ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe
Size

395KB
MD5

dc676f6aac0d27177b6ce090ac597df0
SHA1

fac8c997a3bf79d89855f5473783d91a0d4ed813
SHA256

ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7
SHA512

b90d09d9a8d2d614ddc0605dde79ad4aa785aaa44450ee0cedc0d033128f1a83f5712194b5eb3a6a15e596d93c193c4bbceb6b0678df2298dc54c9620d978243
SSDEEP

6144:Nw2upIrJD7K7ss4y70u4HXs4yr0u490u4Ds4yvW8lM:Nwbow34O0dHc4i0d90dA4X

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe

Executes dropped EXE 64 IoCs

pid	Process
4708	Pdmpje32.exe
4992	Pdpmpdbd.exe
464	Qnhahj32.exe
4296	Qmkadgpo.exe
668	Qcgffqei.exe
752	Qffbbldm.exe
3588	Afhohlbj.exe
4732	Aqncedbp.exe
2496	Aqppkd32.exe
4972	Acnlgp32.exe
3680	Afmhck32.exe
572	Aabmqd32.exe
4404	Acqimo32.exe
4944	Aglemn32.exe
3512	Ajkaii32.exe
1576	Anfmjhmd.exe
2420	Aminee32.exe
3708	Aepefb32.exe
2412	Accfbokl.exe
3988	Agoabn32.exe
3156	Bfabnjjp.exe
2436	Bnhjohkb.exe
956	Bmkjkd32.exe
3052	Bagflcje.exe
1700	Bebblb32.exe
4444	Bcebhoii.exe
468	Bfdodjhm.exe
796	Bjokdipf.exe
3984	Bnkgeg32.exe
2580	Bmngqdpj.exe
3076	Beeoaapl.exe
4196	Bchomn32.exe
3264	Bffkij32.exe
1076	Bjagjhnc.exe
3064	Bmpcfdmg.exe
8	Balpgb32.exe
3168	Bcjlcn32.exe
2212	Bgehcmmm.exe
1444	Bjddphlq.exe
4396	Bmbplc32.exe
4428	Banllbdn.exe
4772	Bcoenmao.exe
3240	Cjinkg32.exe
528	Cenahpha.exe
2248	Cdabcm32.exe
2584	Cfpnph32.exe
4472	Cjkjpgfi.exe
4712	Cmiflbel.exe
4000	Ceqnmpfo.exe
2856	Cdcoim32.exe
4536	Cfbkeh32.exe
4684	Cjmgfgdf.exe
3036	Cmlcbbcj.exe
4896	Cagobalc.exe
3160	Cdfkolkf.exe
3744	Cfdhkhjj.exe
4260	Cjpckf32.exe
3180	Cmnpgb32.exe
1448	Ceehho32.exe
4636	Cdhhdlid.exe
2792	Cffdpghg.exe
1064	Cnnlaehj.exe
2000	Calhnpgn.exe
3116	Cegdnopg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe

Program crash 1 IoCs

pid	pid_target	Process
5800	5708	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4708	872	ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe	82
PID 872 wrote to memory of 4708	872	ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe	82
PID 872 wrote to memory of 4708	872	ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe	82
PID 4708 wrote to memory of 4992	4708	Pdmpje32.exe	83
PID 4708 wrote to memory of 4992	4708	Pdmpje32.exe	83
PID 4708 wrote to memory of 4992	4708	Pdmpje32.exe	83
PID 4992 wrote to memory of 464	4992	Pdpmpdbd.exe	84
PID 4992 wrote to memory of 464	4992	Pdpmpdbd.exe	84
PID 4992 wrote to memory of 464	4992	Pdpmpdbd.exe	84
PID 464 wrote to memory of 4296	464	Qnhahj32.exe	85
PID 464 wrote to memory of 4296	464	Qnhahj32.exe	85
PID 464 wrote to memory of 4296	464	Qnhahj32.exe	85
PID 4296 wrote to memory of 668	4296	Qmkadgpo.exe	86
PID 4296 wrote to memory of 668	4296	Qmkadgpo.exe	86
PID 4296 wrote to memory of 668	4296	Qmkadgpo.exe	86
PID 668 wrote to memory of 752	668	Qcgffqei.exe	87
PID 668 wrote to memory of 752	668	Qcgffqei.exe	87
PID 668 wrote to memory of 752	668	Qcgffqei.exe	87
PID 752 wrote to memory of 3588	752	Qffbbldm.exe	88
PID 752 wrote to memory of 3588	752	Qffbbldm.exe	88
PID 752 wrote to memory of 3588	752	Qffbbldm.exe	88
PID 3588 wrote to memory of 4732	3588	Afhohlbj.exe	89
PID 3588 wrote to memory of 4732	3588	Afhohlbj.exe	89
PID 3588 wrote to memory of 4732	3588	Afhohlbj.exe	89
PID 4732 wrote to memory of 2496	4732	Aqncedbp.exe	90
PID 4732 wrote to memory of 2496	4732	Aqncedbp.exe	90
PID 4732 wrote to memory of 2496	4732	Aqncedbp.exe	90
PID 2496 wrote to memory of 4972	2496	Aqppkd32.exe	91
PID 2496 wrote to memory of 4972	2496	Aqppkd32.exe	91
PID 2496 wrote to memory of 4972	2496	Aqppkd32.exe	91
PID 4972 wrote to memory of 3680	4972	Acnlgp32.exe	92
PID 4972 wrote to memory of 3680	4972	Acnlgp32.exe	92
PID 4972 wrote to memory of 3680	4972	Acnlgp32.exe	92
PID 3680 wrote to memory of 572	3680	Afmhck32.exe	93
PID 3680 wrote to memory of 572	3680	Afmhck32.exe	93
PID 3680 wrote to memory of 572	3680	Afmhck32.exe	93
PID 572 wrote to memory of 4404	572	Aabmqd32.exe	94
PID 572 wrote to memory of 4404	572	Aabmqd32.exe	94
PID 572 wrote to memory of 4404	572	Aabmqd32.exe	94
PID 4404 wrote to memory of 4944	4404	Acqimo32.exe	95
PID 4404 wrote to memory of 4944	4404	Acqimo32.exe	95
PID 4404 wrote to memory of 4944	4404	Acqimo32.exe	95
PID 4944 wrote to memory of 3512	4944	Aglemn32.exe	96
PID 4944 wrote to memory of 3512	4944	Aglemn32.exe	96
PID 4944 wrote to memory of 3512	4944	Aglemn32.exe	96
PID 3512 wrote to memory of 1576	3512	Ajkaii32.exe	97
PID 3512 wrote to memory of 1576	3512	Ajkaii32.exe	97
PID 3512 wrote to memory of 1576	3512	Ajkaii32.exe	97
PID 1576 wrote to memory of 2420	1576	Anfmjhmd.exe	98
PID 1576 wrote to memory of 2420	1576	Anfmjhmd.exe	98
PID 1576 wrote to memory of 2420	1576	Anfmjhmd.exe	98
PID 2420 wrote to memory of 3708	2420	Aminee32.exe	99
PID 2420 wrote to memory of 3708	2420	Aminee32.exe	99
PID 2420 wrote to memory of 3708	2420	Aminee32.exe	99
PID 3708 wrote to memory of 2412	3708	Aepefb32.exe	100
PID 3708 wrote to memory of 2412	3708	Aepefb32.exe	100
PID 3708 wrote to memory of 2412	3708	Aepefb32.exe	100
PID 2412 wrote to memory of 3988	2412	Accfbokl.exe	101
PID 2412 wrote to memory of 3988	2412	Accfbokl.exe	101
PID 2412 wrote to memory of 3988	2412	Accfbokl.exe	101
PID 3988 wrote to memory of 3156	3988	Agoabn32.exe	102
PID 3988 wrote to memory of 3156	3988	Agoabn32.exe	102
PID 3988 wrote to memory of 3156	3988	Agoabn32.exe	102
PID 3156 wrote to memory of 2436	3156	Bfabnjjp.exe	103

C:\Users\Admin\AppData\Local\Temp\ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe
"C:\Users\Admin\AppData\Local\Temp\ebbf224d747712adb7ef41534e7e29a128fab0642d2b4e062df8b37b894212b7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\Pdmpje32.exe
  C:\Windows\system32\Pdmpje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SysWOW64\Pdpmpdbd.exe
    C:\Windows\system32\Pdpmpdbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\Qnhahj32.exe
      C:\Windows\system32\Qnhahj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
      - C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 396
        88⤵
        Program crash
        
        PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5708 -ip 5708
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
395KB

MD5
bdeabbca4835861d252306479cffaf4f

SHA1
addef412f03eaa88df70c489c56d519b201155d2

SHA256
f9c6aeddacd3b664306b30e0ed8166f0693df302538fdf3ba2fc16d803ce1171

SHA512
ba8e56e559307fe4b15d64b85108581a49ba8a5855f4a5a40715a325d1926916f3dd515f837ce87940ff1effaa1bc806095bb0d83f9b73bd25062b35688de2bd

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
395KB

MD5
caa60a993835d18e4dab816db47117b8

SHA1
767bf348839dab697fade6892307a18f288fba7d

SHA256
b85a5be8df599b7ff27831c5e021a90096a69e605e0aaf76335f115454749d07

SHA512
4f6017879c4cce0fa9d4b3fc544de86e4ac4d3ac3e080703bb6359d01131d900115c29d3c1e3f3726f3c25784c6f7cb095790e299b7909df05131cffde29b124

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
395KB

MD5
13e246d1d276c337ed779a4af5706076

SHA1
d0b0b51885565c92e48ad5df81b223ec45fce507

SHA256
9fe60b5d659a2da7413d953c1beed494f63cfee25c668ba0fc92c10dc7a72fb1

SHA512
b0aa772308f28454a0c21099a4f0246b1146196b750fd3e5549446c6e8183ca68c942a980cacb2994517bf97225e97011454e01367aea29d5d77a24ef09d2c05

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
395KB

MD5
cef304197d6ccca4bd2afaf31e19a896

SHA1
9308c682c844d7c7984d7af7dc14243b4d438497

SHA256
ff429854c88dfdc8a3973ed6b6ca2a05fdac4ad369ba74d2d458bc6396726ffe

SHA512
9652f528d857ef546a884f57e0f555b44fceffc7e4e080334c8cee088edd9a0910c7ec9fc108eef1476723a0a1d51d570ed170a3b7d64291a12202535aea3842

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
395KB

MD5
41e2387a7ee23e079d236196d66d7f19

SHA1
6e596dde334325f3bd3df87e8bdf715d42572afb

SHA256
2f50753ddbebd9f3f65a0fac8683485e35a16d119b893151af30b745b75cf758

SHA512
f932c89ef0358e3916bcb65b3e844f5212a5c8d7282ef957e5585813130baebd86a5eba2f94235eeab65de736f80e805213443a1137a264033a10f027bed563d

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
395KB

MD5
d9ae23f6adfcbe32fba1649434f728c1

SHA1
7a9e13ac48e6cdc2b8da09505dc31a8b98ea95c9

SHA256
f18f9073bd2e58ae69111192beaaf901be48bb6c0d602201f4c89961f35f059b

SHA512
61773e0121fdd62460e5bfc507c18c1bf5387d7091c32fd79f4e7100dafb419f6934408b2e67b4b43dc2c40a88482ddc028e60a500c257f92e1af3ccd3af97ac

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
395KB

MD5
b9d34cd3d945ab99acac44af73a554e2

SHA1
e30c41d4daf20988ecc9f4adcdb06c4edb22355b

SHA256
677f233ce1a8ee72a20d68b514891c21ae4afb17b4ad101cebbb61c905fb8a4e

SHA512
84a004a9100c3f93e1553645121de22ebfb34d4abeac87dd7f9e7d577f7324178c0f6c7011f655cbea20ce84ab6acdc79eec5e02e93dc6621ab7ed8ecc7aeaea

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
395KB

MD5
5c19929d524ee4795c37a3ad2cc3defb

SHA1
d349e7f14e08efdff8619dac01f826ec37704359

SHA256
5b83718ea772772a328eea82c4692a9cdceb05c2b81586f7a7499b236e86905f

SHA512
790164f495cef0cf9c69489023531cb419a0c048d5e4316cf99b7fb3f951ca1f26d39d0e6cb9df830b48aee3a2097dfd2d17095591b9e90876f89a4a6492547f

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
395KB

MD5
0386836d5ba2b413392ae4af1f02bec5

SHA1
0fdccfb9572dea844f0aee96fb58c80b65256501

SHA256
19503defb3a043580dc3da14c6be8064a2cd1e32a9c517429c088e6ad39587c4

SHA512
0e5b9dbc4fb6c530465410b3d0ac68ef7d47b47689a1ca4f5b015e2db8403b5d4785a96f5910f64bc6e6692088565f3fd6a6df772b4881db55f226c543fa0257

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
395KB

MD5
1e3a4ce9e05c74461c5b3e7b5a03d4b9

SHA1
32b5c96b4b310e5cdf465bf433baf76141b225d2

SHA256
1aa75b34a0fce2789d9b81b7c60da40deb81b7c61b5c4ce350387e44bb893c39

SHA512
e7e9bc0b9f1089c8de4ef9ade677f1b61796b7a95a4b489b3515f93b2e0d4f2a7b5fd28bfebd48c1ddcc8e16a6e4d2e367299ef754b076abeaf5d26e1c741b08

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
395KB

MD5
5616ff72692c9dd5d168e865a9dad4e3

SHA1
3e538e363f91258f5ce3f9d06c12659221793699

SHA256
49ce694d52f070ee4e843d96252b2eada1066b1f3bb7f0538c44efe52b5503e5

SHA512
a7ee61ba98fbd5344e85f0b273e2fb0b967e44a92188990ab8fec7aa4d32b048b06a89b7709cdbecf9df3e0157f5c72290d62b06596afeace5be6cddb44b009a

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
395KB

MD5
9cd6697678a17bd4a85a3cecc8a634b1

SHA1
3a060cb857720dee6de1d672415654c3514a7835

SHA256
0a104e21cbb6d7916d976141276f2090194ef0a0d430768f043e681e6ebb4323

SHA512
5f8076b00c22d08081d46127db9f0de4e014111bc04c0ea4808daeea31e2d915fd6cf4cf2516f2dcb09fa29825c4cbaed64fbdf530cec5c66931b55c1bdaf23b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
395KB

MD5
ac7f6d8807ec34d0f793b8e3c10eb608

SHA1
61c8edf08f6251289fc5dd40f423da7d54cc9700

SHA256
0c4649bf6b803a353024a106efd8dd5cf6c97410ce3d862318e66e92f2910596

SHA512
55b257d01328bebd2cd3e395c23d6c17b086e3ba5da55ae002bc0a398fea986c553a617cae32cddc92218552579494f73b1f7cc884d18f7073bff6ad340f1575

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
395KB

MD5
57a5f47305ba172dcf79bc0432bfac42

SHA1
56a16fef4627eda7b1e5d57ca7fd918b7c409942

SHA256
6b5db9da8e45c026aeff18d38ddf72aab282fbcf416d1d377f6a42f80a66e3ae

SHA512
696b902fdd2a20a8bad6d48d25247a11ed5c3c724b95f04e1313d8c521075b965a01cd06cb7e4ded1a287d61721b35655f0120dbad6345ad1cd3145856b36801

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
395KB

MD5
83ebf9947bc09328ed5147ec9d14a7fc

SHA1
5d6c4a564104274c17ef4a17ed61b6aaa0744efe

SHA256
96383b44d7acdbd3de109e86b6bae79b6d4c8ffdb77a9231b53f0310564221c9

SHA512
e08ecf24aad2321519c42dba8e61dd96c0987763fc18fc55bb17a6f85ebb98eba751b4618a173ab046dd73df0eae158d3921188370dc8a63921bf2c7b36ff7dc

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
395KB

MD5
83ae0f9d814893333e3e1a697ebb77fe

SHA1
7c39ed71766540e020fc7f486c368bc93e874b07

SHA256
8fb9b5def26e5780fdf033119f292d780b76ee468e1894820be148c9ff354faa

SHA512
1bf45880f3b6076f7095c5e88a75c3ca4a1e976e9ba411a5098239143d06589f43601651927873b4a0d61da373fb1181b771484cdf96ca9c99b48b42bf6567a5

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
395KB

MD5
ae8eb6ab0618c276b1361cb87a2d53f5

SHA1
e1c88a73eee28cc2385eed5dd9ceef7ff49db4df

SHA256
52a1cfa1b39352ec5a4027df1c60cd1fb3a6a4e861ee45d50714120b9e01f5d5

SHA512
65bb6d5b11d45dd60852b780f7cd46e6abd67a27ab9781d669aeefd6dcd23d5fdc2f21fd5b10fb586acbc7220470565b90bfb74a634b4aa9ef7cba992ccd7db0

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
395KB

MD5
a25fd47acdc06c4554e665d6df7e43ac

SHA1
ade682941fb7383e4cfa4f11bafa71a40d5f529a

SHA256
cda8f528e3799ad23f53ed38c666abc8c65bcab342c3177c900133a29c0698ff

SHA512
119e8fb864f21f124a74155d95f83868e7dbe5f99286e53940079ce169eef7e54fd34d126d3c59fcbc13c2e57ab7f035409c41a5e288fc802b7cd0fcbf3a3819

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
395KB

MD5
2f064c6bd1d99ab125dab10f081c4f4b

SHA1
1165302e0472fa3681d8c7bfa88c0dabed980e65

SHA256
0e9ebc83ec430fef5d362fbaeef55fae0ee4f102ffe8dcc5f6ed3f0286cf595b

SHA512
3239c47de15f3d779d19afbf1e4487caec7f18c54019ef45629b98d014600014c209f5f1b0c0d598b02116fc7c73ae02ec993590643bc0b2b6d8a168b346fa89

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
395KB

MD5
c519a5ea70111c532fdf7730f06b4dac

SHA1
df2eab26550fb5e255c93df103c06572b3004d9e

SHA256
34aba3fa77fa390a67f9dcd6d6e351d4488bee6a057e3253a4431fb54d71c45c

SHA512
535c14137f1cd05bf9ed49b56810b6f0e5647d300208ce31c3ce6eb4cc520a0fc83e07984d3ccca01ba4b09ea161c3fa5c1f32163a19bcd2e5d38dd6e0f27b69

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
395KB

MD5
7e734704ddbf3d49ee6e656924082fb7

SHA1
201f795b22475314838d1eceea40103d39ff2eb6

SHA256
1eb5709c5e712bd7f289f6cc91f09c567375b170a95ce77a46f07978e8c02522

SHA512
bb64075e67d9f874f87604646b8f74eb3dda628fa710c0f69eaa2f7de863358482b4299b05688c19090972725cfcaabe426f44d74b308e1e7c209521c3e849e5

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
395KB

MD5
81f9625ebf95c680dad9204acc1d34a8

SHA1
579c00b4ef54a1bc082a8cf67a7f67f589da943e

SHA256
5cbfd98bd124a64df83a7a5ea1a116fbcac46d735ac29d5f7d98339a53cfb2c0

SHA512
ad09cc0d26b790db747ffe74ce9e1a26b5505714293eafece0c3bb6b81ac20704ad02019a95b6795e20b8eec568722674a260d84d59489c8235bc97c991286a4

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
395KB

MD5
4ab23704294cc9413a1ae1422f0c7884

SHA1
fd6e95818c56dc3235b3ded0b5261806113b0e46

SHA256
1c2aa49353fd0ea3ac2acff952732dfc3f3e794995c33001d663139a03915b7a

SHA512
75450b49600713e8687ad83b7597940c2fd4295d034713d8baae93c2b18f0681ab5b04dd0a4d1e7a6068e0a769cd6691bd97b5606cda0a4bdf37803f3d936684

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
395KB

MD5
f895864c11916dda68526a67efbc99f1

SHA1
ce46ff936bda7adbca440e2618e2254f7d154d47

SHA256
49593a37439707b6b8f3aa4def49be9d8be82fa9d45b5c7502d24d59adeb70a3

SHA512
8af7210a344ca981dbee2de53f5cf37ccd018c518ecfcf50c4aec5ba84f8d3b96688c344d44dfa4fc9a35dd44d9797814a4413727db426e8e1c40990094e459d

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
395KB

MD5
93fc6f7a397022e47e6c6d24736ba51c

SHA1
d8a7512e452f31246776a08264d4289df30c8319

SHA256
c83a79cf27479caf5f66703dcf39446923940a9db7b9f28a8780cf68c0345b88

SHA512
54a5c834c81183056600f370ecf0ebb3a79da511c621cb8ca60519afccd866ee324b96977f50b838bc82cce5025dc4b3b029a21b49668fba0808cd156ba32ab8

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
395KB

MD5
358a7637964bcfa2b7cffdab9e689554

SHA1
1f16a2496944fa4e00144aefb931f20a3f11f0aa

SHA256
25f770de5f4850c0814f4f9b572012f400365bc892bc196c053e7441141eeaac

SHA512
a5e88391f04848b689d667c4acffbb436e2a24746008dc032339bf1b2783d1827db002ebf71cfacd4834c4683ce5f2385011725ed767707c8a9f91934f0238ed

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
395KB

MD5
583512bc18fcf8fd38d668ef84ca90d1

SHA1
c93b6ff29663ec41d44955a81e409797d5aedd4a

SHA256
45fdfc3209920fc40425441734d97733ae7f3baa909f1ae7735865ddd61e08b8

SHA512
885b6868238dc0b44d1afe238d9f484713b9e6dbf035cfd51ca6eea1a893fdfff3b5e4cdd297174d6049756fd6489b947c90ed3782332e37b3964ddb93bf80bb

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
395KB

MD5
3810d02d2a0d1fb42d3cf2e4b900a1e0

SHA1
4a7c0216a66b7454ce65d79771be261febed5c10

SHA256
c9f439cf4387ef74a50296801aebd685bdeda122cde6b363453e733c68c49eed

SHA512
2da6dd7fd7e5a0456742e5e9b4539e73969bb8d32a8345625a7268851da4b71b73f897472c34d58e7becea43de94a20585ae76a1b13b48807e6d692af28b5e26

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
395KB

MD5
a61ca8cf820274f6417a356e322f3c4f

SHA1
105583fd4d2acb0ce8ce8a086491b73fbf456413

SHA256
5609217f6baa6b40f178b7355426fe46b06b82e82256a1806b4790483cb5c75a

SHA512
a54637906220348515d2458830f84f4c61733d6c81b272456bb35247ab0c78cb0fddcbf8b542b14e9261c5b7dd3c8d9d35d281d0610084048af3b048469e53bd

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
395KB

MD5
9a7bc701a3425271fbb5076660b7b36b

SHA1
4ac49d9a73e7d7700ef67f510c426c4ac4676e28

SHA256
309b791c5e2064082ffc99e90dbaf4cc2c2cf3e19b99d1275be65cf0e61f857f

SHA512
a8ac2065a1666113f7ea961b49afb4ae78ce20af71dac44d6b28bbd2c34e31b30ce1d6bc5481ee4706479d2a55e4af391feb1efd71ea0e1fe04ae6945fb916a6

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
395KB

MD5
3b90307064a270470918a706200a9d60

SHA1
2a76166f427cdc158789ae759c2f8907842a884f

SHA256
65160139ac2ea0b4df80f594a1fcfb573d777ed6fab3c1fd589d3e7ad85487bd

SHA512
001e0ca09cae1eb1ac494f7b07566501447c86acc4d8b31ae1c5f147b1bf9171ba2e7007216c7ff532d9848872bde5982198c14d2aaff0976bf9ea6e2acb6def

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
395KB

MD5
788c9d4517bad01b0cd997372459c526

SHA1
82ab41dac6f8f768e140d6d2ac013b89cb093005

SHA256
b86ce78d71bb1357828805f47e796e21cc356a9cf64a6bea5c7106d8849df1a6

SHA512
9a52e94b4f56c8cfb002c6778d328bb1fbd5a75ae4920be6abb9230a75f96d4dd20b4f365533e155dbfd6507d662d27772c810bb43b720099770e6bcc670e7b1

Download Submit
memory/8-284-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-559-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/468-220-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/528-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/572-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/668-571-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/668-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/752-572-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/752-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/796-228-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/872-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/872-540-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/956-188-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1064-436-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1076-272-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1412-478-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1444-302-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-419-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1576-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-204-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-442-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2212-296-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2248-337-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2436-179-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2496-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2580-244-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2584-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2792-430-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2856-366-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3036-384-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-196-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3064-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-252-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3116-448-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3152-466-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3156-172-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3160-396-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3168-290-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3180-413-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3264-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-460-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3392-605-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3392-490-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3512-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3588-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3680-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3708-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3744-402-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3984-236-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3988-163-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4000-360-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4196-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4296-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4296-565-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4396-307-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4404-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4428-314-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4444-212-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4472-349-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4532-484-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4536-372-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4684-378-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4704-472-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4708-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4708-547-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4772-320-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4872-454-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-390-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4944-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4972-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4992-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4992-553-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5160-603-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5200-601-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5200-501-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5236-599-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5236-507-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5276-513-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5276-597-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5316-595-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5356-593-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5392-529-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5392-591-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5428-535-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5428-589-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5468-587-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5512-585-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5548-583-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5588-581-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5628-579-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5668-577-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5708-575-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5708-573-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads