8e306a58cbd23709bbe7dd6a1277897a74792

SHA256
c998b248f44224d29ca0bd641e8a42881efe71539e1b3bd9bad98b72cc336ed6

SHA512
c984a1c2f11dc51346ab1e07191c602b9d6d8b18c931562dc2b84bcfabf62ccdcc924403a913ba53906c77afc8b32e29fca276b38a06d4334f0cfea69a150157

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
391KB

MD5
f3a46ceb5d8a465089b05473c72c768a

SHA1
522bca7cdb1c82dd7622a6d743983421f647f70e

SHA256
01606a917f281b03c0409005ba3b6f87c2f8e1a66b9874fd0c61c7a683a29073

SHA512
adfe5dd22c8113eb36350683aaf4cbf328b5bbed9f694dcd2e535db381b286a7b564e2391a3c3a1b639d4c568c67be1301f5a23190085c2add7edf129c4cff00

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
391KB

MD5
79cbac4fa27a4ae6e011a66cf5fbed3d

SHA1
b9be8f8e80007c4d376af74a90c400704850b8cc

SHA256
9158dd464af983cff55e6df2308b7edc2706f3bec06d1fe628ac78e7e570f8ea

SHA512
3a6803baa27b9fb66ff74287c0adbf134d19984e1e4f3fd95f15e47cf536817d0fdb9ad69cd9df34b7b22332e1edc5c09c3798d0c6a29cb86e6ad57da78fd201

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
391KB

MD5
e33e3eedd31de3f58a81d08f14bf7886

SHA1
c9c7e5b98b2418565f73387571f0b09863fc0d1f

SHA256
18571d4e762f8014434dec669e79f922a8663580cbd79c9af4cfb532243ef9e4

SHA512
01384b4234e51e77d17cb76965e6e6ac0e49e0ff33e91c652a25528992a34b260d0b7b7983867b9da23240b7d21ebd8985837623fb428574a6af9db5ca22de27

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
391KB

MD5
48bd40f0ab7913350630a1cf1987c735

SHA1
436f66821d90c84bab1f944f3c2fc43448a27d4b

SHA256
e3fbf6bd5096a651815b2f5024e0c323265a8a2e317c613f0a7c5fef10bd07e5

SHA512
a052e3da78e25c21810a991fb015172a89bc072f941da4665656163d2925c790f490c4719915f88f141f0c9029ec7a82bef00e04218928f3f5f6e802dcd334c8

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
391KB

MD5
71b7960d8b09443bc0c1c9ad17ffa27a

SHA1
5d6da14944f60ca2e14b04b0c73d1e4699f915fd

SHA256
3e44b51e1c0080e28e52001ed409358443709e3f4169b5ea00ba274c74a83fa3

SHA512
2983a31e041b3bb549af8935cebe7729385cffe292c4cd1b3208d7370eb94f8873653d1d0206ff8c584015cee4b10d54decbbed25ddb6d0cc70176a7cc49abff

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
391KB

MD5
dd5fe714805629018127941d3d49a4bd

SHA1
563f14c1ad472acc28a42dceddfa80cb6c30d724

SHA256
dd23f5ca11d07f2bdd26ffeb3037030a64e56f22649e1cbcddc49337e64c8c53

SHA512
6e7e341343638da7f95a41ee7c923357560d8b699181d5fcee3049cecb6caefa8c4da50ea00e0aedece17439781e3a19bfe2ecef97d437133538ca7cac9cc7d7

Download Submit
memory/392-533-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/392-340-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/528-490-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/528-471-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/544-87-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/648-406-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/648-511-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/664-298-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/692-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/744-39-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/872-268-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/884-191-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/932-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/960-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1136-515-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1136-394-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1196-24-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1212-208-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1400-127-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1428-404-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1428-513-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1480-215-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1520-493-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1520-459-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1724-292-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1856-140-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1880-56-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2016-322-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2052-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2136-388-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2136-517-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2180-382-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2180-519-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2292-304-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2336-328-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2408-262-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2488-286-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2612-453-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2612-495-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-119-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2628-525-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2628-364-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2640-7-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2744-95-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3036-487-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3036-483-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3116-507-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3288-184-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3384-247-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3564-505-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3564-423-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3588-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3660-200-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3668-310-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3680-352-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3680-529-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3740-477-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3740-486-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3768-79-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3876-441-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3876-499-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4240-48-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4284-274-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4288-451-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4288-497-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4336-240-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4344-509-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4344-412-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4408-491-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4408-465-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4420-256-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4484-224-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4508-370-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4508-523-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4520-527-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4520-358-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4584-104-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4612-111-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4624-232-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4652-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4656-521-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4656-376-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4796-280-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4808-334-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4808-535-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4816-316-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4820-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4872-159-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4876-435-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4876-501-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4984-503-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4984-429-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4992-346-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4992-531-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5064-175-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5088-167-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads