5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe
Size

63KB
MD5

f3492ab7c4d85ce6b8ecd0788e9514b0
SHA1

10ebd80820c94fa32ccb923500ae229e714d8663
SHA256

5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c
SHA512

417b20f165d85a1fca34314d54ecb1ceca0ca0fe4b737b38301f1ac9b7e591885af82dfebb5afa9704635b6b7da6613ce5601c2721b1c669c1d4098d8545df63
SSDEEP

768:pdNy6g32YWJ/ZH6OwdR+G1Qx/GqWu3gnsbq07/u5ID3Fbj0/1H5oVEFBjmrUTvne:pPWdWL+RV1qgO/9FvK+VusEn9rjDHE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe

Executes dropped EXE 64 IoCs

pid	Process
2524	Pcppfaka.exe
2464	Pfolbmje.exe
1952	Pjjhbl32.exe
568	Pdpmpdbd.exe
2456	Pcbmka32.exe
5104	Pjmehkqk.exe
4724	Qmkadgpo.exe
1872	Qceiaa32.exe
3488	Qgqeappe.exe
1196	Qnjnnj32.exe
404	Qqijje32.exe
4872	Qcgffqei.exe
3604	Ajanck32.exe
5032	Ampkof32.exe
3444	Aqkgpedc.exe
2764	Acjclpcf.exe
1172	Ajckij32.exe
5068	Ambgef32.exe
2148	Aclpap32.exe
2556	Afjlnk32.exe
4952	Amddjegd.exe
1396	Aeklkchg.exe
1412	Afmhck32.exe
3916	Andqdh32.exe
2752	Aeniabfd.exe
4316	Afoeiklb.exe
2972	Bjokdipf.exe
1544	Bmngqdpj.exe
4972	Beeoaapl.exe
1916	Bgcknmop.exe
1564	Bffkij32.exe
4792	Bnmcjg32.exe
4808	Beglgani.exe
2624	Bgehcmmm.exe
4848	Bnpppgdj.exe
2252	Bmbplc32.exe
4152	Beihma32.exe
4684	Bhhdil32.exe
5072	Bfkedibe.exe
4780	Bnbmefbg.exe
3204	Bmemac32.exe
2580	Belebq32.exe
4328	Chjaol32.exe
4368	Cjinkg32.exe
224	Cndikf32.exe
1760	Cabfga32.exe
1044	Chmndlge.exe
384	Cjkjpgfi.exe
3744	Cmiflbel.exe
2172	Ceqnmpfo.exe
3932	Cdcoim32.exe
4796	Cjmgfgdf.exe
3344	Cmlcbbcj.exe
4728	Ceckcp32.exe
3752	Chagok32.exe
3888	Cjpckf32.exe
2020	Ceehho32.exe
220	Cdhhdlid.exe
4636	Cffdpghg.exe
4812	Cmqmma32.exe
3388	Cegdnopg.exe
2332	Dfiafg32.exe
2192	Dopigd32.exe
3804	Danecp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5428	5344	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2524	1040	5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe	84
PID 1040 wrote to memory of 2524	1040	5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe	84
PID 1040 wrote to memory of 2524	1040	5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe	84
PID 2524 wrote to memory of 2464	2524	Pcppfaka.exe	85
PID 2524 wrote to memory of 2464	2524	Pcppfaka.exe	85
PID 2524 wrote to memory of 2464	2524	Pcppfaka.exe	85
PID 2464 wrote to memory of 1952	2464	Pfolbmje.exe	86
PID 2464 wrote to memory of 1952	2464	Pfolbmje.exe	86
PID 2464 wrote to memory of 1952	2464	Pfolbmje.exe	86
PID 1952 wrote to memory of 568	1952	Pjjhbl32.exe	87
PID 1952 wrote to memory of 568	1952	Pjjhbl32.exe	87
PID 1952 wrote to memory of 568	1952	Pjjhbl32.exe	87
PID 568 wrote to memory of 2456	568	Pdpmpdbd.exe	89
PID 568 wrote to memory of 2456	568	Pdpmpdbd.exe	89
PID 568 wrote to memory of 2456	568	Pdpmpdbd.exe	89
PID 2456 wrote to memory of 5104	2456	Pcbmka32.exe	90
PID 2456 wrote to memory of 5104	2456	Pcbmka32.exe	90
PID 2456 wrote to memory of 5104	2456	Pcbmka32.exe	90
PID 5104 wrote to memory of 4724	5104	Pjmehkqk.exe	91
PID 5104 wrote to memory of 4724	5104	Pjmehkqk.exe	91
PID 5104 wrote to memory of 4724	5104	Pjmehkqk.exe	91
PID 4724 wrote to memory of 1872	4724	Qmkadgpo.exe	92
PID 4724 wrote to memory of 1872	4724	Qmkadgpo.exe	92
PID 4724 wrote to memory of 1872	4724	Qmkadgpo.exe	92
PID 1872 wrote to memory of 3488	1872	Qceiaa32.exe	93
PID 1872 wrote to memory of 3488	1872	Qceiaa32.exe	93
PID 1872 wrote to memory of 3488	1872	Qceiaa32.exe	93
PID 3488 wrote to memory of 1196	3488	Qgqeappe.exe	94
PID 3488 wrote to memory of 1196	3488	Qgqeappe.exe	94
PID 3488 wrote to memory of 1196	3488	Qgqeappe.exe	94
PID 1196 wrote to memory of 404	1196	Qnjnnj32.exe	95
PID 1196 wrote to memory of 404	1196	Qnjnnj32.exe	95
PID 1196 wrote to memory of 404	1196	Qnjnnj32.exe	95
PID 404 wrote to memory of 4872	404	Qqijje32.exe	96
PID 404 wrote to memory of 4872	404	Qqijje32.exe	96
PID 404 wrote to memory of 4872	404	Qqijje32.exe	96
PID 4872 wrote to memory of 3604	4872	Qcgffqei.exe	97
PID 4872 wrote to memory of 3604	4872	Qcgffqei.exe	97
PID 4872 wrote to memory of 3604	4872	Qcgffqei.exe	97
PID 3604 wrote to memory of 5032	3604	Ajanck32.exe	98
PID 3604 wrote to memory of 5032	3604	Ajanck32.exe	98
PID 3604 wrote to memory of 5032	3604	Ajanck32.exe	98
PID 5032 wrote to memory of 3444	5032	Ampkof32.exe	99
PID 5032 wrote to memory of 3444	5032	Ampkof32.exe	99
PID 5032 wrote to memory of 3444	5032	Ampkof32.exe	99
PID 3444 wrote to memory of 2764	3444	Aqkgpedc.exe	101
PID 3444 wrote to memory of 2764	3444	Aqkgpedc.exe	101
PID 3444 wrote to memory of 2764	3444	Aqkgpedc.exe	101
PID 2764 wrote to memory of 1172	2764	Acjclpcf.exe	103
PID 2764 wrote to memory of 1172	2764	Acjclpcf.exe	103
PID 2764 wrote to memory of 1172	2764	Acjclpcf.exe	103
PID 1172 wrote to memory of 5068	1172	Ajckij32.exe	104
PID 1172 wrote to memory of 5068	1172	Ajckij32.exe	104
PID 1172 wrote to memory of 5068	1172	Ajckij32.exe	104
PID 5068 wrote to memory of 2148	5068	Ambgef32.exe	105
PID 5068 wrote to memory of 2148	5068	Ambgef32.exe	105
PID 5068 wrote to memory of 2148	5068	Ambgef32.exe	105
PID 2148 wrote to memory of 2556	2148	Aclpap32.exe	106
PID 2148 wrote to memory of 2556	2148	Aclpap32.exe	106
PID 2148 wrote to memory of 2556	2148	Aclpap32.exe	106
PID 2556 wrote to memory of 4952	2556	Afjlnk32.exe	107
PID 2556 wrote to memory of 4952	2556	Afjlnk32.exe	107
PID 2556 wrote to memory of 4952	2556	Afjlnk32.exe	107
PID 4952 wrote to memory of 1396	4952	Amddjegd.exe	108

C:\Users\Admin\AppData\Local\Temp\5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe
"C:\Users\Admin\AppData\Local\Temp\5389f4b327235dca0518a47609fbe90e82b3f384c9be7bdbb3167338e071f76c.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\Pcppfaka.exe
  C:\Windows\system32\Pcppfaka.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Pfolbmje.exe
    C:\Windows\system32\Pfolbmje.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\Pjjhbl32.exe
      C:\Windows\system32\Pjjhbl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 408
        80⤵
        Program crash
        
        PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5344 -ip 5344
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
63KB

MD5
9ff61bef29dba9ff60301f56ae0a64dc

SHA1
df1234ba43347e37b59b440ef49c81a8ac25e0c8

SHA256
e21d0789abe83f614fd78fce61d81e6985e6ca2483a53d920069f4f6a5636274

SHA512
7cf739efde26f23fba3c2d88e31fd4efde46eb114327ad0af605dc3d45b8ce50461c2c9adcb4006339b51b6ed5e1aa3b1f5ffb728da3bc3f16827cfee8213382

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
63KB

MD5
308d387f8f1ac61d9bdb56728530bb7c

SHA1
92c707c493132bb8032d3b476111f6552ec21b56

SHA256
4aaf2192495440c21a9a0b7a0b8e74c60853aa2faa7d4436855f1660cc1d64e4

SHA512
631016320cc1af97e564d4c5af9d71f3dd98ccd0f839bb81d9fe04bf3740f1bcd38f5b7bd90ccb9b07ad0bf2f83d6d1a2ed203999a84a982d6c9fd9510815f78

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
63KB

MD5
95af820f94ac7b4871c4a59fc73e12d0

SHA1
651049d84776d0d9261553efcc9dd512e8ac5e57

SHA256
b0d1e4b2208292930ddca6ac62d9ace0bb98f34e516ecacfb360980feeb7ae45

SHA512
a88707af48a1fd18c4108867501226a20128ed82950716270ad658e3ce0274c344300e225d41b94e2e48a2865491fac58918034ee2a8af3ab8013aa7c6063d32

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
63KB

MD5
1e7198346e89483c27cbce1dec906577

SHA1
470f9f943d542a0f63046ed133a61c4bc4bca552

SHA256
03193e836d40cf4f31c741e5e1d0ba30a10fba593fa9efc0b77886b9f4e31e74

SHA512
f47313e9a0ba6c6bd0e13dcfea4f2274dc243746175e30c26b306ee72d86b4a0820d0e36d40c2c3b6439b639e64908acf71c20f028297639423f25b544cabb5e

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
63KB

MD5
09aec460a0336fe146304c5f0b120a16

SHA1
72b665124e7c6bf4eb9ad4be80a476f898bacf3d

SHA256
504746b4b2ee2e6fa291ed6fbb89f2de993112ef2ee14a934b98b2de2238c7e0

SHA512
6442d10a3415d78d0d23b30e3a22d581e5d0825086abaa7bce973d9922ca1dcd0cc737cf2f5e0895f7675394f013066feee65c7560e5756ca10cbf36b70d1cb6

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
63KB

MD5
c6e70f1f8e7d2476994f91fb5751cac6

SHA1
fb8cf4ee4752877914875c935c62e6b2bc65be3e

SHA256
460188713acfbd94e91b7f308a4b2e102982952d8a247fe48ab3ea796f27e84e

SHA512
ffeb5f8d8c9a20ab8ce822adb20206a1ff60ce4e23acbecca26e8701d23a737c78160010ee609e3a1a249659bd7e10bd348950d054853ee6ca885a7438a98b6e

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
63KB

MD5
fe92e570fdde60489dabf6564cd48698

SHA1
1634e9c64f939f7be714a426ce08ca15cc045a49

SHA256
3e09626821fc26d474c763dfb7bf1e1e1bca31d89fe1957579de2557f6451855

SHA512
f99a2d518927ec9c643bd80e6108f1998ad6f6d2bec87037bdce1121041385dd4a6f1632c233a0518901224b71d1bff6202c4e73f428c8379707fe913c18cee1

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
63KB

MD5
51cb9559fef56ef1d9571919d34aaded

SHA1
1c3f7bd521709c3021046d0294f5e5ab477296d6

SHA256
c221fef6036c1f4d878c6ba6de3b77acd2de89d1f56aa28ac71562f84f79df34

SHA512
ea65ca226ecc1707db27bad6bdba5e7f5fedddf71b3e04d85ad7f9736d411e3c7866fa5e51958003e81ee2aca77308864b4c53faf9aa173b78249952cda49242

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
63KB

MD5
ae069e8e913a5e71b352df01f5f325a1

SHA1
62245fdd1133a1cb5f30ba2dfe6a6d1255def2d9

SHA256
94f945ffd0be1392b2df43671266b0fe3e92f08f52ce51ff4cde79d5bbc3842c

SHA512
ff4a5e01dffaaafee1f07bbf70c4659ece4dcdc823e713dfd68dabeb775d45cfb23fd29c93e6f3f1e91a0c04f2d2a2f51ba9d91d1eb629d8a140aaf35a92097a

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
63KB

MD5
76fd5d7322e2ce1983423e1e274b0aaa

SHA1
973d06e34f709274e58123087d2cccbe02d0d81b

SHA256
754a7ebcd16eb3a81c1ebd0901947532f91921e81a70829aa22f487928dd2017

SHA512
dfcd07edd00f76935b08804205f553df373525493b176c2a35a70b7965234455c0de12fb22b31be9abd5cfa68b3af74c8fb04b76b1a71e34dc4f935bcbf1558b

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
63KB

MD5
4f06fc442eb3c6fe45075440cf62288a

SHA1
371e1172881742ac3423a11afda26cdf50b405ff

SHA256
44511b1a1b750939c3c743a8884380e25f45e89d0edb14676a0ab06179c01b2d

SHA512
16a7ba7df272303b48d72a9e006e55d64ad4c1027af52f3ff54f49e0a096ec269fe98b45182305ac9ea28987df1504851e64a999b89e0b3fe9751bafbb42ed94

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
63KB

MD5
58877b302d0ffb60f3fc2e26385a4caa

SHA1
9cdd101ec7c74792111477feb71ffcf41bf6571c

SHA256
5bdeecb17760ba06f882c416c9c40fd6cc93fb9f04f09be68a8883a4652b2b40

SHA512
3fde30a2217f9e25e1ed8f4a92984efed891b8471cf4ba525fcdb8d1828ea68754d4fc419518cd4e82e3bbd7b23e990337a61c3037d21f2d0ec5e93175ae8dab

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
63KB

MD5
d0e36390d4df24bdd77bdfde89de10a1

SHA1
bec892c674ff61073dfc74f2f2b0f525a3409b0f

SHA256
692f53a5211407ae2fcade44a3712e0fbff1562736f3d7acbaeebae147ee95fa

SHA512
694a68510747a279305224cf7bc84ad4d30a06dcdafe9be7543f8bfa6724c4122083a40379ca1e19c8d4c1d23b898c87a211002b295ed36991abafcf89e1684e

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
63KB

MD5
7930f6db08dbb5e38e0a764885c599d4

SHA1
7b25fe9837656396e1e67e046af6b0d7a5a5637b

SHA256
ff18a9f8218ca667d66be19b79555b1c1bd8c391b1aea6573ec816ff500de7f9

SHA512
e0ee3898ee77ce8a637b4cfe568802ca5114368d9ab7184ac0653ad83a336c6f651fb341501af29999305d38d1206491897cf9c2639f1a583d50b056f09e3922

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
63KB

MD5
6889b941f19cea9f110830ed5b831e56

SHA1
590a3331355dc981b9f5dbaecba411242c2dc47e

SHA256
9e280025e9487ff3d6b43ee9e319ba25cc0b7cf643b5d24af28d04e785f1f158

SHA512
9adf55b5c82d2a8e36fd7ff59ca6f89b20c34328bfecd48917834bdee202613e7fe7e174774c18c32fdff75a980af7274579ab0fb3ddb8860d46fa9398de1495

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
63KB

MD5
bda30870fd3d76e154544429f9a0b625

SHA1
60d18922a0832d8455ac5db11d2e839b97cdfa4b

SHA256
c0223bce8557cf9f015aeb297fb505c23ac8af8353d68c75d6441291cd22394b

SHA512
afe8f0b8120edccb0c665f44a8fd711140d136ceaef67af2ec540530fafc279954d6854e4198eaa2a1b9e16745dbe090d847e862199f346948db82519d05e168

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
63KB

MD5
b55a235ef9ce3120fbb114f2f457aae2

SHA1
3e4ee62240af9149219e491947c97132447ddb30

SHA256
61a8f337c9fb05909f29b92e4f1d82b04346be8cc2577d2d048713eeeb379af3

SHA512
ebdc1eee183fbe32c05170b99a9ea5d5d115d8df78bf70448a1a43aadf7a834cea35b55e335071a919a1a28a9d8fb2c1e25ab56a729081ede368399aa589cc4b

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
63KB

MD5
43ca92d6f020c48bb0d0d9a37efc561e

SHA1
0202121dfcffac91e52af0179b7d935c1f159978

SHA256
603168469c64bf3999833e2ba1d819f7f6f1863790279f800b4cde2c1daf910e

SHA512
d19886c8d5ca5bd9c16520912bfb2e156a80e8f764739cb5270c9b0f45a79f59b564abb6d615905eb157196a012d13a944234dcd9a42b0246c99336ce8964d06

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
63KB

MD5
5b5edd076f9641bac79dc3c25eba089a

SHA1
e7f6f22058f1a65b043418670a4c822b4176013b

SHA256
e2a33f684b5fbdffac83cce25f93af08388278e8f7e7b1ed380115f6007efd84

SHA512
e63e429aca5217e42be487bf8db79872afce98bf433a7be4e89515bad7d7bbb4ece91aa449b90726ae9920feae0be521b29c5e8de4fb0c211ed95b7be22bad35

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
63KB

MD5
74c58fca50c9bab022b466909b17273c

SHA1
65c6e3b0ebc460483aff94e6610d86264f298791

SHA256
09c635be0474f3d4408ba9cc2d1191ade5b43504e1e763179b861c83a35672cd

SHA512
eb2cc8c04314d49bcc33ba7c09e8d60baf8fd25515eab226596db7be78d132c3f72983729a0c02ddead0b1d4a40478c39922747049b29a62cc9dea97aa24dfc8

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
63KB

MD5
3c82cfaded4290a629a2d03a361906ae

SHA1
d388e457f91e5a4a0f09e864c6317a42f027036c

SHA256
2f3cd411affa4c7d22c67a2dfedef794a4300dae0abe5b1f42f6f7b83d0690db

SHA512
d2f2bf1d883be882fed95fd7e38b9e9a14f9e0b6fbb732775858ec8c5c49cdbbe1e083762de115fa60418b48f3ac5fdebc513f474d613a2395561a44f697b638

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
63KB

MD5
d1294b6fc1bb26c9ead03828b3ea2c70

SHA1
e26dec943d1404d71c3b88ad1fa215d6dcc36c0e

SHA256
6ba49c9a311e1a4da2f73fdb956531b64ccfc491a7ba4b456fa7fa8aa0af94ff

SHA512
c51348540dc8beefdafc273cd654808812b8c74dbc48298bd83119d32dc3b25019214952cb3cd1a5000edeb7e04c56b5dde6d765ad866c53476850762f5aafc0

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
63KB

MD5
7fdfb4ccad494715dff2b5bea7f3ddf6

SHA1
65eb7f804cbd53d292c21433c9ae2549e0180e83

SHA256
c42054bed33bf527def9a88934883339de0ef459add2461722960555490beff2

SHA512
cb10bdbb66ef6434740c08706b1c25f5ff58acff6775e5b5106faf0d138ccf26c70e71ef39effe0faa03b1c1ed75b1ba925c54da2f895095088e52873abae73a

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
63KB

MD5
b5f6a9b45257df06baf862ea24e7edbe

SHA1
ff027a624fc8fef33fbd5c156509dadf1462ba66

SHA256
608dffce97efaf80fad859b331f7a3f46d9ea32cbf83d99293dfa97cf93826bc

SHA512
5b86b5a371ffeb98d35ba3e24153fd4b35a023ac073639c80f2fcda74fe788f3066135b677f54cbd924f58009d66099ae435b6e50bfb1fb260fafd5d4aa6f68b

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
63KB

MD5
cb7d3cb697fb188e59f102ca13044e73

SHA1
72e9c741bd6238e2929f83e1432e7770fdab6c6d

SHA256
4ec5b95772e05f0345061b235245a42e2ebb74600ef850852780d5ec47fdce63

SHA512
26bb3e8390be5690526f4c8f5117658acd9cef5fe18548e21193275b7232c25f8397c2ddf676173804e3618cdd6b2d667b5f35deffeceb39a0008027b7bf5439

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
63KB

MD5
a48111a14dcd31a70385644701105f32

SHA1
567b0149eab5d9844f5aac2c06ea9bd252cd9e87

SHA256
44d1978a1dc2be8d82cd9672c71dcf3864f10f79873ec803300bf6a91f136c8a

SHA512
9d017c8b4be2056244343fbe31cdcdf085225043b34f2635bfb3ea17ff121503126481bee1706e7dad56909e71226b7d22dbd0e60ebf04aa0aa4d13a153774db

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
63KB

MD5
1ecf32f7e5f6122644880bd5be836229

SHA1
df36da8ea3c119f50abac7fa8dc545d9b38a3075

SHA256
a510118fb6c1d62dfdc54632352ed2cf1453d9d5bcc5f48b3cb2c3a42c8bcdff

SHA512
d63959e516d600ccc7c3fb5d5eb46476ad5a130ee3fc16c45001c8fa4b7b346d99b8524a37bee3e7f296fce5357859a5deab6d7214af75e4255d1117401b9699

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
63KB

MD5
b64bc139f03760fcbb0d3517d2e8e2aa

SHA1
6b23554afd556153a7d7a0f38ccd05aadb6ff1d0

SHA256
d0dd18a3cd9d0465b69dde63c08bf1d3422b83adbc9576aa8388bb8bfea06c4b

SHA512
c23b98b8ad928dc864beabd53c96a7fc2f3ae75aa10ccf87ee75a98708e667619f392ad985802b893c720bc1b178e26044f65e399452d2c627c8ce6579d122f0

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
63KB

MD5
22a65c03e46189650bca4005c8112ccf

SHA1
0293a8bd3785e9552dc65c39d8f2d9fc897e3c28

SHA256
aac0c129073b9caf22828e31e4265233e9d1c8f55e1e79aa9a89fe3cbd88272b

SHA512
0f4f19c563db04e63ab36960b65144bdde67123710f3475104d80f58ea92f775a3ed7a0f98c45066971e7cc73e147856b081872f8de2012ab6348fd32e40717d

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
63KB

MD5
40cf2f30135932d91c3e686bc1145148

SHA1
d11388f6a96794339a66f692cfadb9daca54732e

SHA256
e378fd09b3bb50858f89ffb80bdad8828fca7b46129f1555b403255ad4b86312

SHA512
bd5f6f8956ea12e24eda4e17c4b580cc3dbf79a825a1d2e74eb547bc49b23c994f7fc4a7639ab6963ff78c8930501df643774048aceec754c477fe2691418d7e

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
63KB

MD5
6bc488ab83053262be29b8361929639d

SHA1
d23d4d50c7bfbca4ac863892aa8ea260f7dda14f

SHA256
5c5216f810ee7993c3e6f1ce37e4286f7a637756e6b074c5f7b642c957af9eb9

SHA512
72c3f7ab0fa646726ed8a6fbd40f99cea742c1a14b4110b312a14e868d1f7c11a64fb0a373940e40f905664455262d5115714d61a1c791bb86cd270c58191f82

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
63KB

MD5
8f4332c823294c6b4b13123d0442a135

SHA1
f086a457ea2e2a8da4065c7988f4197d617194ee

SHA256
c2fc786bc294270ab80abe54bda3badcbadd2cbabaf542c6320422077c034b0b

SHA512
2d13d2bdd041f4c20e68c0397ceb69a41ea0b7f30efe41580c65b89df5a9a90629044e6c04f11e993260590216da630ca44d102af5dab8bad6a0f0d974ff520d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
63KB

MD5
30396b2b033bcb5284bbad1159ed575b

SHA1
ee8d9d0edca7f71298833ebbba1d65c3764a2eb6

SHA256
40e46371f62eb3103c7a015228a91601b53ff3b462572ee2a3639301e0390e58

SHA512
a88d9457c65aa5f253c3ea8a0775e5523ed3b7027df2a2d9fd00167226443792c564ce56d416df335a6129f0255b967fb2eabf08ee7776d875f1ae929bcac777

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
63KB

MD5
5ac3ff503cd26e6a5d10cadd29c5a07f

SHA1
8643be2aa1499ecfdc46d41fedee11eeca6e2f66

SHA256
10ae407b7758c17f0de26761250fcfeab4ed95f6b4271d7ff5349ab8830ab4ee

SHA512
7fe50891262d53d98354c8ed3d52981a58401869b6a46d9f45f0d413dd3ce70bce9ddb18581f24b9f45b3c04a01e3899bbfe65bb21e98d7ff8b3feb0bbaad599

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
63KB

MD5
9d81414de6ab8a2f7e168d62aa70538f

SHA1
9ffa27479262a21814431927516f93aca163763a

SHA256
bf8d4572fa07c3d568660fbd7281ac21f50e629dbac57ecd240db17c8446a3f5

SHA512
fbb15d1bce46cf154c82e33f0213fab58412cbba22cff6d0322974b19adfa3c90ad11e7b61177751e0262f8fa2c07bd03dc47288400865b9eba761981101191a

Download Submit
memory/220-412-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/224-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/384-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-88-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/568-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1040-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1044-346-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1172-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1196-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-175-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1412-183-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1488-541-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1488-472-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1564-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1760-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-496-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-539-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1952-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-540-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-490-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2148-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2172-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2192-546-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2192-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-547-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-436-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2456-39-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2464-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2556-159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2580-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2624-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3024-460-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3024-543-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3156-542-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3156-466-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3204-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-454-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-544-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3344-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3388-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3388-548-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3444-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3488-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3604-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3744-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3752-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3804-545-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3804-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3808-482-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3888-400-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3916-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3932-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4152-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-207-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4328-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4368-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4636-418-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4684-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4724-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-393-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4780-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4792-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4796-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4808-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4812-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4812-549-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4848-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4872-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4972-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5032-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5052-484-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5068-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5104-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5136-502-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5136-538-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5180-508-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5180-537-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5224-514-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5224-536-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5264-520-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5264-535-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5304-526-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5304-534-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5344-532-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5344-533-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads